Multifactor authentication works. In some ways, it works too well. As cybersecurity continues to be top of mind for most state and local governments, the call for wider adoption of multifactor authentication protocols is growing louder.
The National Institute of Standards and Technology (NIST) recently introduced six pilots to bring multifactor authentication to state and local online services, reports MeriTalk. The city of New Orleans has also recently adopted multifactor authentication for its agencies, reports Statescoop.
“We live in a more in-demand society, where people have a stroke of genius any time of day, any time of night,” said Freud Alexandre, the city’s enterprise architect and security manager. “Now we have the ability for them to log in from anywhere, and as long as we know that they’re using that second factor, whether it be a device we already know that’s been fingerprinted or they use the soft token, they’ll have the ability to sign in and perform some of the tasks or duties they need to perform. So for us, it’s an extension of our environment anywhere in the world.”
But the trade-off for increased security from multifactor authentication can be reduced productivity and ease-of-use. It’s a delicate balance because most states and localities strive to be both secure and convenient, so the debate rages on.
Balancing Multifactor Authentication Benefits and Challenges
While security advocates are staunch defenders of using multifactor authentication, users can sometimes rebel against it as an obstacle to getting work done.
A recent survey by security vendor IS Decisions found that 47 percent of companies that use multifactor authentication say it negatively impacts productivity, reports Dark Reading. Furthermore, 18 percent say they rejected multifactor authentication because it took too much time.
While this data is drawn from the private sector, it has relevance to the public sector too, because more internal and external government technology users are demanding technology that’s as fast and convenient as their private-sector counterparts.
In areas where there’s overlap between the public and private sectors, multifactor authentication has been a point of contention. For example, in New York, Gov. Andrew Cuomo is rolling out new state-mandated cybersecurity measures for banks and insurance companies, reports SC Magazine. But multifactor authentication, which was advocated and pushed for, didn’t make it into the final guidelines.
"While we applaud the positive elements of the proposal, we believe it was a mistake to abandon the requirement for multifactor authentication for consumer banking that [New York state's first Superintendent of Financial Services] Benjamin Lawsky had previously called for," said John Gunn, vice president of communications at VASCO Data Security.
There are ways to mitigate the inconvenience that multifactor authentication brings. For example, in a July StateTech story, Joel Snyder advises organizations to implement single sign-on before multifactor authentication.
“There is no question that multifactor authentication is more cumbersome than a simple username and password; however, advances in single sign-on technology have reduced the number of times that users need to log on. Cut the number of logins down each day, and people won’t mind so much if their first one takes longer or is a little harder,” wrote Snyder.