When MFA and Mobile Devices Don't Mix
Common methods of implementing MFA often rely on the use of mobile devices. When an SMS message, a one-time password or a push notification is sent, it is commonly delivered to a user’s smartphone. However, many state and local government employees and contractors can’t use mobile devices for MFA, due to insufficient cellphone coverage in their areas, union restrictions or compliance mandates. Others are reluctant to use their personal mobile devices for work functions or to allow administrators access to their devices.
In addition, SMS, one-time password and push notifications carry risks of their own when they are the only second factor. SMS codes can be redirected through SIM swapping or weaknesses in the carrier network, and a code or push approval of any kind can be relayed in real time by a phishing site that sits between the user and the genuine login page, because nothing ties the code to the site the user is actually on. NIST's Digital Identity Guidelines (SP 800-63B) classify SMS-delivered codes as a restricted authenticator, and U.S. government guidance recommends that no MFA deployment rely solely on SMS verification.
Ensuring Protection Outside of Mobile-Based MFA
To fill these gaps and reach full MFA coverage, state and local agencies may consider hardware security keys. A security key is a small physical authenticator, typically connected over USB, NFC or Lightning, that holds a private key and answers a cryptographic challenge from the website during login; it is not a storage drive, and it does not keep a session open simply by staying plugged in. With the FIDO2/WebAuthn standard that current keys implement, the browser binds each signed challenge to the domain the user is visiting, so a signature produced on a look-alike phishing page cannot be replayed against the real site. That origin binding, rather than possession of the device alone, is what makes security keys phishing-resistant: an attacker needs the password and the key, and even a user who is fooled by a convincing fake page cannot hand over a usable credential. And none of it depends on a phone.
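To show why a security key resists the relay phishing that defeats SMS and one-time codes, here is an added example that is not code from the original article, Login.gov or any key vendor. It is a simplified Go model of a WebAuthn-style ceremony: the key holds one P-256 key pair per relying-party ID, signs a digest that covers both the relying-party ID and the origin the browser is really showing, and the relying party checks the reported origin before verifying the signature. The domain names, the `Login` and `Setup` helpers, and the clientData layout are constructed for illustration; a real FIDO2 key also signs a counter, flags and attestation data, which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed names: a hypothetical relying party and a look-alike phishing domain.
const (
	legitRPID   = "login.example.gov"
	legitOrigin = "https://login.example.gov"
	phishRPID   = "login.example-gov.net"
	phishOrigin = "https://login.example-gov.net"
)

// Authenticator models the security key: one P-256 key pair per relying-party ID.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// Register creates a credential scoped to rpID and hands back its public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// signedDigest is what the key signs: SHA-256(rpID) || SHA-256(clientData), where
// clientData carries the challenge and the origin the browser is actually showing.
func signedDigest(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	d := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return d[:]
}

// Assert is called by the browser, which supplies the rpID and origin of the page
// the user is on; the key cannot answer for a domain it holds no credential for.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, origin, challenge))
}

// RelyingParty keeps the public key from registration and the outstanding challenge.
type RelyingParty struct {
	pub       *ecdsa.PublicKey
	challenge []byte
}

// Verify checks the origin the client reports, then the signature over that same
// origin, so a signature made on another page can never be made to fit.
func (rp *RelyingParty) Verify(clientOrigin string, sig []byte) bool {
	if clientOrigin != legitOrigin {
		return false
	}
	return ecdsa.VerifyASN1(rp.pub, signedDigest(legitRPID, clientOrigin, rp.challenge), sig)
}

// Login runs one ceremony. rpID and origin are what the browser passes to the key
// (the page the user is really on); claimedOrigin is what reaches the relying
// party, which an adversary-in-the-middle site is free to rewrite.
func Login(auth *Authenticator, rp *RelyingParty, rpID, origin, claimedOrigin string) (bool, error) {
	rp.challenge = make([]byte, 32)
	if _, err := rand.Read(rp.challenge); err != nil {
		return false, err
	}
	sig, err := auth.Assert(rpID, origin, rp.challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(claimedOrigin, sig), nil
}

// Setup registers the key with the genuine relying party.
func Setup() (*Authenticator, *RelyingParty, error) {
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	pub, err := auth.Register(legitRPID)
	if err != nil {
		return nil, nil, err
	}
	return auth, &RelyingParty{pub: pub}, nil
}

func main() {
	auth, rp, err := Setup()
	if err != nil {
		panic(err)
	}
	ok, err := Login(auth, rp, legitRPID, legitOrigin, legitOrigin) // user on the genuine site
	fmt.Println("genuine login:", ok, err)                        // true <nil>
	ok, err = Login(auth, rp, phishRPID, phishOrigin, legitOrigin) // look-alike site relays a real challenge
	fmt.Println("phishing relay:", ok, err)                       // false no credential for login.example-gov.net
	ok, err = Login(auth, rp, legitRPID, phishOrigin, legitOrigin) // signed on the phishing page, claims genuine origin
	fmt.Println("origin forgery:", ok, err)                       // false <nil>
}
```

The contrast with a one-time code is the point: a six-digit code typed into the look-alike page is a bare string the attacker forwards unchanged, whereas here the browser refuses to ask the key for the genuine credential on the wrong domain, and even a signature obtained some other way names the phishing origin inside the signed data and fails verification.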
Another option is Login.gov, the General Services Administration's shared sign-in and remote identity proofing service. When the program launched in 2017 it was available only to federal agencies, but it is now open to a range of federally funded state and local government programs. Login.gov provides strong authentication for members of the public accessing participating programs, with MFA that works from desktops as well as mobile devices. The user sets up a Login.gov account, creates a strong password and then selects one or more additional authentication methods, which include security keys, authentication applications, biometric methods, and personal identity verification (PIV) or common access cards (CAC).