Security

Ways to Implement Multifactor Authentication Without a Mobile Device

State and local agencies have options for strengthening security for signing in to accounts.

Tanya Candia is an international management expert, specializing for more than 25 years in information security strategy and communication for public- and private-sector organizations.

Passwords are hard to remember and even harder to change periodically, and it’s increasingly difficult to devise strong credentials. Instead of confronting the challenge, many users rely on weak passwords and reuse them for multiple accounts. This makes it easy for cybercriminals to guess credentials or obtain them via phishing attacks.

Once gathered, credentials can be sold on the dark web. Then, both the original criminal and hordes of other attackers can gain access to personal and work-related systems and data.

Two-factor authentication (2FA) and multifactor authentication (MFA) are accepted ways to make credentials much less vulnerable. 2FA relies on a combination of something you know (e.g., username/password) and something you have (e.g., your mobile phone or computer, a keycard or a USB) or something you are (e.g., a scan of your iris or fingerprint) to ensure that only authorized individuals can access sensitive systems and information.

MFA can involve all three factors. With MFA, even if the username/password combination is stolen, accessing an account is extremely difficult because criminals won’t be able to complete the additional authentication steps.

Click the banner below to get access to customized content by becoming an Insider.

When MFA and Mobile Devices Don't Mix

Common methods of implementing MFA often rely on the use of mobile devices. When an SMS message, a one-time password or a push notification is sent, it is commonly delivered to a user’s smartphone. However, many state and local government employees and contractors can’t use mobile devices for MFA, due to insufficient cellphone coverage in their areas, union restrictions or compliance mandates. Others are reluctant to use their personal mobile devices for work functions or to allow administrators access to their devices.

In addition, there are some risks associated with sending SMS, one-time password or push notifications for multifactor authentication. When implemented improperly or as the sole security method, messages could be hacked and codes intercepted. In fact, the U.S. government has recommended that no MFA solution should rely solely on SMS verification tools.

EXPLORE: How security authentication tokens can help prevent cyberthreats.

Ensuring Protection Outside of Mobile-Based MFA

To fill these gaps and ensure 100 percent MFA coverage, state and local agencies may consider hardware security keys. The key is typically a physical device, often a USB drive that only grants access to accounts while it is plugged into a computer. It provides a high level of protection against phishing and hacking because no one can access an account without both the login credentials and the key. And it does not rely on a phone.

Another solution may be Login.gov, the General Services Administration’s cloud-based remote identity proofing platform. When the program launched in 2017, it was only available to federal agencies, but it is now open to a variety of federally funded state and local government programs. Login.gov provides strong authentication to allow the public to access participating programs, using MFA from desktops as well as mobile devices. The user need only set up a Login.gov account, create a strong password and then select one or more additional authentication methods. These include security keys, authentication applications, biometric methods, and personal identity verification or common access cards.

Another solution may be Login.gov, the General Services Administration’s cloud-based remote identity proofing platform."

How Login.gov Handles Authentication

Some Login.gov authentication options do not require a mobile device:

Security keys: These physical devices provide the highest level of protection against phishing and hacking if lost or stolen. To be used with Login.gov, security keys must meet Fast Identity Online standards. Examples include YubiKey keys, which support many protocols and are compatible with a wide range of online services.

Authentication applications: These applications, when downloaded to a computer, generate secure, six-digit codes used to sign in to accounts. The app is more secure than phone calls or text messages, which are susceptible to phishing, hacking or interception by cybercriminals who can reroute messages. Examples of authentication applications are 1Password and OTP Manager for Windows and Mac devices and the Authenticator extension for Chrome.

REVIEW: How a new application is transforming the way Texans interact with state government.

Biometric authentication: Facial recognition and fingerprint sign-in to Login.gov accounts are phishing-resistant methods, but they come with some limitations. They can only be used on devices that support them, and they are specific to both the device and the browser. In most cases, users will need to purchase and install hardware for fingerprint recognition or a biometrically enabled camera.

PIV or CAC: Personal identity verification or common access cards are secure options for federal government employees and military personnel. They are resistant to phishing and difficult to hack if stolen. However, these cards are not available to everyone.

Backup codes: If all else fails, Login.gov can generate a list of backup codes, each of which can be used only once when logging in. This is the least secure option for MFA; codes must be printed out or written down, making them just as vulnerable as passwords written on sticky notes left on a desk. Users who choose backup codes as their preferred MFA method need to closely guard the codes.

MFA methods that rely on mobile devices can be convenient, but there is a need for equally strong alternatives. Login.gov provides multiple MFA authentication options, extending the reach of strong authentication to those who can’t or won’t use mobile devices.

tsingha25/Getty Images