STATETECH: Michigan’s MILogin single sign-on program seems to be a big success. What can you tell us about it?
CLARK: MILogin started as an executive order during a prior administration. Gov. Gretchen Whitmer has continued to prioritize and enhance its capabilities from where it began as a single sign-on portal with a couple of smaller applications. In 2014, we had about 2,400 users on that system.
We’ve expanded it to more than 300 application interfaces behind the MILogin portal for 16 different agencies, and we have now over 9 million digital identities stored in that service. Pre-pandemic, we had about 25,000 daily logins through MILogin. During the height of the pandemic, we hit almost 2 million. And now, we’ve leveled out at around 800,000 each day.
We know that this is the first point of interaction with our customers, and that’s one of the reasons we’re focusing on usability through a human-centered design approach and pushing out self-service abilities for our end users, so they can access government services when and where it is convenient for them.
STATETECH: Do your single sign-on portals require getting agency buy-in to have other applications participate in identity and access management programs?
CLARK: Michigan is highly centralized, so our service model is a little bit different. We support all of the agencies in application development. We have a policy that requires state applications to use MILogin as the identity and access manager. With all policies, there are exceptions, and we also have a lot of systems that were already built and had their own identity and access management processes in place. As those systems go through modernization, major modifications or enhancements, that’s when we’re trying to onboard those to MILogin.
We’ve realigned the MILogin team into our Cybersecurity and Infrastructure Protection organization, but it started in our Center for Shared Solutions. It’s all about identity and access management, so we’re on the journey to zero trust. MILogin is going to be one of the primary components for us to be able to implement zero trust, which is being able to identify and manage who’s accessing our systems, our data and our devices.