Agencies still rely on username-password for access management
Even though more secure identity access management solutions exist, 86% of federal, state and local government respondents said that usernames and passwords are their most-used authentication method, according to a recent survey.
Most agencies at the federal, state and local levels still rely on username and password combinations for identity access management (IAM), a new report found.
The finding is part of the “2022 Public Sector Identity Index Report,” released this month by Market Connections on behalf of Auth0, an Okta product unit. It surveyed 200 federal and 200 state and local government workers between September and October 2021.
Overall, 86% of the respondents said that usernames and passwords are their most-used authentication method. State and local governments have a slight edge over federal agencies, with 89% using them, compared with 84%. Sixty-five percent of respondents said they use two-factor authentication, and only 19% said they use biometrics or passwordless authentication.
“One of the things that surprised me – the biggest one – was the overreliance on username and password as their main identity access management solution,” said Jared Shellaway, assistant vice president for research services at Market Connections. “There’s a lot of other things out there these days – two-factor authentication, all sorts of other things. [Username and password] … is not the most secure.”
To broaden the adoption of more secure access management, agencies must understand the risks of using the username-password combinations vs. other methods of securing their digital services, the report states.
Thirty-nine percent of respondents said they build their own IAM solutions – 41% among state and local agencies. Another option for agencies is outsourcing. “They’ve stated that it’s a pain point to do it internally; they don’t have the resources,” Shellaway said.
The pain points associated with that, as Shellaway said, relate to resources. Thirty-five percent of state and local respondents cited a lack of staff or resources to manage IAM internally, while 34% of federal respondents said their current solutions aren’t scalable. Only 10% of state and local respondents had that concern.
“I think what they need to do, first of all, is explore what the options are out there,” Shellaway said. “Starting small or even developing a plan, a road map for identity access going forward is going to be key,” he said. Agencies should also consider outsourcing. “In a lot of cases, some of the products and services that companies can offer are available at maybe less than they think it will cost.”
Overall, about 60% of respondents are confident in the security or ease of use of their authentication solutions, but accessibility is a bigger concern, with many having low confidence in their solutions’ accessibility via mobile, for example.
Many – 64% overall, 61% at the federal level and 66% at the state and local level – said having one digital credential across services is important, but only about half have one. The most-cited aspects of a single IAM system are meeting compliance rules and regulations (74%) and maintaining centralized control over user authentication.
Among federal respondents, the most important aspect is ensuring data security and privacy, while having a framework that allows adapting solutions in stages is the top reason for state and local agencies.
The report offers six actions for agencies to take, most of which focus on cultural, rather than technological, changes. They include marketing the risks and benefits of authentication and attaching IAM to expanding digital services, getting stakeholders to see the value and benefits of a single credential across services and adopting solutions to boost public trust in government.
“The biggest issue of not providing services online is the issue of equity -- for all the citizens to be able to access the services equally,” Shellaway said. “The risk they have when not implementing identity access management solutions is really security. The goal is to be able to log into one place and have it know you are connected through other levels of government.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.