blue background

Require MFA in Government

Make your organization significantly more secure from online threats. 

Enable Phishing-Resistant MFA to protect critical information 


Government systems—from emergency services to public health records to constituent information—are prime targets for cybercriminals. They may try to use vulnerable access points to steal information that connect them to critical infrastructure networks they can exploit. 

Strong passwords help, but they are no longer enough to keep accounts and systems secure when used alone. Multifactor authentication (MFA) adds an extra layer of protection by requiring two or more ways to verify a user’s identity. It’s a critical security control that helps ensure that only authorized users can access accounts. Even when attackers steal usernames and passwords through phishing or credential dumps, MFA can stop them from logging in. MFA is one of the most effective defenses against phishing attacks, brute force attacks and stolen or reused credentials. Ransomware incidents often begin with compromised credentials.  

According to National Cybersecurity Alliance’s annual Oh, Behave! survey, most regular MFA users secure banking and financial accounts, but far fewer protect work or social media accounts, highlighting the need for broader adoption. 

Implementing MFA into your policy is a simple, effective step that can block many common cyberattacks and significantly reduce the risk of account compromise.  


Protect Critical Infrastructure 

SLTT agencies often operate and support critical infrastructure systems that people rely on every day. Cyber criminals can use phishing or credential theft to steal passwords to gain initial access into systems. Without the second layer of protection MFA provides, a stolen or reused password may be all a criminal needs to disrupt critical public services. In sectors like emergency services, even brief system access could result in widespread consequences like delayed emergency response. 

Implementing MFA helps prevent unauthorized access, even if credentials are compromised, making it one of the most effective ways SLTT governments can protect operations and public safety.  


Block Digital Threats with MFA 

MFA is a simple, easy way to greatly increase your organization’s cybersecurity. Get started with these steps. 

  1. Require MFA wherever possible.  

    Work with your IT team to implement MFA across systems like email, file storage and remote access. Start with admin accounts and employees who handle sensitive data. 

    Leverage grant funding (like the State and Local Cybersecurity Grant Program or Tribal Cybersecurity Grant Program) to implement MFA solutions across departments. 
     

  2. Use the most secure MFA method you can. 

    Not all MFA methods offer the same level of protection. Any MFA is better than none, but some are much stronger at keeping attackers out. From most to least secure, here are the main options: 

    • Security key: Use a physical security key (like a YubiKey) to log in. It plugs in or taps your device. Provides the best protection against phishing and is easy to use.   
    • Authenticator app with number matching: Anapp pushes a prompt to your phone. You enter a number shown on the login screen to confirm.  
    • Authenticator app with one-time code: An app generates a new code every 30 seconds.  
    • Biometrics: Uses your fingerprint or face to confirm your identity. Usually device specific. Best when used with another method.  
    • Text or email code: A one-time code is sent to your phone or email. This is the form people are most familiar with, however it provides the weakest protection.

    Talk with your IT team to determine the right MFA solution for your organization.

a bar chart of different MFA security levels

 

  1. Make MFA a policy—not a preference. 

    Formalize MFA in your cybersecurity policies by mandating it for all users and requiring it in vendor and contractor access agreements.  

    Support your teams as they adopt MFA by providing clear guidance on how to enroll. Ensure helpdesk staff are trained to help with MFA issues. Train employees to recognize and report MFA fatigue and push notification abuse scams. 
     

printer icon with cybersecurity essentials fact sheet

Printable Tips

Get the Four Cybersecurity Essentials for SLTTs in one handy, printable summary. 

GET IT NOW

No-Cost Technical Guidance on MFA—Share with Your IT Team

Implementing Phishing-Resistant MFA Fact Sheet

Learn the different MFA methods and considerations for implementing the most secure options.  

Implement Strong Authentication Guide

Get practical advice for guiding your organization through moving to stronger authentication methods. 

Implementing Number Matching in MFA Applications

Learn how to use number-matching as a more secure option than mobile push for an interim step while planning your move to phishing-resistant MFA. 

Protect Government Services with Phishing Training

Require Strong Passwords in Government

Update Government Software

Secure U.S. State, Local, Tribal & Territorial Government

State, Local, Tribal & Territorial Government Resources

Cybersecurity Awareness Month