Published: October 6, 2021

Strengthening your government’s guard against the threats that compromised passwords pose is a necessary control for decreasing the risk of unauthorized users gaining access to your computers, network or database. In this post, we explain how passwords get compromised and how multi-factor authentication (MFA) can help governments improve their account security to better protect their systems.

How passwords get compromised

Once a password is compromised, cybercriminals can enter your system and cause trouble, including taking over your system or stealing or destroying your data. Common practices like password recycling, weak passwords and phishing can lead to compromised credentials.

If your employees reuse passwords on multiple personal and work sites—and if just one of those sites has a data breach—then a hacker could try to use that same password to access information on other sites. And employees who use weak passwords that a hacker’s software can easily guess increases your risk of unauthorized access to your systems, especially if they are recycling weak passwords across personal and work accounts.

Finally, phishing is a common way employees unintentionally share their credentials. Sophisticated phishing attempts through email or fillable forms can easily trick employees into sharing their passwords, thus granting hackers access to your system.

Using MFA to protect your systems

The best way for your government to protect itself against compromised credentials is to adopt MFA, which requires more than just a password to access your systems and information. MFA is a security practice that requires users to access your system using a combination of the following types of additional information:

  • Something they know, such as a password, pin or security questions
  • Something they have, such as a cell phone where they can retrieve a texted code, a hardware security key, or a smart card with an embedded chip
  • Something they are, usually a biometric like a fingerprint or voice recognition

You want to require at least two verification factors, but you can use more for added security. That’s the difference between two-factor and multi-factor authentication.

By far, the most common combination of MFA for internet-facing systems is the use of a password and a texted code to a cell phone. However, it is possible for these text messages to be intercepted, so other forms of MFA might be used to increase security, such as an authenticator app or a hardware security key.

To strengthen your government’s cybersecurity posture, you should use MFA for any system that contains confidential or sensitive information and any system that allows remote access or interfaces with the Internet.

Implementing MFA

Not sure if your systems are equipped with MFA? Start by asking your IT security employees (or service provider) if MFA is used on all systems that meet the criteria above. If their answer is no, ask them why these systems don’t require MFA. You may need to help resolve a funding gap, realign organization priorities, or overcome other technical issues.

If software your government uses came with a MFA option, make sure it is enabled. You should also contact your email service or vendor to find out if MFA is available and, if so, the steps you need to take to activate it. If MFA isn’t an option, evaluate whether you want to keep using that product or service or find something new with better security features. If you do decide to keep using it, prepare a risk assessment that clearly defines your rationale and the mitigating controls you established.

Protecting your systems if MFA isn’t an immediate option

If your government can’t implement MFA right now, put the following safeguards in place:

  • Monitor user logs for unexpected or suspicious activity, such as someone logging in during the middle of the night or from another country. Monitor vulnerable systems like email servers, your virtual private networks (VPNs), network management systems, or other business systems that contain critical or sensitive information.
  • Use separate, dedicated user accounts to perform administrative tasks. This can help prevent malicious software from being run with administrative privileges.
  • Educate users on the importance of creating unique passwords in both their personal and professional life. Tools like password vaults can help employees manage multiple passwords.


Cybersecurity & Infrastructure Security Agency (CISA): Multi-factor Authentication

For a technical resource from the National Institute of Standards and Technology (NIST): SP 800-63B, 4.1.1.

Contact us

Have a question about cybersecurity measures like MFA? Submit your questions to our IT Audit technicians using the HelpDesk in the client portal. We hope you find the information in this article helpful, and we encourage you to email SAO’s Center for Government Innovation at with your questions, comments, or recommendations for new resources.

Share this on social!
Share on facebook
Share on twitter
Share on linkedin
« back to Audit Connection Home