State and local governments manage two distinct but equally vulnerable identity perimeters.
On the public-facing side, agencies deliver benefits, licenses, tax services, and records to millions of residents through online portals. The login pages for these portals have become prime targets for credential stuffing and identity fraud.
The second vulnerable perimeter is the workforce. Agencies must ensure that government systems can only be accessed by current employees and active contractors. Many state and local governments manage hundreds of systems. Many still rely on usernames and passwords, contain orphaned accounts from departed staff, and lack multi-factor authentication (MFA).
Both perimeters have been exploited in major breaches. Fraud rings abused weak public-facing identity proofing to steal between $100 billion and $135 billion in pandemic-era unemployment benefits, according to a 2023 Government Accountability Office estimate. On the workforce side, attackers have breached government systems through orphaned accounts. In one case documented by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in February 2024, a threat actor used a former employee’s administrator credentials to authenticate into a state agency’s VPN, access internal servers, and exfiltrate sensitive data.
These breaches are the result of identity controls built for an earlier era. Authentication based on passwords and standard MFA struggles to withstand high-volume attacks that leverage AI, Dark Web credential leaks, and telecom fraud techniques. Threat actors now intercept one-time passcodes and compromise phones used as second factors.
This blog examines how traditional identity verification and access management controls are increasing risk for state and local government agencies. It also explains how identity threat detection and risk mitigation can strengthen existing defenses and better protect public sector systems.
Why traditional controls are buckling under pressure
Existing security controls are failing for two reasons. Technology has stagnated, and threats are evolving faster than policy.
For years, government agencies relied on a familiar toolkit. This included passwords, directory services such as Active Directory, VPNs for remote access, and knowledge-based verification for the public. These controls were supported by manual processes, including in-person identity checks and document reviews.
As public services moved online, these tools did not evolve fast enough. Many agencies simply replicated password-based logins on web portals without adding device recognition or dynamic risk scoring. They continue to trust a user’s identity based on a username, a password, and sometimes a secret question. Threat actors, however, have become far more skilled at impersonation.
Another challenge is account sprawl. A mid-sized state agency may operate dozens of applications, each with its own user store. Users rotate frequently across employees, contractors, and partner organizations. Without a centralized Identity and Access Management (IAM) program, some accounts inevitably become orphaned. These accounts create opportunities for attackers to gain access unnoticed.
Third-party access compounds this risk. Vendors and service providers often receive credentials but are not always subject to the same onboarding and deprovisioning processes as full-time staff. CISA and other authorities have warned that any valid credentials can serve as a gateway for threat actors, including those belonging to external partners.
The core issue is that legacy identity controls cannot withstand modern fraud techniques. Today’s attackers use leaked data, automated tools, and AI-powered fraud services. These capabilities dramatically increase the risk of relying on credentials alone.
How state and local governments can modernize identity controls
Modernizing identity security is complex. Agencies face a wide range of options, including phishing-resistant MFA, risk engines, identity verification services, and reporting tools. The volume of solutions can make it difficult to build a cohesive strategy.
The first step is to treat every login and enrollment as a risk decision. The National Institute of Standards and Technology’s (NIST) Zero Trust Architecture describes a policy engine that uses organizational rules and external risk signals to grant, deny, or revoke access. Enforcement points then enable, monitor, and terminate sessions.
This requires inserting risk-based identity controls at the moment when identity breaks most often. These include login, account creation, MFA enrollment, account recovery, and privileged actions. Each interaction should consider risk signals that passwords and MFA alone cannot capture. Examples include SIM swap risk, network reputation, and evidence of credential exposure.
Rather than deploying disconnected point tools, agencies can adopt a comprehensive identity threat detection and risk mitigation platform. This platform should integrate with existing SSO and IAM systems to enforce consistent security across all applications.
For example, ID Dataweb evaluates every login and account creation attempt in real time. It assesses whether a device is known or new, whether the network is high risk, whether a phone number shows signs of SIM swap activity, and whether the username or email has appeared in recent breaches. It builds this risk profile by combining telecom, device, behavioral, and network risk signals.
Based on this assessment, ID Dataweb enforces policy-driven access decisions across an agency’s environment. Low-risk logins proceed without friction. Higher-risk attempts trigger stronger identity verification. Because decisions are based on real-time risk signals, authentication adapts to context and threat conditions.
Conclusion
For state and local agencies, strong identity controls are no longer optional. They are mission critical for security and public trust. Weak logins and fragmented verification processes have contributed to costly breaches and fraud.
Modern identity threat detection and risk mitigation enables agencies to stop fraud at the moment it occurs instead of discovering it months later. Adaptive authentication also reduces the traditional tradeoff between security and usability.
ID Dataweb brings together continuous verification, diverse identity data sources, and automated response orchestration in a single service that can be deployed quickly.
For agencies facing growing identity threats, speed and consistency are essential. Rather than spending months integrating separate tools, state and local governments can layer a unified platform onto their existing SSO and IAM infrastructure and begin enforcing stronger identity controls immediately.
