With phishing attacks on the rise, it was imperative for the government to support “phish-proof” multi-factor authentication (MFA) technology that was also user-friendly, efficient and cost-effective.
After evaluating several options for authentication for login.gov, the government decided to support FIDO2 through the use of FIDO security keys and built-in FIDO authenticators like Windows Hello biometrics. Through comparison to other options, they found FIDO to check the box for security, usability, cost and compliance.
GSA rolled out authentication with FIDO2 in September 2018. With initial adoption equating to about 2,000, or 0.2%, of new users, GSA made it a requirement for users to register a second MFA option. As a result, the number of new FIDO2 security keys increased to 17,000 per month. In late June 2019, there were about 27,000 FIDO2 keys registered and the adoption rate has increased to about 3% of all new users, representing a significant increase from initial rollout.