The State of Michigan’s Department of Technology, Management &  Budget (DTMB) is a principal department of the state’s government  responsible for providing a wide range of support functions to other state  agencies.  

The department’s broad spectrum of responsibilities includes technology  services, labor market information, facilities management, financial  services, procurement, retirement services, real estate management, the  Michigan public safety communication system, fleet and records  management, and more. 

The DTMB also plays a crucial role in cybersecurity for the state,  providing resources and tools to protect against cyber threats and  manage the State’s IT infrastructure. One of the DTMB’s efforts is the  MiLogin digital identity solution, which enables over 10 million users to  access state government services securely and conveniently. 

DTMB was looking to secure MiLogin, Michigan’s application that allows  users to access multiple state applications and services with a single user  ID, with strong authentication that improves user experience and decided  to go with passkeys, based on FIDO authentication. 

Passkeys are a password replacement that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets.

Key Objectives 

The State of Michigan aimed to address several key objectives with the integration of passkeys:

Enhance the digital user experience.  

The goal was to streamline the digital user experience, particularly in providing users with seamless access to critical state  government services. DTMB aimed to simplify the login process, making it more user-friendly and efficient. 

Reduce help desk support dependency.  

Recognizing the strain on help desk resources due to login access issues, DTMB sought to reduce users’ need to access help desk support. By implementing changes to enhance the login process, the goal was to empower users to navigate.

Fortify security resilience.  

There is no shortage of risk and vulnerabilities associated with traditional username and password authentication. A key  objective was to fortify the system against security threats and phishing incidents, by adopting advanced FIDO strong  authentication to mitigate the risks commonly exploited by bad actors seeking unauthorized access.

The Importance of Open Standards and Interoperability 

Before deciding to implement passkeys, the DTMB explored a proprietary passwordless login solution offered by a cloud based identity-as-a-solution (IDaaS) provider. However, the solution lacked the interoperability required. 

The DTMB determined early on in its process that open standard and interoperability were critical and required  components of its strong authentication strategy.  

A standards-based approach provides interoperability across popular device types and web browsers, maintains vendor  neutrality, allows for cost savings through community adoption, and a pathway to adopt future innovations in the FIDO  ecosystem. 

The Solution: FIDO Drives Results 

Passkeys checked all the boxes for the DTMB, utilizing open standards and an interoperable approach for authentication.

The DTMB found that passkeys provide the following advantages:

  • Passkeys are based on open standards, ensuring interoperability without  necessitating additional software for users to download. 
  • Multiple vendor support for FIDO standards and the tech’s rapid  adoption promotes the long-term continuity of FIDO authentication as a  service. 
  • FIDO standards accommodate various authenticator types (such as  biometric sensors, hardware keys, etc.) across desktop and mobile  devices, catering to the DTMB’s user base’s diverse authentication  requirements. 
  • Prioritizing user and ecosystem partner security, passkeys provide strong  phishing resistance. 

MiLogin’s Path to Passkeys 

The DTMB’s passkey rollout involved a meticulous process to ensure a seamless, secure transition. 

Extensive research on passwordless authentication solutions was conducted, engaging the DTMB’s cybersecurity review  board in the evaluation process. Upon selecting passkeys for further exploration, the DTMB delved into the analysis of  various FIDO options and sought feedback from the National Institute of Standards and Technology (NIST). 

Working together with Deloitte, which is the DTMB’s trusted systems integrator for the State’s enterprise digital identity  solution, a comprehensive strategy was planned for the design, development, and implementation phases. 

In the design phase, insights from the FIDO Alliance’s usability study results were working into screen and workflow  designs. Findings from the DTMB’s MiLogin human-centered design usability study were also used to create a user  experience tailored to address the diverse needs of various personas.  

The development phase focused on integrating MiLogin with FIDO authentication methods, accompanied by the creation  of animated user help guides and tutorial videos to drive greater user adoption. 

Post-implementation, the DTMB monitored production metrics and gathered feedback from end-users, ensuring the  success of the implementation and identifying areas for functionality enhancements in future releases.

MiLogin’s Impressive Passwordless Results 

Within the first six months of release, MiLogin achieved impressive results for the State of Michigan:

  • 100,000+ customer devices enrolled in passkeys 
  • ~18,000 new passkey enrollments per month 
  • Increased FIDO-based logins with zero reported issues 
  • Decreased help desk initiated password resets with 1,300 fewer calls  related to password resets in a single month. 

“I am proud that our MiLogin team has brought passwordless authentication to our public  digital identities. Passwordless brings additional protections to our public digital identities, and  helps protect our systems from account takeover attempts such as brute force and password  spray attacks.”  

– Jayson Cavendish, Chief Security Officer, State of Michigan, DTMB 

The Road Ahead for Passwordless in the State of Michigan 

The State of Michigan anticipates a significant increase in passkey adoption, targeting over 10 million public users.  They also plan to implement passwordless authentication for their workforce, integrating with their state directory  services solution. 

FIDO authentication is a part of the State of Michigan’s Zero Trust Identity strategy to establish a secure identity in citizen  interactions with state services. It will also improve the user experience, generate cost savings for the state, and increase adoption of the State’s digital identity solution by diverse state agency partners. 

So what advice does the DTMB have for other other organizations? The State of Michigan recommends understanding  diverse user bases and use cases, prioritizing user experience, and incorporating usability studies, clear end-user messaging,  and a well-designed communication plan for a successful FIDO authentication implementation.


More

SURF Uses FIDO2 to Protect Users in the Netherlands

SURF is the shared IT organization for research institutes and universities in the Netherlands. The…

Read More →

How CZ.Nic uses FIDO Authentication 

The Company:  CZ.nic is a domain registry organization in the Czech Republic that has been…

Read More →

How CVS Health Uses FIDO to Secure Its Users

CVS Health is a U.S. healthcare organization that includes multiple operating divisions including retail with…

Read More →