Nevada lawmakers are moving forward with spending up to $2 million to implement a statewide multi-factor authentication system aimed at upgrading computer security for the state’s workforce amid dozens of compromised passwords.

During a budget subcommittee meeting on Thursday, lawmakers agreed to move forward with spending $2 million in reserve dollars for the state’s Enterprise Information Technology Services (EITS) division to fund a multi-factor authentication platform — a two-step process that uses both a password and a piece of information that only the user has, such as a special code sent to a phone or email address, or even a special hardware token. 

The concept is aimed at boosting information security and lowering the chances of hacking or unauthorized access into a computer or web system — something the division said was necessary for the state’s workforce, which still use weak passwords that may lead to security breaches.

According to a budget closing packet, the division reported processing 65 tickets for accounts that “were compromised through the current single sign-on environment” in the 2020 calendar year, with the agency estimating that more than 80 percent of those compromised accounts were caused by weak or stolen passwords.

Though none of the 65 compromised accounts resulted in theft of confidential or personal information from state systems, the agency said that “poor password practices are less likely to be exploited due to the second factor of authentication providing an extra layer of protection,” according to the budget closing packet.

In an email, Department of Administration (where EITS is housed) spokeswoman Stephanie Klapstein said that 65 compromised accounts were “primarily the result of successful phishing attempts, for example when an employee clicks on a link in a phishing email.”

She reiterated that the division has no indication that any of the situations resulted in exposure or leak of data, and disables the account once discovered. She said the compromised accounts are less than half of a percent of accounts managed by the state, and the numbers of successful phishing attempts have gone down since the state launched training on the topic in 2018.

“Multi-factor authentication adds a critical statewide layer in the “security onion,” dramatically reducing the likelihood that any of our 18,000 accounts could be used by an attacker,” she said in an email. “It is also an important component of keeping the state compliant with federal security requirements.”

EITS noted that the Center for Internet Security, a nonprofit organization that sets best practices for securing IT systems and data, will require two-factor authentication technology as part of its standards starting in January 2022.

The state’s current minimum requirements for computer passwords include at least eight characters, one upper and lower case letter, one number, one special character and a password reset every 90 days.

The agency plans to contract with Microsoft Azure, obtaining more than 18,000 licenses for two-factor authentication at an annual cost just under $1 million per year.

Asked by Assemblywoman Brittney Miller (D-Las Vegas) if the state was moving forward with an “optimum solution” on two-factor authentication, EITS Administrator Timothy Galluzi said that moving forward with the Microsoft product made sense because the state already contracts with the company in using Office 365 products, and the service itself is considered “one of the industry’s top.”

“It is a solid solution,” Galluzi said. “And we are confident that it will provide the security necessary for the state. We want the state data and the constituent data to be as protected as we would our own personal banking information.”