The Ultimate Guide to Online Fraud Prevention for State & Local Governments
How to Choose an IAM Solution that Supports Your Most Critical Objectives

IAM Modernization for State & Local Governments

State and local governments are rapidly modernizing digital services to better serve their constituents, but as public sector agencies digitize, cyber threats and operational complexity are growing just as fast. Scammers are leveraging GenAI for everything from deepfakes and voice cloning to personalized phishing and fake AI platforms that steal login credentials. Because fraud losses can rapidly get out of hand, fraud prevention is a critical part of any organization's strategy. The result? Billions lost to fraud, rising citizen mistrust, and friction-filled digital experiences that undercut service delivery goals. But there's a better path forward.

This guide explores how modern identity and access management (IAM) solutions help public agencies unify and secure digital experiences, reduce fraud and abuse, defend against AI-driven threats, and streamline operations. Learn how you can deliver secure, seamless access to residents, employees, and partners, while building trust, improving efficiency, and protecting public resources.

$1 trillion in global scam losses last year, driven by AI-powered attacks, including deepfakes, voice cloning, and personalized phishing targeting government services. [1]

How Do You Get Fraud Prevention Right?

How Do Fraudsters Exploit Government Agencies?

Cybercriminals are not a homogeneous group. The word “fraudster” brings to mind the image of a shadowy figure in a hoodie hunched menacingly over a screen, but that may not necessarily be the case. Fraudsters vary widely in age and live in every country. Many work alone, but many others work in “fraud rings” run by nation states and/or large, well-funded criminal organizations. Some of these criminals choose to work entirely online, while others are charismatic con artists who charm information out of victims by posing as legitimate service providers, then use that information to access accounts. And of course, plenty of these bad actors make use of digital technology to greatly increase the scope and reach of their attacks.

Account Takeover

Account takeover (ATO) is a particularly damaging form of fraud in which a cybercriminal gains unauthorized access to a legitimate user's account, often by using stolen credentials. Once inside, the attacker may change personal information, reroute notifications, or redirect benefit payments to themselves. In some cases, the goal isn't even to steal funds directly, but rather to harvest sensitive personal information to commit fraud elsewhere. The ripple effects of ATO are far-reaching—victims may be unaware that their benefits have been hijacked until payments fail to arrive, and agencies must then dedicate time and resources to investigating and remediating the fraud.

New Account Fraud

New account fraud is often executed using automated bots and synthetic identities, which enables criminals to enroll in benefit programs under false pretenses. These fake accounts may appear legitimate and slip through initial verification processes, allowing fraudsters to collect payments fraudulently. Whether through stolen credentials or fabricated identities, both types of fraud exploit digital vulnerabilities, costing governments millions and depriving legitimate citizens of the services and support they deserve.

Social Engineering

Social engineering scams may not originate directly on a government digital services site, but they can still lead to significant fraud losses. Social engineering refers to the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Phishing is a type of social engineering attack often used to steal user data, including login credentials and other personal information. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The scammer may convince a legitimate user to complete transactions that are against their best interests. One of the biggest challenges in stopping social engineering lies in the fact that these scams lead legitimate users to take actions that result in the loss of personal information and benefit payments. When a user falls prey to a phishing scam, identifying fraudulent activity becomes very difficult until long after the transaction is complete.

Benefit Loss

Fraud poses a significant threat to the integrity of state and local government benefit programs, diverting critical resources away from the vulnerable citizens who need them most. Increasingly, cybercriminals are targeting these programs through sophisticated schemes such as account takeover and new account fraud—forms of digital identity theft that exploit system weaknesses and stolen or fabricated identity data. These attacks not only result in direct financial losses but also erode public trust in essential government services.

The Tools Fraudsters Use to Commit Crimes

Bots & Emulators

Bots may be involved in any of the attack vectors outlined above, but they are especially handy for tedious attack vectors like testing stolen credentials or committing brute force password attacks. Bots are also efficient at perpetrating new account fraud at scale. A bot attack is the use of automated web requests to manipulate, defraud, or disrupt a website, an application, an API, or end-users. Bad bots make up over 30% of internet traffic. [2] Bot attacks are often carried out using emulators—programs that disguise a device to resemble another device. For example, after acquiring a user's device ID and bank account information, a fraudster can use an emulator to make their desktop appear to be the user's mobile phone, then intercept MFA verification to access the account and transfer funds.

Malware & Ransomware

In certain cases of social engineering, an unwitting user may be tricked into activating some form of malware (short for "malicious software"), which is a file or code, typically delivered over a network from a phishing scam, that infects, explores, steals, or conducts virtually any behavior an attacker wants. This may include ransomware, which is a form of malware designed to encrypt files on a device, rendering files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.

How State & Local Governments Can Prevent Fraud

Effective fraud prevention requires organizations to collect information about fraudulent activity to improve their defensive posture.

Fraud Detection

Fraud detection is the signal phase in which digital interactions are evaluated for fraud risk. Traditional detection methods focus on the transaction, but modern fraud detection tools can begin scanning sessions much earlier. The information gathered in the fraud detection phase forms the foundation for an effective counter-fraud response. There are many kinds of fraud and risk signals that an organization may collect, and most organizations opt for a layered approach to detection to ensure that fewer fraudulent sessions slip through the cracks. This means deploying multiple detection tools simultaneously to measure different things at different points throughout the session.

Decisioning Tools

Decision-making or decisioning tools are used to aggregate the signals from the detection phase and consolidate them down to a decision based on the perceived risk of the session and/or activity. These decisions are based on fraud thresholds and logic defined by internal fraud teams and enforced by authorization tools. Historically, many fraud teams have developed and built decisioning tools internally based on their specific requirements, but these homegrown tools are often difficult to keep up to date as new fraud detection methods come on board. The decisioning phase becomes more complex as organizations must scan for fraud throughout the user journey and may choose to initiate mitigation at different points throughout the session, for example, not only at the point of transaction but also when viewing saved personal information, changing profile information, and changing user settings. To set up automated, effective decisioning, fraud teams must define the logic that determines the risk levels that will trigger mitigation. This logic is housed in the decisioning tool, which should be set up to collect and analyze all sources of risk signals.

Mitigation

Fraud mitigation can come in several forms. Ultimately, any action undertaken to hinder a potentially fraudulent outcome can be considered mitigation. Mitigation may include killing a session, identity verification, or simply stepping up MFA to gain more assurance about a user’s identity. Unfortunately, mitigation measures run the risk of impacting user experience (UX). Deploying too many counter-fraud tools may make legitimate users perceive that they are being treated like criminals. That is why numerous signals (detection), brought together with unifying fraud logic (decisioning) that then leads to one of many actions to stop fraud (mitigation), create the best balance between fraud prevention and the user experience. To lessen the impact of fraud mitigation on UX, fraud prevention tools need to be integrated with other tools that also shape the user journey: authentication and access management tools as well as identity proofing and affirmation tools.
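
The detection, decisioning, and mitigation phases described above, sketched as an added example (it is not code from this guide or from any Ping Identity product). The signal names, weights, cutoffs, per-step thresholds, and journey-step names are all assumptions chosen for illustration; the point it shows is that the same signals lead to different mitigation at different journey steps, and that a detector that fails to report must not be read as "no risk."

```python
# Added example: all names, weights and thresholds below are assumptions.
from enum import IntEnum
from typing import Mapping, Optional, Tuple


class Action(IntEnum):  # ordered from least to most friction
    ALLOW = 0
    STEP_UP_MFA = 1
    VERIFY_IDENTITY = 2
    KILL_SESSION = 3


# Assumed relative weight of each detection layer (sums to 1.0).
WEIGHTS = {"bot": 0.40, "device": 0.25, "behavior": 0.20, "velocity": 0.15}
BOT_CUTOFF = 0.90    # assumed: at or above this the session is treated as a bot
MIN_COVERAGE = 0.50  # assumed: share of total weight that must have reported

# Assumed thresholds per journey step: (step-up MFA, verify identity, kill).
# More sensitive steps tolerate less risk before mitigation starts.
THRESHOLDS = {
    "login":          (0.40, 0.65, 0.85),
    "view_saved_pii": (0.35, 0.60, 0.85),
    "change_profile": (0.30, 0.50, 0.80),
    "payment":        (0.25, 0.45, 0.75),
}


def risk_score(signals: Mapping[str, Optional[float]]) -> Tuple[float, float]:
    """Return (weighted score, coverage). Signals are 0..1; None = no report."""
    present = {}
    for name, value in signals.items():
        if name not in WEIGHTS:
            raise KeyError(f"unknown signal: {name}")
        if value is None:
            continue
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} out of range: {value}")
        present[name] = value
    coverage = sum(WEIGHTS[n] for n in present)
    if coverage == 0:
        return 0.0, 0.0
    # Renormalise so a silent detector is not read as "no risk".
    return sum(WEIGHTS[n] * v for n, v in present.items()) / coverage, coverage


def decide(step: str, signals: Mapping[str, Optional[float]]) -> Action:
    """Map one session's signals at one journey step to a mitigation action."""
    step_up, verify, kill = THRESHOLDS[step]
    bot = signals.get("bot")
    if bot is not None and bot >= BOT_CUTOFF:
        return Action.KILL_SESSION  # bots and emulators are filtered out first
    score, coverage = risk_score(signals)
    if score >= kill:
        action = Action.KILL_SESSION
    elif score >= verify:
        action = Action.VERIFY_IDENTITY
    elif score >= step_up:
        action = Action.STEP_UP_MFA
    else:
        action = Action.ALLOW
    if coverage < MIN_COVERAGE:
        # Too few detectors reported: fail toward friction, not toward trust.
        action = max(action, Action.STEP_UP_MFA)
    return action


# Constructed session (not real data): same signals, different journey steps.
SESSION = {"bot": 0.10, "device": 0.60, "behavior": 0.50, "velocity": 0.20}
if __name__ == "__main__":
    for step in THRESHOLDS:
        print(step, decide(step, SESSION).name)
```

With the constructed session, login and viewing saved PII pass without friction while a profile change or payment triggers step-up MFA.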

Use Case: Large-Scale Wireless Carrier & Retailer Serving U.S. Government Agencies

A company offering wireless services and internet for users, businesses, and government agencies came to Ping looking for a solution that would improve security and make it easier for their authorized resellers and employees to conduct business.

Client Challenges:

Ping Solution — Fraud Detection (PingOne Protect):

Final Result:

Counter-Fraud Tools

As fraudsters advance their methods and fine-tune their approaches, fraud teams are racing to keep up. Manual review isn't enough anymore, so digital fraud management tools proliferate. These tools generally fall into one of several categories, broadly aligning to one or more of the steps of the fraud prevention process outlined above.

Payment Fraud Protection

Organizations will lose more from fraud as more services continue to shift to the online environment. Automated payment fraud protection tools can help improve fraud detection accuracy and decrease the need for workers to address issues manually. Payment fraud protection tools incorporate features such as risk rules, risk scoring, real-time monitoring, and velocity checking to detect and block fraudulent purchasing activity.

Bot Detection & Management

Many bots are designed to cause harm, but not all bots are bad. For example, Google uses good bots to index and rank web pages on Google search results. Bot detection and management tools aim to distinguish between good and bad bots and to determine which ones can access a website. This capability is critical: as important as it is to block bad bots, it is also important to allow good bots to ensure a website's visibility and relevance. Bot detection and management tools distinguish between human, good bot, and bad bot visitors and use machine learning and threat intelligence to detect fraudulent activity. These tools are effective in preventing bad bots from activities such as credit card fraud, inventory hoarding, and credential stuffing.

Behavioral Biometrics

As fraudsters become increasingly sophisticated, traditional security measures such as PINs are less effective. Behavioral biometrics are an increasingly popular tool to differentiate between humans and bots or between authorized and unauthorized human users. Whereas physical biometrics capture unchanging human features such as fingerprints, behavioral biometrics measure interactive human gestures. For example, the way we hold our phones, our scroll patterns, and our keystroke pressure and speed are micro-gestures that are unique to each of us. Digital tools are starting to use these biometric data to flag fraudulent activity when a specific user's behavior does not match their previous behavior on a website, or their behavior resembles that of a bot.

Device ID

Device identification focuses on devices rather than users. Information such as a device's type, IP address, local time zone, and browser language forms a "fingerprint" for the device and can help companies detect fraud. For example, if one specific device is linked to five different accounts attempting to make purchases on a website, device ID tools register potentially fraudulent activity. Some advantages of using device ID tools are that they do not require personal user data, and they can block returning fraudsters based on a device they tried to use previously.
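
The device-to-account check described above, as an added example that is not taken from this guide or from any vendor's product. The fingerprint construction, the one-hour window, the event tuple layout, and the sample events are assumptions; only the four attributes and the five-account case come from the text.

```python
# Added example: window size, event layout and sample data are assumptions.
import hashlib
from collections import defaultdict, deque

ACCOUNT_LIMIT = 5       # the "five different accounts" case from the text
WINDOW_SECONDS = 3600   # assumed look-back window


def fingerprint(device_type, ip, time_zone, language):
    """Hash the four attributes named in the text into one device identifier."""
    raw = "\x1f".join([device_type, ip, time_zone, language.lower()])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


def flag_shared_devices(events):
    """events: (timestamp, account, device_type, ip, time_zone, language),
    sorted by timestamp. Returns one (timestamp, fingerprint, accounts) alert
    the first time a device reaches ACCOUNT_LIMIT accounts inside the window."""
    recent = defaultdict(deque)   # fingerprint -> (timestamp, account) in window
    alerted, alerts = set(), []
    for ts, account, *attrs in events:
        fp = fingerprint(*attrs)
        seen = recent[fp]
        seen.append((ts, account))
        while ts - seen[0][0] > WINDOW_SECONDS:
            seen.popleft()        # drop activity older than the window
        accounts = sorted({a for _, a in seen})
        if len(accounts) >= ACCOUNT_LIMIT and fp not in alerted:
            alerted.add(fp)
            alerts.append((ts, fp, accounts))
    return alerts


# Constructed sample events (not real data); IPs are documentation ranges.
DEV_X = ("phone", "203.0.113.7", "America/Chicago", "en-US")
DEV_Y = ("desktop", "198.51.100.4", "America/Denver", "en-US")
DEV_Z = ("tablet", "192.0.2.9", "America/New_York", "es-US")
SAMPLE_EVENTS = sorted(
    [(i * 240, f"acct-{i}", *DEV_X) for i in range(5)]       # 5 accounts, 16 min
    + [(100, "acct-a", *DEV_Y), (5000, "acct-b", *DEV_Y)]    # 2 accounts
    + [(i * 2000, f"acct-z{i}", *DEV_Z) for i in range(5)]   # 5 accounts, slow
)

if __name__ == "__main__":
    for ts, fp, accounts in flag_shared_devices(SAMPLE_EVENTS):
        print(f"t={ts}s device={fp} accounts={accounts}")
```

A shared kiosk or library computer trips the same rule as a fraudster's device, so the result is better used as one risk signal for decisioning than as an automatic block.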

Identity Proofing & Affirmation Tools

In the past, online identity was confirmed with usernames, email addresses, and passwords. Now, these measures are insufficient. Depending on the nature of their services, organizations must use different identity proofing tools to ensure that a user's claimed identity matches their actual identity. One component of identity proofing tools is the rapid scanning of a user's historical transaction data gathered from public and private sources. This is known as knowledge-based authentication (KBA) and is often seen as an antiquated method that adds too much friction. More modern methods include evaluation of a user's physical features. Some organizations use manual checks, such as having a user present a passport or driver's license over their computer camera. Others use facial biometric tools, taking a picture of a user's face over their computer camera to verify their identity.

Payment Orchestration Tools

Organizations use payment orchestration tools to orchestrate a complex transaction process in one hub. These tools help prevent digital threats from penetrating different parts of the payment process. Payment orchestration platforms collect and share data that can help organizations add points of friction for potential fraudsters while offering a smooth transaction process for authorized users. Payment orchestration tools are particularly helpful for preventing transaction fraud.

Authorization Tools

After authenticating users, the organization can then give users different levels of access within its website. Authorization tools grant or deny users permission using settings and parameters set by security teams and using access tokens. Some tools focus only on authorization, while others combine authentication and authorization features. By using authorization tools, organizations establish an infrastructure that determines the access and permissions of both outside users and internal company members.

Dynamic authorization tools—also known as attribute-based access control (ABAC) or externalized authorization management (EAM)—go well beyond traditional authorization tools by giving organizations the ability to evaluate any data set and enforce policy-based decisions on which actions are allowed based on that data.

Fraud & Financial Crime Hubs

Fraud and financial crime hubs—sometimes called decisioning hubs—are used to simplify and automate the decisioning process. These are often authorization tools with some orchestration capabilities. The goal of these tools is to simplify fraud management by centralizing fraud logic and decisioning. The greatest benefit of these tools is their promise to greatly reduce the need for manual review.

The Role of Fraud & Risk Teams

With the increase in e-commerce and the accompanying increase in online fraud, it is harder for most companies to monitor and prevent fraud manually without the help of automated tools. However, some companies rely exclusively on human teams for fraud detection and prevention. This decision is often based on the idea that human workers can more accurately identify fraud and decrease the rate of false detection by examining each case individually. These workers use their company-specific knowledge to tailor the company's fraud-prevention approach to the unique company context.

Nonetheless, there are downsides to employing a team specifically for fraud prevention: it is costly for businesses; the demands posed on these teams may vary significantly between sales-peak and sales-dip periods; and humans may take longer than automated tools to detect and prevent fraud, thus frustrating users.

Most organizations tend to take an approach of partial automation, with fraud and risk teams performing some manual reviews but also focusing on broader fraud-prevention strategies based on data from automated tools.

The Additive Nature of Fraud Prevention

Because methods for fraud are so sophisticated and rapidly evolving, counter-fraud measures must constantly adapt. This can be frustrating for companies that devote substantial effort to deciding on, developing, and implementing a counter-fraud strategy. Instead of emphasizing the use of specific tools and technologies, a counter-fraud strategy should focus on general principles for counter-fraud measures, such as determining the financial and human resources to devote to counter-fraud. Additionally, companies should adopt new counter-fraud technologies to enhance – not replace – previous ones. Taking an additive approach to counter-fraud can both improve the effectiveness of these measures and optimize companies’ resource investment in cybersecurity.

A Note on Identity Teams

While fraud teams often operated in a silo in the past, this is beginning to change. With the advent of new technologies in fraud detection, identity proofing, and access management, identity teams can now work together with fraud teams to the benefit of the broader organization. As the focus of fraud prevention shifts from protecting the transaction to protecting the end-to-end user journey, integrating identity and fraud tools into seamless and secure user flows can help both teams meet their metrics.

Building a Case for Integration: Fraud Prevention & the Broader User Journey

The Cost of Poor UX

State and local governments aren’t competing for customers in the traditional sense, but experience still matters. When digital services are difficult to access, confusing, or overly burdensome, residents don’t just “convert” less—they turn to call centers, in-person visits, or delay engaging altogether. While citizens expect a certain level of security when accessing government services, excessive friction creates barriers to adoption and erodes trust. Inconsistent or frustrating experiences ultimately drive people toward less efficient channels, increasing operational costs and limiting the impact of digital initiatives.

Security vs. Seamlessness: Finding a Balance

Citizens and third parties value security, convenience, and privacy. There is no perfect formula that will work for every organization, but taking an integrated approach to fraud prevention and user identity can help strike the right balance. The trick is to evaluate user sessions for fraud continuously and introduce friction by initiating mitigation only when it’s needed.

Diagram showing a user authentication flow that filters and verifies access. A large group of users is first analyzed to identify bots and emulators, which are removed. Remaining users are assessed for risk: low-risk users are granted easy access, while suspicious users are challenged with additional verification steps, allowing legitimate users through and blocking high-risk actors.

Bringing the Right Tools Together

The user journey is at the center of everything your organization does, and fraud prevention plays an important part. Standalone fraud detection tools are not effective if the information they collect isn’t being incorporated into the broader user journey. Fraud and identity teams can and should work together to orchestrate journeys centered around trust.

Diagram illustrating how fraud detection and identity capabilities span a digital journey. The journey includes stages such as account opening, login, account activity, access to PII data, and payments or fund transfers. Across these stages, layered capabilities include bot mitigation, device identification and telemetry, behavioral biometrics, and transaction/event monitoring. Identity proofing tools are used at onboarding, while authentication tools apply throughout. All capabilities are connected through orchestration to deliver continuous, adaptive security across the entire user journey.

The Constant Evolution of the Counter-Fraud Strategy

Of course, even the model outlined above cannot remain static. Fraudsters are motivated, technically savvy, and endlessly inventive. New attack types emerge constantly, and fraud teams are usually left reacting to the changes in the fraud landscape. The whole landscape is so fast-moving that by the time an organization has defined, agreed on, and implemented its strategy, new threats may have emerged that make the strategy irrelevant.

An effective counter-fraud strategy must focus on higher-level principles rather than implementation details, helping the business make smarter decisions about the best approach to detecting, preventing, and managing fraud. Rather than committing to a specific set of tools and techniques, a well-defined counter-fraud strategy can outline the general principles for adopting, maintaining, and reinforcing counter-fraud measures through technology. A key point here is that this is an arms race; as fraudsters come up with new exploits, researchers and software companies develop new countermeasures. A pragmatic counter-fraud strategy will emphasize the need to stay up to date through continuous investment in both new technologies and people with the skills to apply them. Fraudsters aren’t sitting still, so fraud teams can’t afford to rest on their laurels, either. Your fraud prevention strategy will require constant review and regular updates to ensure you and your users remain protected.

However, with the right tools in your toolbox, you’ll have the agility to keep up with the fast-moving fraud landscape.

  1. https://sift.com/index-reports-ai-fraud-q2-2025/
  2. https://securitytoday.com/articles/2023/05/17/report-47-percent-of-internet-traffic-is-from-bots.aspx#:~:text=Imperva%20Inc.,increase%20ov