Agencies
Service Features
myHawaii is an identity platform designed to provide a modernized login experience for your customers and services. Below is a list of authentication features that help secure access to your critical, citizen-facing services:
- Password Protection: Enforces industry-standard encryption and complexity requirements for secure local account passwords.
- Multi-Factor Authentication: Supports OTP via text message or voice call, TOTP authenticator apps, and passkeys (biometrics or security keys).
- Email Verification: Confirms the user's ownership of their email address to prevent fraudulent account creation.
- Sign-in with Google: Allows users to sign in with their existing Google credentials for added convenience.
- Self-Service Password Management: Enables users to change their passwords using registered MFA methods.
- Profile Management: Allows users to update all relevant myHawaii account details in one place.
- Fraud Protection: Evaluates real-time sign-in risks to enhance account security.
Roadmap
myHawaii will continue to evolve to better serve our citizens and connected services. Below is a general roadmap outlining potential enhancements for your services on this platform. While priorities may shift over time, this reflects our current direction for the future.
- Publish an onboarding workflow for agencies, departments, and counties to streamline new application integration.
- Enhance single sign-on support, allowing more users to access services with their existing identities.
- Continuously improve fraud protection measures across the platform.
- Enhance support for Identity Verification services.
- Improve the user account and profile experience.
- Enable support for WebAuthn authentication methods.
- Implement contextual and device-based authentication.
- Integrate authentication with mobile applications.
- Expand support for Digital Identity solutions.
- Create a unified Single Government Portal experience.
Security and Compliance
The myHawaii platform aligns with the security and privacy standards outlined in NIST 800-53, ensuring robust protection through the control families listed under Security Controls and Privacy Controls below.
Security Certifications & Compliance
The myHawaii platform meets industry-recognized security and privacy standards to ensure data protection and compliance with global regulations.
- ISO 27017 – Cloud security best practices
  - Applied to: myHawaii IAM Services
- ISO 27018 – Protection of personal data in the cloud
  - Applied to: myHawaii IAM Services
- ISO 27001:2013 – Information security management system (ISMS)
  - Applied to: myHawaii IAM Services, myHawaii Threat Protection Services
- AICPA SOC – Security, availability, and confidentiality controls
  - Applied to: myHawaii IAM Services, myHawaii Threat Protection Services
- CSA STAR (Cloud Security Alliance Security, Trust, and Assurance Registry)
  - Level 1 Certification: myHawaii Threat Protection Services
  - Level 2 Certification: myHawaii IAM Services
Digital Identity Standards
The myHawaii platform aligns with NIST SP 800-63B Digital Identity Guidelines, supporting both IAL1 and AAL2:
- NIST IAL1 (Identity Assurance Level 1)
  - IAL1 provides a secure and convenient way for users to access digital services using basic account credentials. It allows sign-in with a username and password, without requiring official document-based identity verification.
- NIST AAL2 (Authentication Assurance Level 2)
  - AAL2 requires multi-factor authentication (MFA) to confirm user identity. Users must authenticate with two or more methods—such as a passkey, biometric, or one-time code—offering stronger protection than password-only access.
  - Passkeys and authenticator apps meet AAL2 requirements. Text message and voice call OTP are available for convenience but do not meet NIST AAL2 standards and should only be used for lower-assurance scenarios.
Security Controls
- Access Control (AC): Fine-grained access control, information sharing, session management, least privilege, account management, access enforcement, control policy management, access control for mobile devices, RBAC, ABAC, PBAC, account lockout, and more.
- Audit and Accountability (AU): Common Audit Framework, tamper evidence, encryption, and audited consent (integrated with Privacy Controls).
- Identification and Authentication (IA): Identification and authentication services for users, services, and devices, supporting single-factor, multi-factor, and adaptive risk-based authentication, along with authentication policy management.
- Physical and Environmental Protection (PE): IoT and sensor identification, authentication, and authorization using HTTP and industrial protocols, enabling unified credential, authentication, and authorization services for both Logical Access Control (LACS) and Physical Access Control (PACS).
- System and Communications Protection (SC): Secure endpoint protection, security token management, encryption, transmission confidentiality and integrity, PKI, and protection of information at rest and in transit.
Privacy Controls
- Authority and Purpose (AP), Individual Participation (IP), and Use Limitation (UL): User-driven constrained consent, and the ability to revoke consent for shared information.
- Accountability, Audit, and Risk Management (AR): Common Audit Framework.
- Data Minimization and Retention (DM): Encryption of Personally Identifiable Information (PII).
By implementing these security and privacy measures, the myHawaii platform ensures compliance with industry standards while providing a secure and user-centric authentication experience.
For more information, agencies can reach out to their IT Coordinators.