NYDFS AI generated MFA topic

NYDFS Requirements for MFA: An Overview

The New York State Department of Financial Services (NYDFS) has instituted stringent requirements for multi-factor authentication (MFA) under its Cybersecurity Regulation (23 NYCRR Part 500). These regulations are designed to bolster the security of financial services firms operating within New York, in alignment with guidelines from the National Institute of Standards and Technology (NIST). The aim is to provide a solid framework for implementing MFA to guard against unauthorized access, ensure regulatory compliance, and keep up with evolving cybersecurity threats.

NYDFS MFA Requirements

Under the NYDFS Cybersecurity Regulation, MFA is mandated for:

  1. Any individual accessing a covered entity's internal networks from an external network [1].
  2. Remote access to third-party applications, including cloud-based apps containing nonpublic information [2].
  3. All privileged accounts, except service accounts that prohibit interactive login [3].

Starting November 1, 2025, MFA will be required for any individual accessing a covered entity's information systems, irrespective of location, user type, or the nature of the information, unless equivalent controls are approved in writing by the CISO [4]. Non-compliance can lead to significant fines, exemplified by the $3 million penalty imposed on a life insurance company for failing to implement MFA on email applications [5].

NYDFS and NIST Overlaps

There are several key overlaps between NYDFS and NIST guidelines:

  • Both require MFA for remote access to internal systems and emphasize safeguarding sensitive information from unauthorized access [6].
  • Both advocate phishing-resistant MFA methods, such as cryptographic authenticators like PIV/CAC cards and FIDO2/WebAuthn, and discourage vulnerable methods like SMS/PSTN-based authentication [7].
  • NIST provides comprehensive implementation steps, including reviewing current systems, selecting appropriate authenticators, considering single sign-on solutions, and managing access. These steps align with NYDFS recommendations for validating MFA effectiveness through penetration tests, audits, and vulnerability scans [8].
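As an added example (not from the article or any of the vendors it cites), the Python below turns the MFA triggers listed under "NYDFS MFA Requirements", the November 1, 2025 universal rule with its CISO exception, and the SMS/PSTN caution above into a checker that can be run over access events. The event fields, the sample records and the simplification that every event is an individual's login are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

# Factor labels are this example's own; SMS/PSTN are the methods the guidance above discourages.
WEAK_FACTORS = {"sms", "pstn"}
UNIVERSAL_MFA_DATE = date(2025, 11, 1)   # from this date MFA applies to all access

@dataclass
class AccessEvent:
    user: str
    when: date
    external_origin: bool          # internal network reached from an external network (rule 1)
    third_party_app: bool          # remote access to a third-party/cloud app with nonpublic info (rule 2)
    privileged: bool               # privileged account (rule 3)
    service_account: bool = False
    interactive_login: bool = True
    mfa_method: Optional[str] = None         # None when only a single factor was presented
    ciso_approved_equivalent: bool = False   # written CISO approval of equivalent controls

def mfa_required(e: AccessEvent) -> bool:
    """True when the rules summarised on this page require MFA for the event."""
    # Rule 3 carves out service accounts that prohibit interactive login.
    privileged_rule = e.privileged and not (e.service_account and not e.interactive_login)
    if e.external_origin or e.third_party_app or privileged_rule:
        return True
    # From 1 Nov 2025 every access needs MFA unless the CISO approved equivalent controls in writing.
    return e.when >= UNIVERSAL_MFA_DATE and not e.ciso_approved_equivalent

def audit(events: Iterable[AccessEvent]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for events that lack required MFA or use a discouraged factor."""
    findings = []
    for e in events:
        if e.mfa_method is None and mfa_required(e):
            findings.append((e.user, "MFA required but absent"))
        elif e.mfa_method in WEAK_FACTORS:
            findings.append((e.user, f"discouraged factor {e.mfa_method}; prefer phishing-resistant"))
    return findings

# Constructed sample events for illustration (not real log data).
SAMPLE_EVENTS = [
    AccessEvent("alice", date(2025, 3, 10), True, False, False),                    # VPN, password only
    AccessEvent("bob", date(2025, 3, 10), False, False, False),                     # on-site, before Nov 2025
    AccessEvent("svc-backup", date(2025, 3, 10), False, False, True, True, False),  # non-interactive service acct
    AccessEvent("carol", date(2025, 12, 1), False, False, False),                   # on-site, after Nov 2025
    AccessEvent("dave", date(2025, 12, 1), False, False, False, ciso_approved_equivalent=True),
    AccessEvent("erin", date(2025, 3, 10), True, False, False, mfa_method="sms"),
    AccessEvent("frank", date(2025, 3, 10), False, True, False, mfa_method="fido2"),
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_EVENTS):
        print(f"{user}: {finding}")
```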

MFA Implementation Plan

Implementing MFA within an enterprise environment involves several crucial steps:

  1. Secure Management Buy-In: Educate leadership on the value of MFA and secure executive support for the initiative [9].
  2. Choose a Phishing-Resistant Solution: Select an MFA solution that integrates seamlessly with existing systems and offers adaptive, contextual authentication [10].
  3. Plan a Phased Deployment: Start with a pilot program and gradually expand to other user groups while ensuring compliance with NYDFS and NIST regulations [11].
  4. User Education and Training: Implement a communication plan, conduct training sessions, and collect continuous feedback to enhance the implementation and user experience [12].
  5. Monitor and Maintain the MFA System: Ensure continuous monitoring, conduct regular audits, and develop incident response plans to stay abreast of evolving security threats and technological advancements [13].

Recommended MFA Solutions

When selecting an MFA solution, organizations should prioritize those offering phishing-resistant authentication methods, such as FIDO2 security keys, smart cards, or biometric authentication. Top enterprise MFA solutions include:

  • Silverfort: Enables MFA for all access scenarios, including legacy systems and IT infrastructure [14].
  • Okta Adaptive MFA: Provides contextual and adaptive authentication [15].
  • Duo Security: Offers a range of secure MFA options [16].
  • Microsoft Azure AD MFA: Seamlessly integrates with Microsoft's cloud services [17].

These solutions help organizations comply with NYDFS and NIST guidelines by ensuring comprehensive MFA coverage, reducing reliance on vulnerable methods like SMS, and balancing security with usability through adaptive authentication policies.

Footnotes

  1. Beyond Identity
  2. DFS NY.gov
  3. DFS NY.gov
  4. Beyond Identity
  5. Govt. Westlaw
  6. Beyond Identity
  7. Govt. Westlaw
  8. Blog Hypr
  9. Beyond Identity
  10. Govt. Westlaw
  11. Blog Hypr
  12. Beyond Identity
  13. Govt. Westlaw
  14. Blog Hypr
  15. Beyond Identity
  16. Govt. Westlaw
  17. Blog Hypr

Helga Rivera

Insurance Professional

4 months

Great article, James! The NYDFS requirements for AI-generated MFA are crucial in ensuring the security of financial services firms. Implementing multi-factor authentication is an effective way to protect against unauthorized access and comply with regulatory guidelines. It's important for organizations to prioritize phishing-resistant MFA methods and choose solutions that integrate seamlessly with existing systems. This article provides valuable insights on the NYDFS guidelines and recommended MFA solutions.
