Skip to main content
aktuelle Themen
Featured Insights
alle Beratungsfelder anzeigen
alle Industrien anzeigen
About Us Overview
  • Home
  • Insights
  • NYDFS Releases and Revises Comprehensive Multi-Factor Authentication FAQs
Februar 25. 2026

NYDFS Releases and Revises Comprehensive Multi-Factor Authentication FAQs

Authors:
Generate PDF
Share

The New York Department of Financial Services (“NYDFS”) recently updated its Frequently Asked Questions to add several detailed new FAQs on the expanded multi-factor authentication (“MFA”) rule. As of November 1, 2025, NYDFS’s Cybersecurity Regulation, 23 NYCRR Part 500 (“Part 500”), requires MFA for all user access to all information systems. These new FAQs provide a level of detail that is unusual for NYDFS and underscores the Department’s focus on MFA as a critical cybersecurity control.

The new FAQs have already been revised, underscoring NYDFS’s continued focus on MFA. NYDFS initially published FAQs 18-23 on December 10, 2025, shortly after the expanded MFA requirements became effective. The Department subsequently amended two of the FAQ responses in early 2026, signaling that NYDFS continues to refine its interpretive guidance in response to industry questions and concerns. Covered entities should monitor the NYDFS FAQ page for further updates.

Each of the new FAQs is detailed below.

Background

In 2023, NYDFS amended its cybersecurity regulation, including significantly expanding its MFA requirement. The original rule required MFA for remote access. The amended rule, which went into effect November 1, 2025, requires MFA for all user access to all information systems. MFA is required regardless of location, type of user, or type of electronic information contained on the information system being accessed—a near universal MFA requirement. The amended rule retained the ability to use CISO-approved compensating controls instead of MFA.
NYDFS has emphasized that MFA is a critical cybersecurity controls and a high priority for supervision and enforcement. And MFA violations have been one of the most common charges in NYDFS cyber enforcement actions.

FAQ 18: What Qualifies as MFA Under Section 500.12?

NYDFS definition tracks the standard definition. MFA is two or more different types of verification from distinct categories: (1) knowledge (something you know); (2) possession (something you have); or (3) inherence (something you are). Using two or more factors from the same category does not qualify.

The Department stated that for a device to qualify as “something you have,” it must use cryptographic proof of possession; and that device recognition, policy-based controls, and software-stored certificates do not qualify because they can be copied or bypassed.

FAQ 19: What Does Not Qualify as MFA Under Section 500.12?

NYDFS notes that there are two categories of authentication that do qualify as MFA, specifically methods that (1) rely on a single factor; and (2) are not securely designed to verify a user’s true possession of a device or credential. Authentication methods that do not qualify as MFA include password-only authentication, browser cookies, and single sign-on (“SSO”) without MFA enforcement. Some policy-based mechanisms can serve as an MFA factor if the show cryptograph proof of possession and have certificates that cannot be exported.

The FAQ also identifies authentication methods that can be combined with other security controls to form a compensating control under 500.12(b). This includes 1) device identifiers without cryptographic proof of possession; 2) software-based certificates that are not cryptographically bound; and 3) device or credential-based mechanisms that rely on conditional, software store trust. 

The above is a revised answer from December FAQ. The original version stated more broadly that “policy-based mechanisms that do not confirm identity” do not qualify as MFA. The original also did not identify controls that could be combined with others to form compensating controls.

FAQ 20: What are the Risks Associated with Using a Push-Based Application as an Authentication Factor for MFA?

While NYDFS permits push-based applications as an MFA factor, it does cautions that it can be a weaker form of authentication. The FAQ states that these applications should be deployed with appropriate safeguards. Push-based application risks include MFA fatigue, where users may approve fraudulent login attempts by accident or to stop repeated notifications, and susceptibility to phishing. To mitigate these risks, the Department states that covered entities should enable number matching or challenge-response verification, display contextual login details such as location and IP address, and limit the number of push retries while enforcing adaptive MFA for suspicious activity.

FAQ 21: Can I Use MFA Through SSO Services?

The FAQ endorses the use of SSO that enforces MFA as compliant. While SSO alone does not meet the requirements; MFA must be enforced in connection with the user’s login to the SSO system But MFA is not required each time the SSO system shares the authentication token to downstream applications. NYDFS expects MFA enforcement to be centrally managed, apply consistently to all federated systems, and not be bypassed by legacy logins or direct application access.

FAQ 22: Do Cloud-Based Email, Document Hosting, and Related Services Require the Use of MFA Pursuant to Section 500.12?

Yes. Even when a covered entity uses a third party, those systems are still considered part of the covered entity’s information systems if they store, process, or transmit the covered entity’s nonpublic information. This FAQ reinforces NYDFS’s longstanding position that a lack of MFA for cloud-based services, such as O365 or G-Suite, has been a common problem leading to cyber incidents.

FAQ 23: Do Covered Entities that Do Not Qualify for an Exemption Need to Implement MFA for External-Facing Information Systems, Including Public Websites and Applications?

MFA is generally not required for public websites, but is required where the system allows access to other information systems or poses a material cybersecurity risk. The Department recommends covered entities document these determinations and ensure any decision not to implement MFA does not conflict with other Part 500 requirements.

The above is a revised answer from the initial posting of the FAQ. The original, longer FAQ listed criteria that a CISO should consider before determining that MFA is not required for public websites. The revised FAQ flips this approach, and instead lists circumstances where a public website might require MFA.

Takeaways

These FAQs signal that NYDFS is taking an increasingly granular approach to MFA compliance and expects covered entities to do the same. Given the Department’s history of enforcement in this area, covered entities should continue to monitor these developments closely.

NYDFS will host a webinar, DFS Presents - Let’s Talk MFA, on Thursday, February 26, 2026, from noon to 1 p.m. (Eastern) to discuss MFA requirements under Part 500.

Autoren

verwandte Beratungsfelder und Industrien

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe

Follow us

© 2026 Mayer Brown. All Rights Reserved

 

 

Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong LLC (“PKW”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong Pte. Ltd. More information about the individual Mayer Brown Practices and PKW can be found in the Legal Notices section of our website.

“Mayer Brown” and the Mayer Brown logo are the trademarks of Mayer Brown.

Attorney Advertising. Prior results do not guarantee a similar outcome.