New York publishes FAQs on enhanced multi-factor authentication rules

Are your systems secure?

The New York State Department of Financial Services recently published additional Frequently Asked Questions addressing compliance and providing clarity regarding the enhanced multi-factor authentication requirements in the Amended Cybersecurity Regulation. The enhanced requirements took effect in November for all entities subject to NYDFS regulation.

Covered Entities still struggling to implement a sound multi-factor authentication program may find the additional FAQs helpful in ensuring that their cybersecurity programs are compliant and their systems are secure.

The FAQs are available here (scroll down to Section 500.12, FAQs 18-23). The following is a summary:

FAQs 18-19

Multi-factor authentication, better known as MFA, means the use of two or more types of verification to confirm a user’s identity before granting access to an information system. The New York regulation does not mandate the use of any specific type of MFA. However, it must consist of at least two of these three “KPI” factors: Knowledge, Possession, or Inherence.

  • Knowledge is something one knows, like a password or personal identification number.
  • Possession is something one has, such as a physical key, a mobile authenticator app (like Duo or Microsoft Authenticator), or a smart card. A smart card is a physical card with an integrated chip that securely stores and processes data and can be used for authentication purposes.
  • Inherence means something unique to the person, such as a fingerprint or facial recognition.

Examples of compliant MFA combinations include a PIN (Knowledge) with a mobile authenticator (Possession), or a physical key (Possession) with a fingerprint (Inherence). However, compliance officers should be wary of treating “auto-fill” and the like as “something one has.” Mere storage of information without cryptographic proof of possession, or device recognition that is policy-based or relies on software-stored certificates, does not qualify as Possession because these measures can be bypassed with ease.

FAQ 20

With the permissibility of push-based applications comes a risk of “MFA fatigue.” Push-based applications send automatic updates or notifications to a user’s device to keep the user informed and engaged. MFA fatigue is a social engineering cyberattack strategy that involves repeatedly pushing MFA requests to a victim’s email, phone, or registered devices. The goal is to coerce the victim into approving one of the requests. Thus, MFA fatigue succeeds when a user accidentally approves an MFA prompt, leaving the network vulnerable to cyberattacks.

FAQ 20 suggests that Covered Entities enable number matching (where the user inputs the number displayed on the login screen to authenticate) or challenge-response verification (where the user must provide the answer to a question as part of the authentication process); display contextual login details (such as the location of the access attempt); or limit the number of push retries and enforce adaptive MFA for suspicious activity. Adaptive MFA evaluates the context of each login attempt, meaning that each attempt is assessed against user behavior, historical login patterns, device status and registration, or geolocation and IP address. Unfortunately, adaptive MFA, where adopted, would incorporate the use of Artificial Intelligence into private systems, which could create its own set of concerns for Covered Entities.
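To make FAQ 20’s controls concrete, the following is an added example (not code from the FAQs or from the firm’s post) of a push-MFA verifier that enforces number matching, attaches contextual login details to each prompt, and caps pushes per user per time window, flagging the user for adaptive step-up when the cap is hit. The threshold values, the user names and the context strings are assumed for illustration.

```python
import secrets
import time

# Assumed policy values for illustration; the NYDFS FAQs set no specific numbers.
MAX_PUSHES_PER_WINDOW = 3
WINDOW_SECONDS = 300


class PushAuthenticator:
    """Push MFA with number matching and per-user push rate limiting."""

    def __init__(self, number_source=lambda: secrets.randbelow(100)):
        self.number_source = number_source   # injectable so tests are deterministic
        self.push_log = {}      # user -> timestamps of pushes sent recently
        self.pending = {}       # user -> (number shown on login screen, context)
        self.suspicious = set() # users hitting the push cap: route to adaptive MFA

    def request_push(self, user, context, now=None):
        """Send a push with login context; returns None when the push cap is hit."""
        now = time.time() if now is None else now
        recent = [t for t in self.push_log.get(user, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_PUSHES_PER_WINDOW:
            # A burst of prompts is the MFA-fatigue pattern: stop pushing,
            # drop any open challenge and flag the user for step-up review.
            self.suspicious.add(user)
            self.pending.pop(user, None)
            return None
        self.push_log[user] = recent + [now]
        number = self.number_source()          # two-digit value shown on the login screen only
        self.pending[user] = (number, context)
        return number, context                 # the device shows context and asks for the number

    def approve(self, user, entered_number):
        """Approve only when the user types the number displayed on the login screen.

        A user who merely taps 'approve' (or guesses) on an unexpected prompt
        cannot satisfy this, which is what defeats a fatigue attack.
        """
        if user in self.suspicious or user not in self.pending:
            return False
        expected, _context = self.pending.pop(user)
        return secrets.compare_digest(str(expected).zfill(2), str(entered_number).zfill(2))
```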

FAQ 21

Single Sign-On services can also create concerns. SSO expands access by allowing users to reach multiple systems with only one set of credentials. These services are popular because they are convenient, providing a streamlined user experience. Nevertheless, SSO in isolation does not meet the regulatory requirements. Multi-factor authentication must be enforced in conjunction with the user’s login to the SSO system.

However, the regulation does not require individuals to use MFA each time the SSO system shares the authentication token with the systems and applications included in its coverage. The expectation is that MFA enforcement is centrally managed, applies equally to all systems, and cannot be bypassed by legacy logins or connections that circumvent SSO controls.

FAQ 22

Email and document hosting platforms are included in this FAQ. Cloud service providers are a part of Information Systems if they store, process, or transmit non-public, private information. Cloud-based email and other document hosting platforms must use MFA or a reasonably equivalent or more secure control if approved by a Chief Information Security Officer. CISO approval must be provided in writing and reviewed annually.

FAQ 23

This FAQ addresses MFA requirements for external-facing systems for Covered Entities. Generally, external-facing systems do not require MFA. However, MFA may become required if the information systems allow unauthenticated access to the entity’s additional systems or if the information system otherwise poses a material cybersecurity risk to the entity, its customers, other information systems, or non-public Information. It is up to the entity to document these potential risks and exercise “best judgment.” Ultimately, the CISO must ensure that these risks do not conflict with other requirements under the regulation.

Conclusion

Multi-factor authentication remains one of the most widely recommended methods of securing an entity’s information systems. It can significantly reduce, although not eliminate, the risk of unauthorized access to a network. Covered Entities should review the new FAQs in their entirety and ensure that their systems are in compliance.

The Constangy Cybersecurity & Data Privacy Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.

  • Lauren Godfrey, Partner

    Lauren guides clients through data security incidents, leading initial assessments and coordinating forensic and remediation efforts to contain, investigate, and resolve issues. She helps clients develop privacy, incident ...

  • Sydney, Associate Attorney

    With a background in data privacy, intellectual property, and regulatory compliance, Sydney brings a thoughtful, practical approach to managing sensitive matters in fast-paced environments.

    Before joining Constangy, Sydney ...
