The Growing Need to Adopt Properly Implemented Multi-Factor Authentication to Accomplish Reasonable Data Security

MFA is a security control that requires system users to present a combination of two or more types of authenticators to verify their identity. The different types of authenticators are: (1) something the user knows (e.g., a password), (2) something the user has (e.g., a cell phone or hardware key), and (3) something the user is (e.g., the user’s biometrics).

Government enforcement agencies increasingly are focusing on MFA as one of the most important controls to protect information systems storing personal information. For example, the Federal Trade Commission (FTC) recently adopted regulations that require certain companies to utilize MFA with limited exceptions. The FTC’s updated Gramm-Leach-Bliley Safeguards Rule, which goes into effect in June, requires covered financial institutions to institute MFA both when external users, such as customers, and internal users, such as employees, access a system containing customer information. Moreover, the New York Department of Financial Services (NYDFS) has required MFA for financial services companies under its jurisdiction since 2017. Proposed amendments to its Cybersecurity Rule would require MFA for: (a) remote access to the covered entity’s information systems, (b) remote access to third-party applications, including those that are cloud based, from which nonpublic information is available, and (c) all privileged accounts. NYDFS’s proposed rule updates follow guidance on MFA that it issued in December 2021 characterizing MFA as “the most common cybersecurity gap exploited at financial services companies.”

In recent months, however, the FTC seems to be attempting to expand MFA requirements. First, two recent FTC consent orders involving entities that were not financial institutions have required MFA as part of a comprehensive information security program. Particularly, the FTC’s orders with Drizly and Chegg announced in October require MFA:

  • for all employees, contractors, and affiliates in order to access any assets (including databases) storing information from or about an individual consumer, including name, address, email, date of birth, or geolocation information sufficient to identify street and city name; and
  • for consumer users, requiring that any information collected from consumers at the time they select to use MFA only be used for authentication purposes.

Notably, the scope of consumer information that must be protected by MFA under the consent orders (with limited exceptions) is broader than the scope covered by the Safeguards Rule.

Second, although the FTC’s Safeguards Rule does not expressly require any specific form of MFA, the recent FTC settlements took aim at telephone and SMS-based MFA methods. Specifically, the Drizly and Chegg consent orders required that the MFA implemented for the companies’ employees, contractors and affiliates not include telephone or SMS-based authentication methods and be resistant to phishing attacks.

The FTC is not the only agency amplifying its messages about MFA. Additional agency activity suggests that companies should carefully consider whether MFA relying on one-time passwords or SMS multifactor authentication, which works by sending a code to a user’s phone or email, provides adequate protection. For example, NYDFS’s guidance suggested that text message-based MFA is vulnerable to scams like SIM-swapping, which occurs when a scammer steals a victim’s phone number by switching the number from the victim’s device to a device controlled by a scammer – potentially allowing the scammer to steal MFA codes sent to the victim’s phone number. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance in October entitled “Implementing Phishing-Resistant MFA.” In its guidance, CISA asserted that some forms of MFA are vulnerable to phishing, “push bombing” attacks (in which scammers bombard a user with push notifications until the user presses the “Accept” button) and/or the SIM Swap attacks described above. Particularly, CISA discouraged the use of SMS or voice MFA, stating that “[t]his form of MFA should only be used as a last resort MFA option,” adding that “it can serve as a temporary solution while organizations transition to a stronger MFA implementation.” While expressing that “any form of MFA is better than no MFA and will reduce an organization’s attack surface,” CISA declared that “phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort.”

So what is the “phishing-resistant MFA” that the agencies are advancing, particularly for internal use? In its guidance, CISA stated that the “only widely available phishing-resistant authentication is FIDO/WebAuthn authentication.” The FIDO Alliance originally developed the WebAuthn protocol as part of the FIDO2 standards, and the World Wide Web Consortium now publishes it. Properly implementing FIDO/WebAuthn is beyond the scope of this post, but WebAuthn support is included in major browsers, operating systems, and smartphones. WebAuthn works with the related FIDO2 standard to provide a phishing-resistant authenticator, which can be either:

  • Separate physical tokens (called “roaming” authenticators) connected to a device via USB or near-field communication (NFC), or
  • Embedded into laptops or mobile devices as “platform” authenticators.

In addition to being “something that you have,” FIDO authentication can incorporate various other types of factors, such as biometrics or PIN codes. FIDO2-compliant tokens also are available from a variety of vendors. CISA also stated that the use of public key infrastructure (PKI)-based authentication, in which a user’s credentials are contained in a security chip on a smart card, may be a viable technology for more complex and mature organizations. Although the FTC has not provided detailed guidance on the MFA options that it considers phishing resistant, there are other stronger MFA solutions worth considering.

In addition to favoring “phishing resistant” MFA methods, enforcement agencies have identified other MFA implementation best practices and common problems to avoid. For example, in its guidance, the NYDFS noted that companies have had certain prevalent issues in executing MFA, including:

  • Gaps in MFA coverage arising when entities use outmoded applications and systems that do not support MFA;
  • Scenarios in which entities that have deployed an MFA solution still have email or other applications that can be accessed without going through the VPN;
  • Situations in which entities do not require third parties to use MFA when accessing an entity’s system containing nonpublic information; or
  • Situations in which entities grant too many exceptions to their MFA policy.

The FTC’s recent settlements and other agency guidance seem to be squarely aimed at amplifying MFA as an authentication control necessary for companies to reasonably secure information systems that possess personal information. As more companies implement MFA, failing to adopt the control may fall out of step with the industry standard of care, so now is likely the time to consider a thoughtful implementation of MFA.