Why NYDFS Compliance is Critical for Financial Institutions
Many financial institutions must comply with impending New York Department of Financial Services (NYDFS) regulations for protecting customer data or face fines for noncompliance. The mandate calls for the use of highly effective multi-factor authentication (MFA) to protect worker identity, but translating the guidelines into a clear plan of action takes some work.
Nor does satisfying NYDFS mandates necessarily mean you’ll be compliant with Federal requirements for risk-based, high-assurance MFA, such as the NIST 800-63 and 800-171 standards that call for phishing resistance. To help tease out a clear strategy, this post will quickly overview what each rule means in practice and how you can devise a strategy that satisfies these and other changing rules and regulations right now – before the NYDFS rules take effect – and into the future.
What you will learn:
- What are the NYDFS MFA requirements
- Why phishing-resistant MFA is the only MFA that can meet NYDFS security objectives
- How Octopus extends phishing-resistant MFA to meet the NYDFS requirement of MFA for “any individual accessing any information system”
What is NYDFS 23 NYCRR Part 500?
NYDFS is the state entity responsible for regulating banks, insurance companies, mortgage lenders, and other financial services providers. The NYCRR Part 500 is a set of regulations from the NYDFS that establish comprehensive cybersecurity requirements for covered financial institutions doing business in the state. NYCRR 500 was first issued in March 2017 and is designed to protect New York’s financial services industry and its consumers against cyberattacks and data breaches.
In 2023, NYDFS announced significant amendments to the regulation (23 NYCRR 500), including heightened requirements for MFA implementation with a compliance timeline for November 2025.
Understanding NYDFS MFA Requirements
NYDFS 23 NYCRR Part 500 sets a high bar for multi-factor authentication (MFA) coverage and security effectiveness to safeguard customer data and ensure financial stability for the state of New York. The exact language of section 500.12 reads as follows:
Key Takeaways from Section 500.12 Multi-Factor Authentication
(a) Multi-factor authentication shall be utilized for any individual accessing any information systems of a covered entity, unless the covered entity qualifies for a limited exemption pursuant to section 500.19(a) of this Part in which case multi-factor authentication shall be utilized for:
- remote access to the covered entity’s information systems;
- remote access to third-party applications, including but not limited to those that are cloud based, from which non-public information is accessible; and
- all privileged accounts other than service accounts that prohibit interactive login.
Translation:
MFA is required for everyone accessing everything (if you are a big company). Even if your company qualifies for exemptions listed in section 19 (e.g., small company), you still must implement MFA for these targeted accesses:
- Every remote access to company systems
- Third-party cloud apps that hold controlled data
- All admin access to all systems
Does Your MFA Meet NYDFS Requirements?
As we said earlier, NYCRR Part 500 calls for MFA but doesn’t give detailed guidance on exactly how to implement a solution. However, NYDFS states in the second paragraph of the section that the controls must incorporate “relevant risks and keep pace with technological advances.”
Then, in the document Guidance on Multi-Factor Authentication, NYDFS expands on the challenges covered entities should consider given the fact that “Not all Forms of MFA are Equal.”
Does MFA need to be phishing-resistant?
Phishing-resistant MFA is the gold standard for high-assurance MFA. Because of the risks and the scale of impacts these financial institutions face, only phishing-resistant MFA can satisfy the mandate’s security objectives. While the NYDFS guidance document was written before “phishing-resistant MFA” was first called for by the US Presidential Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” the NYDFS MFA guide clearly aligns with phishing resistance objectives:
| | Phishing-resistant MFA | Traditional MFA |
| --- | --- | --- |
| Impersonation resistant | ✓ | ❌ |
| Replay resistant | ✓ | ❌ |
| Social engineering resistant | ✓ | ❌ |
| Man-in-the-middle resistant | ✓ | ❌ |
| Lost/theft reuse resistant | ✓ | ❌ |
Challenges in Implementing Phishing-Resistant MFA
Most phishing-resistant technologies, including those based on FIDO standards, only work with modern SaaS apps. Although financial institutions utilize SaaS for office worker productivity and HR management tools, essential remote network services and backend operations that access the most sensitive data don’t work with FIDO so easily.
Octopus passwordless authentication changes the game by extending phishing-resistant MFA methods to everything in the enterprise, including password-based apps and network services, out of the box. Because Octopus is compatible with existing password-based infrastructure, it fulfills 23 NYCRR 500’s stringent MFA requirements quickly without requiring a redesign.
Ensuring Your MFA Meets Compliance Standards
NIST 800-63, Digital Identity Guidelines, is the best source for categorizing different types of MFA and explaining at what risk levels each type of MFA should be used. In this NIST guide, three authentication assurance levels (AAL) are defined based on a risk analysis of six impact categories, each scored as low, medium, or high impact in the event of an authentication failure.
| Impact category | Low | Med | High |
| --- | --- | --- | --- |
| Reputation | ✔ | | |
| Financial loss | ✔ | | |
| Public interest | ✔ | | |
| Data loss | ✔ | | |
| Safety | ✔ | ✔ | |
| Criminal violation | ✔ | | |
The NIST guide states that if any of the six categories is rated as ‘high impact’, or if ‘safety’ is rated as medium, AAL3 authenticators are required.
| | AAL1 | AAL2 | AAL3 |
| --- | --- | --- | --- |
| Impact rating | None or Low | Medium | High |
| Authenticator type required | Password, SMS/email OTP | Mobile push MFA, OTP hardware token | Phishing-resistant MFA |
For NYDFS-regulated entities, five of the six categories (minus safety) play a significant role in determining which level of AAL compliance businesses must implement.
How NIST 800-63 Relates to NYDFS MFA
Although the NIST 800-63 was written for US government entities, it carries over to regulated critical infrastructure industries, including financial sectors, through NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
This NIST guide creates the gold standard for industry best practices worldwide.
Octopus extends phishing-resistant MFA to everything in the enterprise
FIDO is great because it’s phishing-resistant, affordable, and simple to use. But FIDO doesn’t go everywhere, at least not on its own. FIDO, by itself, only works with modern web apps, as the name of its defining protocol, WebAuthn, implies.
For financial enterprises, FIDO can be more easily adopted for logging into Windows machines, Microsoft Entra, and other vendors’ single sign-on (SSO) compatible applications. But FIDO doesn’t work with remote networking services like RADIUS VPN, VDI, RDP, and others used at many organizations.
FIDO also does not work with all the custom, legacy, and on-premises password-based apps that drive financial enterprises’ business operations.
Octopus bridges the gaps left by FIDO and other ‘partial passwordless’ solutions with a suite of phishing-resistant MFA methods that work with everything in the enterprise, including password-based apps and network services. In addition to extending FIDO device-bound passkeys to everything in the enterprise, Octopus also has an industry-first phishing-resistant mobile push that meets NIST AAL3 requirements. Supporting phishing-resistant push may make more sense for some workflows than issuing hardware authenticators.
Phishing-Resistant Mobile Push Authentication
Octopus Desktop-to-app pinning mobile push leverages keypair channel binding, similar to how mobile push works with FIDO. Then, Octopus uses BLE and biometrics to satisfy NIST’s AAL3 phishing resistance requirements by verifying that the user, computer, and authenticator are all in close proximity.
How Secret Double Octopus Works
The Octopus Authentication Platform is built around a patented capability known as Invisible Secret Rotation. The platform replaces the user’s directory password entry with a machine-generated token that the Octopus platform manages and rotates. The user never knows that token exists, or when it gets rotated.
Instead of passwords, users authenticate to Octopus using stronger passwordless mechanisms, like FIDO2 tokens, X.509 smartcards, or Octopus push. Once the user has passed the high-assurance authentication, Octopus orchestrates access to user desktops and acts as a passwordless IdP to SSO and password-based apps in the backend.
MFA Compliance Without Infrastructure Overhaul
The Octopus machine-generated token approach is compatible with your existing password-based infrastructure. No heavy lift is required to replace, reconfigure, or recode existing apps or identity infrastructures. That means you can comply with NYDFS in weeks instead of years with less effort and at a lower cost.
Achieve NYDFS MFA Compliance with Secret Double Octopus
Let us show you how the Octopus delivers a secure, fast path to phishing-resistant authentication that meets NYCRR 500 MFA requirements before the deadline passes and regulators start issuing fines.