CISOs and IAM leaders in financial services are dealing with a simple reality: attackers don’t need to “hack” anything if they can steal or crack credentials. User-managed secrets remain the primary attack surface – especially where passwords, OTPs, and inconsistent MFA coverage persist across the workforce, third parties, and legacy systems.
Last week, NYDFS hosted a webinar titled “DFS Presents – Let’s Talk MFA” to clarify the latest MFA expectations under Part 500 and help covered entities plan for compliance. That alone should be a wake-up call for financial organizations with gaps – especially where legacy access paths and remote/admin systems still rely on weak credentials or single-factor controls. But NYDFS is only one part of the picture: FFIEC, NCUA, PCI DSS 4.x, NIST’s digital identity framework, and FINRA oversight practices are all pushing the industry toward broader MFA coverage, tighter exception governance, and higher-assurance (phishing-resistant) authentication.
The obvious answer is to standardize on universal, phishing-resistant authentication – but regulators and industry bodies don’t always define “phishing-resistant” in the same way. What’s consistent is the outcome they expect: reduce authentication risk, expand MFA coverage (including legacy access paths), minimize exceptions, and raise assurance for high-risk access.
The Cybersecurity & Infrastructure Security Agency (CISA) calls phishing-resistant MFA “the gold standard of MFA” and recommends escalating MFA gaps to senior leadership because they represent material risk.
CISOs and IAM leaders’ takeaway: “We have MFA” isn’t a defensible position anymore. The new bar is coverage + method strength + proof.
This post breaks down six widely referenced regulations/guidelines and translates them into a pragmatic IAM program.
1) NYDFS 23 NYCRR 500: MFA with enforcement pressure
If you’re a NYDFS “Covered Entity,” MFA is not optional window dressing. Section 500.12 requires MFA for any individual accessing any information systems, with limited exemption logic. In 2025 NYDFS published additional material explaining enhanced MFA expectations tied to the amended Part 500 requirements timeline.
CISOs and IAM leaders’ takeaway
- Workforce and third-party access: MFA by default
- Privileged access: higher assurance and tighter exception management
- Evidence: be able to demonstrate enforcement and gaps
2) FFIEC guidance: risk-based authentication and “equivalent strength”
FFIEC’s interagency guidance frames authentication as an enterprise risk management discipline across employees, customers, and third parties, emphasizing layered controls and governance.
CISOs and IAM leaders’ takeaway
- MFA for high-risk access and transactions
- Stronger methods where phishing risk is highest
- Documented rationale when you choose an “equivalent strength” control
3) NCUA: credit-union focus on resilience and workforce controls
The National Credit Union Administration is often aligned with FFIEC expectations when it comes to MFA. It advises credit unions to use strong MFA methods and implement risk-based authentication.
CISOs and IAM leaders’ takeaway: For credit unions, examiners’ questions are increasingly practical: “Where is MFA enforced, how is it monitored, and how quickly can you close gaps?”
4) PCI DSS 4.x: stronger authentication posture with fixed milestones
PCI DSS 4.x pushes organizations to mature authentication and access controls, expanding MFA requirements to cover all accounts accessing cardholder data, not just administrators. These expanded requirements became mandatory on March 31, 2025.
CISOs and IAM leaders’ takeaway: treat PCI authentication controls as a program with continuous evidence – not an annual scramble.
5) NIST SP 800-63: your best “defensible story” for assurance
NIST provides the cleanest baseline definition. In NIST SP 800-63B (Digital Identity Guidelines):
- AAL2 requires MFA and verifiers must offer at least one phishing-resistant option.
- AAL3 requires phishing-resistant authentication with a non-exportable key and stronger cryptographic requirements.
CISOs and IAM leaders’ takeaway: use the NIST AAL2/AAL3 mapping to justify where you require phishing-resistant authentication (privileged, remote, admin, and high-impact systems).
6) FINRA best practices: MFA as a baseline for firm systems and email
Though not a hard requirement, FINRA’s best practices call for MFA: “Use multi-factor authentication (MFA) for login access to the firm’s systems, including email and operational systems accessed by associated persons, firm staff, contractors and customers.”
CISOs and IAM leaders’ takeaway: Member firms are expected to treat MFA as foundational, not optional – especially for operational systems and identity-adjacent access.
A practical “do this now” checklist for financial institutions
1) Close MFA coverage gaps (especially legacy)
Auditors don’t care that a system is “legacy” – they care that it’s a control gap. Use compensating controls only when necessary, and document them.
2) Make exceptions expensive
Require a risk sign-off, expiry date, and a remediation plan for anything without strong MFA – CISA explicitly advises reporting risks related to partial MFA coverage to leadership.
3) Collect evidence continuously
Build reporting that answers:
- Who has MFA? Who doesn’t?
- Which systems enforce it? Which don’t?
- Which methods are allowed (and which are blocked)?
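As an added illustration of the evidence questions above, together with the exception rules in item 2 and the NIST AAL mapping in section 5, the following script is example code written for this post, not Secret Double Octopus, NYDFS or NIST code. The access inventory, the method tiers, the allowed-method policy and the dates are all constructed assumptions.

```python
"""MFA coverage evidence report: added example, not NYDFS, NIST or vendor code.
Assumes a constructed access inventory (one record per account/system pair) and a
simplified NIST SP 800-63B tiering where only FIDO2 and PIV count as phishing-resistant."""
from dataclasses import dataclass
from datetime import date

PHISHING_RESISTANT = {"fido2", "piv"}       # assumption: the only methods treated as AAL3-grade
REPLAYABLE_MFA = {"totp", "push", "sms"}    # still MFA, but phishable/replayable
ALLOWED_METHODS = {"fido2", "piv", "totp", "push"}   # hypothetical policy: SMS is blocked
AS_OF = date(2025, 9, 1)                    # constructed report date

@dataclass
class Access:
    account: str
    system: str
    privileged: bool
    method: str
    exception: dict = None   # {"owner", "expires", "plan"} when MFA was waived

def classify(a: Access, today: date) -> str:
    """One finding per record: coverage, then method strength, then exception validity."""
    if a.method in PHISHING_RESISTANT:
        return "ok"
    if a.method in REPLAYABLE_MFA:
        return "needs_phishing_resistant" if a.privileged else "ok_replayable_mfa"
    exc = a.exception or {}
    if all(exc.get(k) for k in ("owner", "expires", "plan")) and exc["expires"] >= today:
        return "exception_valid"        # waived with risk sign-off, expiry date and remediation plan
    return "gap_no_mfa"                 # single-factor with no exception, or an expired one

def report(inventory: list, today: date) -> dict:
    """Answers the three evidence questions: who, which systems, which methods."""
    rows = [(a, classify(a, today)) for a in inventory]
    return {
        "accounts_without_mfa": sorted({a.account for a, f in rows if f in ("gap_no_mfa", "exception_valid")}),
        "systems_not_enforcing": sorted({a.system for a, f in rows if f == "gap_no_mfa"}),
        "privileged_needing_upgrade": sorted(a.account for a, f in rows if f == "needs_phishing_resistant"),
        "blocked_methods_in_use": sorted({a.method for a in inventory if a.method in REPLAYABLE_MFA - ALLOWED_METHODS}),
    }

# Constructed sample inventory; accounts, systems and dates are illustrative only.
SAMPLE = [
    Access("alice", "core-banking", True, "fido2"),
    Access("bob", "core-banking", True, "push"),               # privileged on replayable MFA
    Access("dave", "legacy-mainframe", False, "password"),     # legacy path, no exception
    Access("erin", "legacy-mainframe", False, "password",
           {"owner": "CISO", "expires": date(2026, 6, 30), "plan": "front with MFA gateway"}),
    Access("frank", "wire-transfer", True, "password",
           {"owner": "IT", "expires": date(2024, 1, 1), "plan": "tbd"}),   # exception expired
    Access("gina", "email", False, "sms"),                     # MFA tier allowed, method blocked
]
```

Run `report(SAMPLE, AS_OF)` to get the four answers as sorted lists; an expired exception is reported as a gap, not as a valid waiver.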
4) Don’t confuse “passwordless UX” with “passwordless security”
Common “passwordless” solutions still rely on passwords somewhere in the flow (fallbacks, recovery, protocol dependencies). To gain phishing resistance you must remove shared secrets and adopt authenticators designed to resist credential replay and social engineering. See how ZeroPassword from Secret Double Octopus eliminates all passwords and replaces them with auto-rotating ephemeral tokens to achieve true phishing resistance.