NYC500 Requires Multi-Factor Authentication

by Adam Abresch | Mar 07, 2017 | Cyber

Your password is your kid's name. 

Your password is your spouse's name followed by your wedding date.

Your password is your favorite sports team.

Your password needs to change. What started as "a combination of alphanumeric characters" progressed to "at least 8 alphanumeric characters" and grew to "at least 8 alphanumeric and 1 special character !@#$".

No more. The age of Multi-Factor Authentication is here.

What is Multi-Factor Authentication? Let’s break it down.

Authentication is either:

  • Something you know (like a password or PIN)
  • Something you have (like your cellphone or ATM card)
  • Something you are (e.g. a fingerprint or retina scan)

Multi means more than one.

Therefore: Something you have + something you know = 2 factor or Multi-Factor Authentication.


Why do I need Multi-Factor Authentication?

In addition to being required by the NYC500 regulations, Multi-Factor Authentication is an effective control that protects against unauthorized access to Nonpublic Information and Information Systems.

One of the most common causes of a data breach is compromised credentials. Multi-Factor Authentication adds a vital layer of security that guards against this type of breach.

Who needs to use Multi-Factor Authentication?

According to the NYC500, it is not enough that Covered Entities implement Multi-Factor Authentication within their own user network; they must also ensure that any individual accessing the Covered Entity’s internal systems from an external network utilizes Multi-Factor Authentication as well.

The only exception to this Third Party Service Provider (3PSP) requirement is if the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls with regard to the 3PSP in question.

Okay, I get it. Now how do I set up Multi-Factor Authentication?

  1. Determine what Nonpublic Information is contained on your Information Systems:
     • Bank accounts?
     • Employee information?
     • Health information?
     • Sensitive client information?
     • Emails?
     • Financial records?
     • Sensitive corporate information?
     • Other?
  2. Determine where this information is located across your networks:
     • On premises?
     • In the cloud?
     • On laptops/mobile devices?
     • Elsewhere?
  3. Determine what users have access to this information and where they are located:
     • Employees?
     • Clients/customers?
     • Third-party vendors?
     • Others?
  4. Determine what type of Multi-Factor Authentication best fits your organization’s needs:
     • Password + PIN?
     • Password + SMS Text?
     • Password + Mobile App Notification?
     • Password + Phone Call?
     • Others?
  5. Deploy and implement Multi-Factor Authentication across necessary networks, platforms and devices:
     • Cloud
     • Employee Portals
     • Client Portals
     • Laptops/Mobile Devices
     • On-premises computers, servers, etc.
     • Emails
     • Others?
6. Constantly monitor Multi-Factor Authentication reports

In order to ensure effectiveness, your organization must constantly monitor the status of your Multi-Factor Authentication. Determining whether MFA is enabled or disabled across Information Systems may require using an application programming interface with reporting capabilities.

7. Continually update Multi-Factor Authentication to adapt to constantly evolving threats

Cyber criminals are constantly devising new ways to compromise Multi-Factor Authentication systems, so an MFA configuration that is safe today may be ripe for exploitation tomorrow. With this in mind, it is crucial to constantly update Multi-Factor Authentication configurations in order to ensure that MFA is truly protecting against unauthorized access to Nonpublic Information and Information Systems.
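The monitoring in step 6 and the external-access and third-party rules described earlier can be checked against a periodic MFA status export. The script below is an added example, not code from the original article; the CSV column names, the sample rows and the finding labels are assumptions constructed for illustration and do not match any particular identity provider's report format.

```python
import csv
import io

# Constructed sample export (hypothetical columns, not a real provider schema).
SAMPLE_REPORT = """\
user,type,network,npi_access,mfa_enabled,ciso_exception
alice,employee,internal,yes,yes,no
bob,employee,external,yes,no,no
vendor-acme,third_party,external,yes,no,yes
carol,employee,internal,yes,no,no
dave,client,external,no,no,no
vendor-beta,third_party,external,yes,no,no
erin,employee,internal,yes,,no
"""

def _yes(row, col):
    # Fail closed: a blank or missing value is treated as "no".
    return (row.get(col) or "").strip().lower() == "yes"

def audit_mfa(report_text):
    """Return (user, finding) pairs for accounts that need follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if _yes(row, "mfa_enabled"):
            continue
        kind = (row.get("type") or "").strip().lower()
        external = (row.get("network") or "").strip().lower() == "external"
        if external and kind == "third_party" and _yes(row, "ciso_exception"):
            # Written CISO approval of equivalent controls: not a gap,
            # but listed so the approval can be re-verified.
            findings.append((row["user"], "exception-review"))
        elif external:
            # Anyone reaching internal systems from outside needs MFA.
            findings.append((row["user"], "external-no-mfa"))
        elif _yes(row, "npi_access"):
            # Internal account that can reach Nonpublic Information.
            findings.append((row["user"], "npi-no-mfa"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_mfa(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Run it on each new export and compare against the previous run, so that an account whose MFA was switched off between reports shows up as a new finding.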


Attackers often infiltrate organizations by compromising end users' credentials, making password compromise one of the leading causes of data breaches.

These credentials are then used by attackers to access an organization’s Information Systems and harvest sensitive Nonpublic Information. Establishing enterprise-wide Multi-Factor Authentication serves as an effective measure for mitigating data breaches due to password compromise.

In order to ensure compliance with the NYC500 guidelines, Covered Entities must ensure that they use effective controls, such as Multi-Factor Authentication, to protect against unauthorized access to Nonpublic Information and Information Systems.