Security | January 18, 2024 | 10 min read

Multi-Factor Authentication: Meeting NY DFS 500.12 Requirements

MFA is now required for all remote access. Here's how to implement it effectively and stay compliant.

Section 500.12 of NY DFS 23 NYCRR 500 requires covered entities to implement multi-factor authentication (MFA) for accessing internal systems remotely and for privileged access. The 2023 amendments strengthened these requirements significantly.

What Does Section 500.12 Require?

Under the current regulation, MFA is required for:

  • Remote access to internal networks and systems from any external network
  • Privileged accounts including administrators, IT staff, and anyone with elevated access
  • Third-party access to any systems containing nonpublic information
  • Web-based applications that access nonpublic information

2023 Amendment Changes

The November 2023 amendments expanded MFA requirements significantly. MFA is now required for all remote access, not just access to internal networks. This includes cloud services, SaaS applications, and any system that processes nonpublic information.

What Qualifies as MFA?

Multi-factor authentication requires at least two of the following factors:

Something You Know

Password, PIN, security questions

Something You Have

Phone, hardware token, smart card

Something You Are

Fingerprint, facial recognition, voice

Acceptable MFA Methods

Not all MFA methods provide equal security. Here's a breakdown:

Recommended Methods

  • Hardware security keys (FIDO2/WebAuthn) - Most secure option
  • Authenticator apps (Microsoft Authenticator, Google Authenticator) - Strong and practical
  • Push notifications - Convenient with good security

Acceptable but Less Secure

  • SMS-based codes - Vulnerable to SIM swapping but still acceptable
  • Email-based codes - Only if email itself is protected by MFA

Implementation Strategy

Follow these steps to implement MFA across your organization:

  1. Inventory your systems - Identify all systems requiring MFA protection
  2. Choose your MFA solution - Consider Microsoft 365, Okta, Duo, or similar platforms
  3. Start with privileged users - Implement MFA for admins and IT staff first
  4. Roll out to all users - Expand to all employees accessing systems remotely
  5. Address third-party access - Ensure vendors and contractors use MFA
  6. Train your users - Provide clear instructions and support
  7. Monitor and enforce - Track MFA adoption and enforce compliance

Common Challenges and Solutions

User Resistance

Some employees may resist MFA as inconvenient. Address this by explaining the security benefits, providing training, and choosing user-friendly methods like push notifications.

Legacy Systems

Older systems may not support modern MFA. Consider using a VPN or identity proxy that adds MFA in front of legacy applications.

Lost Devices

Have a recovery process in place for when users lose their MFA devices. This should include identity verification before resetting MFA.

Buffalo Sentinel MFA Tracking

Our platform monitors MFA enrollment status across your organization and integrates with Microsoft 365, Okta, and other identity providers to provide real-time compliance visibility.

Documentation Requirements

For compliance purposes, maintain records of:

  • MFA enrollment status for all users
  • Systems protected by MFA
  • MFA method used (app, hardware key, etc.)
  • Any exceptions and compensating controls
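An enrollment audit over a constructed inventory, added here as an example and not part of the original article or the Buffalo Sentinel product: it applies the method tiers from this article, scopes the check to remote and privileged access as Section 500.12 requires, and yields the enrollment, method and exception records listed above. The user records, field names and the "email codes need an MFA-protected mailbox" check are assumptions.

```python
from collections import Counter

# MFA tiers as laid out in this article; any other value counts as no MFA.
RECOMMENDED = {"fido2", "authenticator_app", "push"}
LESS_SECURE = {"sms", "email"}

# Constructed sample inventory (not real data). "email_mfa" records whether the
# mailbox that receives email codes is itself protected by MFA.
USERS = [
    {"user": "admin1",  "privileged": True,  "remote": True,  "mfa": "fido2"},
    {"user": "it2",     "privileged": True,  "remote": True,  "mfa": None},
    {"user": "staff3",  "privileged": False, "remote": True,  "mfa": "sms"},
    {"user": "staff4",  "privileged": False, "remote": True,  "mfa": "email", "email_mfa": False},
    {"user": "vendor5", "privileged": False, "remote": True,  "mfa": "email", "email_mfa": True},
    {"user": "onsite6", "privileged": False, "remote": False, "mfa": None},
    {"user": "legacy7", "privileged": False, "remote": True,  "mfa": None,
     "exception": "legacy app", "compensating_control": "MFA at VPN gateway"},
]

def classify(entry):
    """Tier for one user: 'recommended', 'less_secure' or 'none'."""
    method = entry.get("mfa")
    if method in RECOMMENDED:
        return "recommended"
    if method == "email" and not entry.get("email_mfa", False):
        return "none"  # email codes only count when the mailbox itself has MFA
    if method in LESS_SECURE:
        return "less_secure"
    return "none"

def audit(users):
    """Return ({user: finding}, Counter of tiers). Only remote or privileged
    access is in scope; on-site, non-privileged users are counted, not flagged."""
    findings, tiers = {}, Counter()
    for u in users:
        tier = classify(u)
        tiers[tier] += 1
        if not (u["privileged"] or u["remote"]):
            continue
        if tier == "less_secure":
            findings[u["user"]] = f"{u['mfa']} codes acceptable but less secure"
        elif tier == "none":
            if u.get("exception") and u.get("compensating_control"):
                findings[u["user"]] = f"exception: {u['exception']} ({u['compensating_control']})"
            elif u.get("exception"):
                findings[u["user"]] = "exception without compensating control"
            else:
                findings[u["user"]] = "privileged access without MFA" if u["privileged"] else "remote access without MFA"
    return findings, tiers
```

The tier counts are the enrollment-status record and the findings dict is the exception log; feed both into whatever ticketing or reporting your compliance process already uses.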

Track Your MFA Compliance

Buffalo Sentinel integrates with your identity provider to track MFA enrollment and generate compliance reports.
