Two months after the New York Department of Financial Services (“NYDFS”) updated its Frequently Asked Questions (“FAQs”), which we wrote about here, NYDFS has released revised FAQs on multifactor authentication (“MFA”) that further clarify 23 NYCRR § 500.12. As we previously reported, the December 2025 FAQs provided prescriptive guidance, including clarifications on the technical requirements for the “possession” factor, the risks associated with push-based authentication, and MFA for external-facing websites. The newly revised FAQs suggest that NYDFS is continuing to refine and clarify its expectations for MFA. Below, we summarize the key differences introduced by the revised FAQs.
FAQs 18 & 19
In the December 2025 FAQs, NYDFS stated that a “possession” factor (that is, something you have) based solely on device recognition, policy-based controls, or software-stored certificates does not constitute reasonable evidence of possession. NYDFS explained that these approaches can be easily copied or bypassed and are therefore insufficient on their own to satisfy the MFA requirements under Section 500.12(a).
The revised FAQs clarify that these mechanisms may be acceptable under Section 500.12(a) where they rely on cryptographic proof of possession. In practice, this refers to authentication methods in which the credential is a private key bound to a specific device, typically held in hardware-backed key storage, a secure enclave, or a similar device-level protection, so that it cannot be exported or reused on another device, and in which the server verifies possession by having the device sign a fresh challenge rather than by recognizing a stored value. A certificate whose private key sits in an exportable software keystore remains the copyable case the December 2025 FAQs rejected; what changes the analysis is that the key is non-exportable and the proof is cryptographic.
Separately, weaker policy-based controls, which do not on their own satisfy Section 500.12(a), may still count toward reasonably equivalent or more secure compensating controls under Section 500.12(b) when implemented in combination with other security controls.
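To make the distinction concrete, the following Go program is an added illustration (not part of the original alert, and not code from NYDFS or any regulation) of what a cryptographic proof of possession looks like at the protocol level: the server stores only a device's public key, issues a fresh random challenge for each login, and accepts the login only if that challenge comes back signed by the device's private key. The device, server, identifiers and key handling are simplified stand-ins; in a deployment that would qualify, the private key is generated in and never leaves a TPM, Secure Enclave, or hardware token, which an in-memory key cannot reproduce.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps, per enrolled device, only the public key and any outstanding
// one-time challenge; nothing stored here is sufficient to impersonate the device.
type Server struct {
	devices    map[string]ed25519.PublicKey
	challenges map[string][]byte // device ID -> nonce awaiting a signature
}

// Register is the enrollment step: the server keeps the device's public half.
func (s *Server) Register(deviceID string, pub ed25519.PublicKey) { s.devices[deviceID] = pub }

// Challenge issues a fresh random nonce that is valid for exactly one response.
func (s *Server) Challenge(deviceID string) ([]byte, error) {
	if _, ok := s.devices[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[deviceID] = nonce
	return nonce, nil
}

// Verify accepts a login only if the signature is over the nonce currently
// outstanding for that device. The nonce is retired before checking, so a
// captured (nonce, signature) pair cannot be replayed on a later login.
func (s *Server) Verify(deviceID string, nonce, sig []byte) bool {
	pub, known := s.devices[deviceID]
	want, pending := s.challenges[deviceID]
	if !known || !pending || !bytes.Equal(nonce, want) {
		return false
	}
	delete(s.challenges, deviceID)
	return ed25519.Verify(pub, nonce, sig)
}

// Device stands in for the authenticator. In a deployment that relies on
// cryptographic proof of possession the private key is generated inside a TPM,
// Secure Enclave, or hardware token and cannot be exported; this in-memory key
// is a stand-in so the exchange runs offline.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

func (d *Device) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Respond signs the nonce: the signature proves the key is present without
// the key itself ever leaving the device.
func (d *Device) Respond(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// RunExchange plays out enrollment, one genuine login, a replay of that login's
// captured response, and a forgery by a party who copied everything but the key.
func RunExchange() (genuineOK, replayOK, forgedOK bool, err error) {
	srv := &Server{devices: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
	dev, err := NewDevice("laptop-01") // constructed device ID
	if err != nil {
		return
	}
	srv.Register(dev.ID, dev.Public())
	nonce, err := srv.Challenge(dev.ID)
	if err != nil {
		return
	}
	sig := dev.Respond(nonce)
	genuineOK = srv.Verify(dev.ID, nonce, sig) // fresh challenge, enrolled key
	replayOK = srv.Verify(dev.ID, nonce, sig)  // same pair again: nonce already retired
	nonce2, err := srv.Challenge(dev.ID)
	if err != nil {
		return
	}
	clone, err := NewDevice("clone") // attacker's own key, not the enrolled one
	if err != nil {
		return
	}
	forgedOK = srv.Verify(dev.ID, nonce2, clone.Respond(nonce2))
	return
}

func main() { fmt.Println(RunExchange()) }
```

The replay and forgery checks show why the line is drawn where it is: a device-recognition cookie or an exportable software certificate is a static value that works wherever it is copied, whereas a signature over a one-time nonce is useless to anyone who captures it and cannot be produced without the key that stays on the device.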
FAQ 20
The December 2025 FAQ stated that covered entities may use push-based applications to satisfy the “something you have” possession factor under Section 500.12(a), but only if implemented securely.
The revised FAQ reiterates this position and further emphasizes that covered entities should deploy push-based authentication with appropriate safeguards to ensure the applications are used securely. Practically, this may include number matching (the user types a code shown on the login screen into the authenticator, so a prompt the user did not initiate cannot be approved blindly), biometric or PIN verification on the device before a push can be approved, rate limiting of prompts and monitoring for push fatigue attacks (repeated prompts sent until a user approves one out of habit), and controls that ensure each prompt can be resolved only once and is never accepted automatically. The clarification reinforces NYDFS’s focus on attack techniques that exploit poorly configured push-based MFA.
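As an added illustration (not part of the original alert or of any NYDFS material), the Go program below models the server side of the safeguards listed above: a number-match code issued with each prompt, a device-local biometric or PIN gate before approval, rate limiting of prompts, detection of push fatigue from repeated denials, and one-time resolution of each prompt so an approval cannot be replayed. The users, thresholds and window are constructed for the example and are not figures from the FAQs.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy values are assumptions chosen for the example, not NYDFS figures.
const (
	window         = 10 * time.Minute // sliding window for counting prompts
	maxPushes      = 3                // prompts per user per window before rate limiting
	fatigueDenials = 2                // denied prompts per window before the factor locks
)

var ErrLocked = errors.New("push factor locked: repeated denials look like push fatigue")
var ErrRateLimited = errors.New("too many push prompts in window")

// Push is one prompt. Code is the number shown on the login screen that the user
// must type into the authenticator; someone who did not start the login cannot see it.
type Push struct {
	ID, Status string // Status: pending, approved, denied
	Code       int
	Issued     time.Time
}

type PushServer struct {
	pending map[string]*Push   // push ID -> unresolved prompt
	history map[string][]*Push // user -> every prompt issued
}

// RequestPush runs after the password check. It refuses to send when the user has
// denied too many recent prompts (push fatigue: the point to alert the SOC) or has
// already been prompted too often (rate limit); otherwise it issues a fresh code.
func (s *PushServer) RequestPush(user string) (*Push, error) {
	total, denied := 0, 0
	for _, p := range s.history[user] {
		if p.Issued.After(time.Now().Add(-window)) {
			total++
			if p.Status == "denied" {
				denied++
			}
		}
	}
	if denied >= fatigueDenials {
		return nil, ErrLocked
	}
	if total >= maxPushes {
		return nil, ErrRateLimited
	}
	n, err := rand.Int(rand.Reader, big.NewInt(100)) // two-digit number-match code
	if err != nil {
		return nil, err
	}
	p := &Push{ID: fmt.Sprintf("%s-%d", user, len(s.history[user])+1), Status: "pending",
		Code: int(n.Int64()), Issued: time.Now()}
	s.pending[p.ID] = p
	s.history[user] = append(s.history[user], p)
	return p, nil
}

// Approve is what the authenticator submits; localUnlock reports that the device
// verified a biometric or PIN first. A prompt resolves exactly once, so a captured
// approval cannot be replayed, and a wrong code means the approver never saw the real one.
func (s *PushServer) Approve(pushID string, typedCode int, localUnlock bool) error {
	p, ok := s.pending[pushID]
	if !ok {
		return errors.New("no outstanding prompt: already used or never issued")
	}
	delete(s.pending, pushID)
	if !localUnlock || typedCode != p.Code {
		p.Status = "denied"
		return errors.New("rejected: device unlock or number match failed")
	}
	p.Status = "approved"
	return nil
}

// Scenario walks the safeguards with constructed users (not real data).
func Scenario() (legitOK, replayOK, wrongCodeOK bool, rateLimitedAt int, lockedErr error) {
	srv := &PushServer{pending: map[string]*Push{}, history: map[string][]*Push{}}
	// Alice logs in herself: reads the code on screen, unlocks her phone, types it.
	p, _ := srv.RequestPush("alice")
	legitOK = srv.Approve(p.ID, p.Code, true) == nil
	replayOK = srv.Approve(p.ID, p.Code, true) == nil // same approval submitted again
	// An attacker holding Bob's password triggers prompts; Bob taps approve out of
	// habit but cannot know the attacker's code, so each attempt counts as a denial.
	for i := 0; i < fatigueDenials; i++ {
		p, _ = srv.RequestPush("bob")
		wrongCodeOK = srv.Approve(p.ID, (p.Code+1)%100, true) == nil
	}
	_, lockedErr = srv.RequestPush("bob") // the next prompt is refused as push fatigue
	// Carol's account is hammered with prompts she ignores; prompts are capped.
	for rateLimitedAt = 1; rateLimitedAt <= maxPushes+1; rateLimitedAt++ {
		if _, err := srv.RequestPush("carol"); errors.Is(err, ErrRateLimited) {
			break
		}
	}
	return
}

func main() { fmt.Println(Scenario()) }
```

In a real deployment the lock on repeated denials should raise an alert and require a help-desk unlock rather than silently expiring, and the number-match code is displayed only on the page that initiated the login, which is what denies an attacker the value the user is asked to type.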
FAQ 23
The December 2025 FAQ stated that, as a baseline requirement, covered entities that do not qualify for an exemption under Section 500.12 must implement MFA for every external-facing information system—including public websites and applications. Where a covered entity elected not to implement MFA, the CISO was required to formally document that the system (1) did not contain nonpublic information (“NPI”); (2) did not allow unauthenticated access to other internal information systems; and (3) did not pose material cybersecurity risk to the entity, its customers, other systems, or NPI.
The revised FAQ clarifies that covered entities generally will not be required to implement MFA for most public websites, provided that the website does not contain NPI, does not allow unauthenticated access to other internal information systems, and does not pose material cybersecurity risk to the entity, its customers, other systems, or NPI. Rather than framing the analysis as a set of conditions that must be affirmatively satisfied and documented before MFA can be forgone, the revised FAQ identifies the specific circumstances in which MFA is required for public-facing websites. NYDFS nonetheless suggests that covered entities document their determinations and the associated risk factors.
NYDFS’s revisions to the FAQs appear to signal an ongoing effort to refine and clarify its MFA requirements under 23 NYCRR Part 500. Covered entities should carefully review the revised FAQs in light of their existing MFA implementations and compensating controls, and assess whether any updates to policies, procedures, or technical safeguards are warranted to align with NYDFS’s evolving expectations.
