The New York State Department of Financial Services (NYDFS) on Tuesday outlined common vulnerabilities in multi-factor authentication (MFA) and how to address them from a cybersecurity risk management standpoint.

Although MFA is an “essential part of cybersecurity hygiene,” the NYDFS stated in new guidance, “… MFA weaknesses are the most common cybersecurity gap exploited at financial services companies.” Consequently, the NYDFS is “increasing its review of MFA during examinations, with a particular emphasis on probing for the common MFA failures discussed in this guidance.”

Covered entities should carefully consider the importance of MFA as they implement a risk-based cybersecurity program. The NYDFS’s Cybersecurity Regulation requires MFA for remote access and to be implemented beyond that, when necessary, to ensure effective access controls based on a comprehensive risk assessment.

“Given the high and growing level of risk posed by a lack of MFA, covered entities should ensure that MFA is implemented effectively, and that MFA is used wherever it is needed to manage the risk of unauthorized access,” the NYDFS stated.

Common MFA vulnerabilities

Gaps in MFA were cited by approximately 64 percent of covered entities that reported a cybersecurity event to the NYDFS from January 2020 to July 2021. “In some cases, MFA was completely absent; in others, it was not enabled, misconfigured, only partially implemented, or pending implementation,” the regulator stated.

Many cyber incidents reported to the NYDFS involve violations of the Cybersecurity Regulation Section 500.12 requirement for MFA. The following are the most common reasons for such violations:

Legacy systems that don’t support MFA. The most exploited legacy system is Microsoft email services, according to the NYDFS. To prevent cybercriminals from exploiting a legacy system the covered entity did not realize was still active—a common occurrence—the regulator’s guidance recommends covered entities “maintain an up-to-date inventory of all IT assets and regularly decommission systems that are no longer needed.”

MFA for remote access fails to cover key applications. Many covered entities still have email or other applications that can be accessed without a VPN, according to the NYDFS. “Covered entities must therefore ensure that MFA is in place for remote access to all applications and systems, including those that can be accessed without authenticating through a VPN,” the regulator stated.

Lack of MFA for third parties. “Covered entities sometimes do not require third parties to use MFA when accessing their systems and the nonpublic information on them,” the NYDFS stated. “… The Department has seen a number of cyber incidents targeting these third-party portals and applications through phishing and credential stuffing. To prevent this type of unauthorized access, covered entities must require MFA or the use of reasonably equivalent or more secure access controls for all third parties accessing information systems with nonpublic information.”

Incomplete MFA setups or rollouts. “Granting remote access permissions and configuring MFA for users should be done with the direct oversight of one or more designated individuals,” the NYDFS stated. “The Department has seen several cyber incidents that occurred when attackers exploited MFA ‘self-setup’ to setup MFA controlled by the cybercriminal. Additionally, the Department has seen cyber incidents that occurred because MFA setup was left to the user, and some users never set up MFA.”

Incidents have also occurred “because of long gaps in MFA coverage during rollouts or transitions to new technology,” the NYDFS added. “… Covered entities should plan transitions to avoid gaps in MFA usage and implement compensating controls during temporary gaps.”

Poor exceptions management. Lack of a clear policy on exceptions, failure to enforce policies such as time limits on exceptions, and/or failure to track exceptions are common problems. “Exceptions to the MFA requirement should be granted sparingly, tracked, and last only as long as necessary,” the NYDFS stated.

C-suite exemptions, in which a senior member of the company refuses to use MFA, should also not be granted.

Other considerations

When implementing risk-based access controls, the NYDFS encourages covered entities to think about MFA related to all privileged accounts and consider the various types of MFA—such as token-based or push-based configurations—and the unique vulnerabilities associated with each.

“Covered entities should also test and validate the effectiveness of MFA implementation,” the NYDFS stated. “IT audits, penetration tests, and vulnerability scans should include verification of MFA control strength and identification of weaknesses or gaps in MFA as implemented and configured. Material weaknesses must be reported to the board.”