Comment: Commenters requested that DFS clarify whether MFA is required in a variety of fact patterns, such as when users access a covered entity’s: (1) internal information systems from the covered entity’s office; or (2) internal or external information systems from their mobile devices if the mobile device had specific software, hardware, certificates, or possession tokens.
Response: Section 500.12(a) requires MFA to be used for any individual accessing any information systems of a covered entity, regardless of location, type of user, and type of information contained on the information system being accessed, with few exceptions. It may be acceptable, in some circumstances, depending on a covered entity’s specific cybersecurity risks, to use a device, such as an office workstation, mobile phone, or laptop, as one of the authentication factors required for MFA, especially if, for example, the device contains biometric capabilities or authenticator applications.
Therefore, the Department did not make any changes in light of these comments.
Comment: Commenters requested that DFS clarify whether a possession factor and either a knowledge factor or an inherence factor would satisfy the MFA requirements in § 500.12.
Response: Section 500.1(i) already defines MFA to mean authentication through verification of at least two of the three types of authentication factors listed, which are knowledge, possession, and inherence factors.
Therefore, the Department did not make any changes in light of this comment.
Comment: Commenters requested that DFS clarify whether MFA is required when: (1) users are not accessing information systems that contain nonpublic information; (2) a user accesses a public-facing website; or (3) a customer logs into a covered entity’s online portal.
Response: Pursuant to § 500.12, covered entities must require users to provide multiple forms of authorization to access any of the covered entity’s information systems, regardless of the type of information maintained on such systems. MFA generally is not required for visits to a covered entity’s public-facing website because visits to public-facing websites do not require access to a covered entity’s information systems. However,