The concept of a multifactor authentication (MFA) risk assessment has recently become a topic of conversation in the information security community. Perhaps these discussions around an MFA risk assessment have led you to ask, "Am I required to perform an MFA risk assessment?"
The short answer is: No, this is not a requirement.
The long answer requires us to look more closely at what MFA is and how regulators have addressed it through guidance.
What do the regulators say?
On June 29, 2011, the Federal Financial Institutions Examination Council (FFIEC) published the Supplement to Authentication in an Internet Banking Environment.
The guidance states:
"Financial institutions should perform periodic risk assessments and adjust their customer authentication controls as appropriate in response to new threats to customers' online accounts." (Page 3)
"Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multifactor authentication to their business customers." (Page 4)
On March 1, 2017, the New York Department of Financial Services (NYDFS) 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies went into effect. Part 500.12(a) of the regulation reads:
"Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems."
How can these writings be interpreted?
Since the release of NYDFS Part 500.12(a), certain service organizations have used this regulation and the FFIEC's guidance to support the claim that financial institutions are required to perform an MFA risk assessment in order to be in compliance.
However, you may have noticed something different when reading the quotes above. MFA is only mentioned as a potential effective control, not something to be risk assessed.
What is a control?
Within the context of information security, a control is an administrative, technical, or physical means of security put in place to reduce the likelihood of a threat occurring and/or the potential damage if it were to occur. This likelihood and potential damage together are known as "risk." Threats of concern are those which could result in the unauthorized disclosure, misuse, alteration, or destruction of organization or customer data.
MFA is a technical control which requires authorized users to provide two or more factors to verify their identity. Factors include something you know (e.g., a password), something you have (e.g., a token), and something you are (e.g., a fingerprint). MFA can be implemented to prevent threats from being effective. Potentially mitigated threats include keyloggers, malware, phishing, or other forms of social engineering.
MFA is one of many technical controls which can be implemented, then documented in an information security risk assessment. Other technical controls include things like device identification, encryption, transaction limits, two-way authentication, etc.
It is neither common nor suggested that risk assessments be conducted over individual technical controls. With this in mind, instead of asking whether you are required to perform an MFA risk assessment, a better question to ask would be, "How can I build MFA into my existing risk assessments?"
How can you build MFA into your existing risk assessments?
Since MFA is a control recommended by guidance and regulation, you should both implement and document use of this control. Furthermore, you should have confidence in its ability to reduce the risk of threats included in your existing risk assessments.
Your information security policies should also define which systems require MFA (e.g., electronic banking, remote deposit capture, wire transfer and ACH, etc.), and your procedures should detail the technical specifications regarding your MFA configuration.
Additionally, because MFA is a technical control, your auditors should routinely check to confirm it is working as expected. Their testing should include a review of the systems using MFA which store, process, or transmit sensitive organization and customer data.
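To make the three steps above concrete (document MFA as a control against the threats it mitigates, define which systems policy requires it on, and have auditors verify coverage), here is an added example that is not CoNetrix or Tandem code. The systems, threats and 1-5 likelihood/impact scores are constructed illustrations, and the "MFA reduces likelihood by 2" assumption is a placeholder for whatever your own scoring scale uses.

```python
"""Added example: MFA modelled as a documented control inside an existing risk
assessment, plus the auditor's coverage check. All data below is constructed."""
from dataclasses import dataclass, field

# Threats the post names as potentially mitigated by MFA.
MFA_MITIGATES = {"keylogger", "malware", "phishing", "social engineering"}

@dataclass
class SystemRisk:
    name: str
    sensitive_data: bool   # stores, processes or transmits sensitive data
    mfa_required: bool     # information security policy requires MFA here
    mfa_verified: bool     # auditor confirmed MFA is working as expected
    threats: dict = field(default_factory=dict)  # threat -> (likelihood, impact), each 1-5

def inherent_risk(sr):
    """Risk before controls: likelihood x impact per threat."""
    return {t: l * i for t, (l, i) in sr.threats.items()}

def residual_risk(sr, mfa_likelihood_reduction=2):
    """Credit MFA only where policy requires it AND audit verified it, and only
    against the threats it addresses. It lowers likelihood, never impact."""
    out = {}
    for t, (l, i) in sr.threats.items():
        if sr.mfa_required and sr.mfa_verified and t in MFA_MITIGATES:
            l = max(1, l - mfa_likelihood_reduction)  # assumed reduction
        out[t] = l * i
    return out

def audit_findings(systems):
    """Auditor check: sensitive systems must require MFA, and required MFA must be tested."""
    findings = []
    for s in systems:
        if s.sensitive_data and not s.mfa_required:
            findings.append((s.name, "policy gap: sensitive system without MFA requirement"))
        elif s.mfa_required and not s.mfa_verified:
            findings.append((s.name, "control not verified: MFA required but untested"))
    return findings

# Constructed sample register using the system types the post lists.
SYSTEMS = [
    SystemRisk("electronic banking", True, True, True,
               {"phishing": (4, 5), "keylogger": (3, 5), "insider misuse": (2, 4)}),
    SystemRisk("wire transfer and ACH", True, True, False,
               {"social engineering": (4, 5), "malware": (3, 5)}),
    SystemRisk("marketing website", False, False, False, {"defacement": (2, 2)}),
    SystemRisk("remote deposit capture", True, False, False, {"phishing": (3, 4)}),
]
```

Note that "insider misuse" keeps its inherent score even on a verified MFA system: the control only earns credit against the threats the assessment documents it as addressing.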
Does CoNetrix have anything that can help with building multifactor authentication into my information security program?
Yes. The Tandem Risk Assessment, Internet Banking Security, and Policies software modules include template content, designed with multifactor authentication (and other important technical controls) in mind. Additionally, the Tandem Audit Management software allows users to document the methods used to verify controls are effective and connect the results of testing to the Tandem Risk Assessment software module. With integration between the modules, you will improve communication and understanding of your information security program.