The concept of a multifactor authentication (MFA) risk assessment has recently become a topic of conversation in the information security community. Perhaps these discussions around an MFA risk assessment have led you to ask, "Am I required to perform an MFA risk assessment?"

The short answer is: No, this is not a requirement.

The long answer requires us to look more closely at what MFA is and how regulators have addressed it through guidance.

Where did this idea originate?

The origins of this concept most likely stem from the 2011 Federal Financial Institutions Examination Council (FFIEC) guidance titled Supplement to Authentication in an Internet Banking Environment.

The guidance stated:

"Financial institutions should perform periodic risk assessments and adjust their customer authentication controls as appropriate in response to new threats to customers' online accounts." (Page 3)

"Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multifactor authentication to their business customers." (Page 4)

Additionally, on March 1, 2017 the New York Department of Financial Services (NYDFS) 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies went into effect. Part 500.12(a) of the regulation reads:

"Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems."

Since these references conflated the idea of performing a risk assessment with MFA, these references have been used to support the claim that financial institutions are required to perform a MFA risk assessment in order to be in compliance.

However, you may have noticed something different when reading the quotes above. MFA is only mentioned as a potential effective control, not something to be risk assessed.

What does current guidance require?

Today, the most authoritative source on MFA is the FFIEC 2021 guidance on Authentication and Access to Financial Institution Services and Systems. The guidance states:

"When a risk assessment indicates that single-factor authentication with layered security is inadequate, multi-factor authentication (MFA) or controls of equivalent strength, combined with other layered security controls, can more effectively mitigate risks associated with authentication."

This guidance provides the clearest picture of MFA and its relationship to a risk assessment: MFA is a control, and it can be used to reduce authentication risks.

What is a control?

Within the context of information security, a control is an administrative, technical, or physical means of security put in place to reduce the likelihood of a threat occurring and/or the potential damage if it were to occur. This likelihood and potential damage together are known as "risk." Threats of concern are those which could result in the unauthorized disclosure, misuse, alteration, or destruction of organization or customer data.

How is MFA a control?

MFA is a technical control which requires authorized users to provide two or more factors to verify their identity. Common factors include:

  • Something you know (e.g., a password)
  • Something you have (e.g., a token)
  • Something you are (e.g., a fingerprint)

MFA can be implemented to prevent threats from being effective. Potentially mitigated threats include keyloggers, malware, phishing, or other forms of social engineering.

MFA is one of many technical controls which can be implemented, then documented in an information security risk assessment. Other common technical controls include things like encryption or access controls.

It is neither common nor suggested that risk assessments be conducted over technical controls. With this in mind, instead of asking if you are required to perform a MFA risk assessment, a better question to ask would be, "How can I build MFA into my existing risk assessments?"

How can you build MFA into your existing risk assessments?

Since MFA is a control recommended by guidance and regulation, you should both implement and document use of this control. Furthermore, you should have confidence in its ability to reduce the risk of threats included in your existing risk assessments.

Your information security policies should define which high-risk users (e.g., administrators, customers, etc.) and high-risk systems (e.g., electronic banking, remote access, cloud-based services, etc.) require MFA. Your procedures should detail the technical specifications regarding your MFA configuration.

Additionally, as a technical control, your auditors should be routinely checking to confirm MFA is working as expected. Their testing should include a review of systems using MFA which store, process, or transmit sensitive organization and customer data.

Does Tandem have anything which can help with building MFA into my information security program?

Yes. The Tandem Risk Assessment, Internet Banking Security, and Policies products include template content, designed with multifactor authentication (and other important technical controls) in mind. Additionally, the Tandem Audit Management software allows users to document the methods used to verify controls are effective and connect the results of testing to Tandem Risk Assessment. With integrations among the products, managing the MFA elements of your information security program has never been easier. Learn more about Tandem at Tandem.App.

Update Log:

  • 08/29/2022 - Changes were made related to the FFIEC's updated authentication guidance.