
NYDFS MFA Compliance

Alexander Sverdlov

Security Analyst

4/15/2025

New York's Department of Financial Services (NYDFS) has made Multi-Factor Authentication (MFA) mandatory under its cybersecurity regulation, 23 NYCRR Part 500. Non-compliance can cost companies millions, not just in fines but in reputational damage.

If you're running a SaaS or fintech business operating in New York or serving clients who are, you can't afford to ignore this.

Let's break down what you need to know - and what to do next.

What Does the NYDFS Say About MFA?

Under Section 500.12 of the NYDFS Cybersecurity Regulation:

"Each Covered Entity shall use effective controls, which may include Multi-Factor Authentication (MFA)...to protect against unauthorized access to Nonpublic Information or Information Systems."

The 2023 amendments tightened the requirement.

Now, MFA is mandatory in three specific scenarios:

  1. Remote access to internal networks.

  2. Privileged access (e.g., admins, developers).

  3. Third-party access to internal systems.

There are no more carve-outs or flexible interpretations. MFA is now a core control - not a suggestion.

Who Must Comply?

You're a "Covered Entity" if you're regulated by NYDFS. This includes:

  • State-chartered banks

  • Licensed lenders

  • Mortgage companies

  • Insurers

  • Money transmitters

  • Virtual currency businesses

  • Fintechs with BitLicenses

If you're a SaaS provider serving these entities, you must comply indirectly - your clients are liable if you introduce risk. Many will require proof of your MFA implementation in vendor due diligence.

NYDFS MFA Enforcement Is Serious

NYDFS has aggressively enforced MFA violations in the past few years.

Examples of penalties:

Company | Violation | Penalty
First American Title (2023) | Failed to secure NPI with MFA | $1.0 million
Robinhood Crypto (2022) | Inadequate MFA & incident response | $30 million
EyeMed Vision Care (2021) | MFA gaps led to PHI breach | $4.5 million

The most common issue? MFA not being enforced for email, cloud apps, and remote admin access.

NYDFS isn't waiting for a breach. If an audit finds gaps, you're at risk - even without an incident.

Most Common MFA Gaps Found During NYDFS Audits

If you're unsure whether you're compliant, start by checking these common failure points:

  • MFA not enforced for cloud admin accounts (e.g., AWS, Azure)

  • No MFA for remote VPN access

  • MFA not required for critical SaaS apps (e.g., Salesforce, GitHub, Office 365)

  • Shared accounts without device-bound MFA

  • Service accounts with no MFA policies

  • No process to review or revoke access

  • Third-party vendors logging into your environment without MFA
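The first two gaps on that list (cloud admin accounts and accounts with no MFA at all) can be checked from data you already have. As an added example (not code from the original post), the Python below reads an AWS IAM credential report and lists every identity that can sign in to the console without MFA, plus the access-key-only identities that are effectively service accounts. The CSV here is a constructed sample trimmed to the real report's column names; the real report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report` (which returns base64-encoded CSV).

```python
import csv
import io
from typing import List

# Constructed sample in the column layout of the AWS IAM credential report,
# trimmed to the columns this check reads. Account id and user names are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,not_supported,2025-03-01T12:00:00+00:00,false,false
alice.admin,arn:aws:iam::111122223333:user/alice.admin,2021-05-02T09:30:00+00:00,true,2025-04-10T15:22:00+00:00,true,true
bob.dev,arn:aws:iam::111122223333:user/bob.dev,2022-11-15T10:00:00+00:00,true,2025-04-11T08:05:00+00:00,false,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-02-01T00:00:00+00:00,false,no_information,false,true
"""


def console_users_without_mfa(report_csv: str) -> List[str]:
    """Identities that can sign in to the AWS console without MFA.

    A user is in scope when a console password is enabled. The root account is
    always in scope: its 'password_enabled' column reads 'not_supported', but
    root can always sign in with its password.
    """
    gaps = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_enabled = is_root or row["password_enabled"] == "true"
        if console_enabled and row["mfa_active"] != "true":
            gaps.append(row["user"])
    return gaps


def access_key_only_users(report_csv: str) -> List[str]:
    """Identities with no console password but an active access key.

    These are service accounts: MFA cannot be enforced on them, so the control
    that auditors look for is key rotation, monitoring and tight scoping.
    """
    return [
        row["user"]
        for row in csv.DictReader(io.StringIO(report_csv))
        if row["password_enabled"] == "false" and row["access_key_1_active"] == "true"
    ]


if __name__ == "__main__":
    print("Console sign-in without MFA:", console_users_without_mfa(SAMPLE_REPORT))
    print("Access-key-only (service) accounts:", access_key_only_users(SAMPLE_REPORT))
```

Run it against the decoded credential report of each account and keep the output with your audit evidence; an empty first list is exactly the proof an examiner asks for.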

The Right Way to Implement MFA (For SaaS and Fintech)

Here's a simplified, practical MFA strategy that meets NYDFS expectations:

1. Identity Providers (IdPs)

Centralize identity and MFA through SSO/MFA-enabled IdPs:

  • Okta

  • Azure AD

  • Google Workspace (Enterprise tier)

Use policies to enforce MFA at login across all services.

2. MFA Methods That Work

Use phishing-resistant methods wherever possible:

  • FIDO2 keys (e.g., YubiKey)

  • Platform authenticators (TouchID, Windows Hello)

  • Authenticator apps (e.g., Duo, Microsoft Authenticator)

Avoid:

  • SMS (allowed but discouraged)

  • Email-based codes

3. Coverage Scope

Apply MFA to:

  • Email platforms

  • Admin consoles (cloud infra, SaaS apps)

  • Remote access (VPNs, RDP, SSH)

  • Code repositories

  • CI/CD pipelines

  • Endpoint management systems

  • Backup and recovery platforms

4. Automation and Enforcement

  • Use conditional access policies (e.g., device posture, location)

  • Block legacy protocols that bypass MFA (e.g., IMAP, POP)

  • Review audit logs for MFA bypass attempts

  • Periodically test effectiveness with simulated phishing

MFA Compliance Roadmap for SaaS and Fintech

Whether you're starting from scratch or tightening existing controls, follow this phased approach to stay compliant:

Phase 1: Assessment

  • Identify systems handling Nonpublic Information (NPI)

  • Map user access levels (admin, developer, support, third-party)

  • List all external access points (VPNs, SaaS apps, APIs)

  • Check current MFA enforcement status across systems

Example:
If your devs have SSH access to production via VPN, but the VPN lacks MFA, you're non-compliant.

Phase 2: MFA Enforcement

  • Roll out centralized SSO with enforced MFA (Okta, Azure AD, Google Workspace)

  • Use conditional access to block unmanaged or risky devices

  • Disable legacy protocols (no MFA support)

  • Apply MFA at:

    • Login

    • Privileged actions (IAM changes, API token generation)

    • Third-party integrations

Example:
In AWS, use IAM roles with session policies requiring MFA to generate keys or assume sensitive roles.
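One concrete way to express that rule is in the role's trust policy rather than in a session policy. As an added example (not code from the original post), the Python below builds a trust policy that only allows the role to be assumed by a principal who authenticated with MFA within the last hour, and then lints a set of trust policies for Allow statements that grant sts:AssumeRole without that condition. The condition keys aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge are real AWS global condition keys; the account id and statement names are made up.

```python
import json
from typing import List


def mfa_trust_policy(account_id: str, max_session_age_seconds: int = 3600) -> dict:
    """Trust policy allowing principals in `account_id` to assume the role only
    when their session was established with MFA and is younger than the limit."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeOnlyWithRecentMfa",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    # Both keys are AWS global condition keys.
                    "Bool": {"aws:MultiFactorAuthPresent": "true"},
                    "NumericLessThan": {"aws:MultiFactorAuthAge": str(max_session_age_seconds)},
                },
            }
        ],
    }


# Constructed "before" policy: the same grant with no MFA requirement.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAdminsNoMfa",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def assume_statements_without_mfa(policy: dict) -> List[str]:
    """Return the Sid (or position) of every Allow statement that grants
    sts:AssumeRole without a Bool aws:MultiFactorAuthPresent == true condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        cond = stmt.get("Condition", {})
        present = str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower()
        if present != "true":
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


if __name__ == "__main__":
    print(json.dumps(mfa_trust_policy("111122223333"), indent=2))
    print("Weak statements:", assume_statements_without_mfa(WEAK_TRUST_POLICY))
```

Point the linter at the output of `aws iam get-role` for each privileged role; any Sid it reports is a Phase 2 finding to fix or to record as a documented exception.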

Phase 3: Vendor & Partner Controls

  • Require MFA from:

    • IT support vendors

    • Payment processors

    • Cloud service providers

  • Ask for proof (e.g., SOC 2 report, security policy)

  • Include MFA as a contractual requirement in data processing agreements

Documentation Tips to Prove MFA Compliance

NYDFS audits and examinations often ask for proof, not promises.

Here's how to prepare:

Maintain These Documents:

  • MFA Policy (who, what, where, how, and when MFA is enforced)

  • Access Control Policy (covers MFA as part of broader access standards)

  • MFA Exception Logs (temporary exemptions, with risk acceptances)

  • Change Logs for MFA rollouts or changes in enforcement

  • Screenshots of policy settings in Okta, Azure AD, or Google Workspace

  • Test Evidence of MFA effectiveness (e.g., simulated phishing MFA prompt success rates)

Conduct an Annual Review

  • Review MFA coverage quarterly

  • Test enforcement via penetration testing or red team exercises

  • Document remediation steps taken

NYDFS wants to see continuous improvement, not just one-time setup.

SaaS App-Specific MFA Controls

If you're building or offering a SaaS platform, you must also offer MFA to your customers - not just use it internally.

Best Practices:

  • Support:

    • TOTP (e.g., Google Authenticator)

    • Push notifications

    • Hardware tokens (YubiKey, FIDO2)

  • Force MFA for:

    • Admins

    • Financial roles (billing, payouts)

  • Provide audit logs showing MFA enrollment and usage

  • Allow MFA reset policies with step-up authentication (e.g., video verification)

  • Monitor for MFA fatigue attacks (excessive push requests)

NYDFS may examine your platform's user MFA offerings if your SaaS handles regulated data (e.g., mortgage, insurance, financial).

Integrating MFA into CI/CD and Developer Workflows

Developers often bypass traditional MFA controls. NYDFS expects privileged users - especially those pushing code or configuring infrastructure - to use strong authentication.

Controls to Implement:

  • Enforce MFA on:

    • GitHub / GitLab / Bitbucket

    • Jenkins / CircleCI / GitHub Actions

    • Artifact repositories (e.g., Nexus, JFrog)

  • Require MFA to access:

    • Cloud consoles (AWS, Azure, GCP)

    • Secrets managers (e.g., HashiCorp Vault, AWS Secrets Manager)

  • Block push access from devices that fail device compliance checks

  • Use session tokens bound to MFA authentication for API access

Internal Audit Checklist

Use this checklist to self-audit your MFA compliance under NYDFS:

Area | Check | Status
Email Systems | MFA enforced for all users | ✅ / ❌
Cloud Admin Access | Root/admin accounts MFA enabled | ✅ / ❌
Remote Access | VPN/RDP access requires MFA | ✅ / ❌
Code Repos | MFA enforced on GitHub/GitLab | ✅ / ❌
SaaS Platforms | MFA enforced on customer portals | ✅ / ❌
Identity Provider | Okta/Azure/Google MFA settings enforced | ✅ / ❌
Third Parties | Vendors access internal systems via MFA | ✅ / ❌
Exceptions | Documented and approved by CISO | ✅ / ❌
Logging | MFA failures logged and reviewed | ✅ / ❌

Tools to Help You Enforce and Monitor MFA

SaaS and fintech companies often juggle dozens of platforms. You need tools that make MFA management efficient and audit-ready.

Identity and Access Management (IAM)

  • Okta – Widely used for enforcing MFA across apps

  • Azure Active Directory (Entra ID) – Strong native integration for Microsoft stacks

  • Google Workspace Enterprise – Works for startups, limited control for larger orgs

Endpoint and VPN MFA

  • Cisco Duo – Works well with VPNs, firewalls, Linux servers, and Windows logins

  • JumpCloud – Lightweight IAM + MFA for SMBs and startups

  • StrongDM – Useful for secure access to databases, servers, and Kubernetes

Privileged Access Management

  • CyberArk – For mature orgs needing detailed session monitoring

  • Teleport – Dev-friendly SSH/RDP/K8s access with session MFA

Logging & Alerting

  • Splunk / Sumo Logic / Datadog – SIEMs that collect MFA events

  • CloudTrail (AWS) – Records whether MFA was used on console sign-ins and role assumptions, which is the evidence that enforcement actually holds

  • Okta System Logs – Provides raw MFA enrollment, success, and bypass attempts

You don't need to buy everything. Just make sure the MFA events are:

  • Logged

  • Reviewed

  • Correlated with user behavior
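"Reviewed" and "correlated" are the parts that need code, and they tie back to two checks mentioned earlier: console access without MFA and MFA fatigue (excessive push requests). As an added example (not code from the original post), the Python below runs both detections over constructed sample events. The first set uses the real CloudTrail field names for ConsoleLogin records (additionalEventData.MFAUsed, responseElements.ConsoleLogin); the second set uses a simplified, constructed push-MFA schema standing in for whatever your IdP (Okta, Duo) exports. Users, times and thresholds are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed CloudTrail-style ConsoleLogin records (field names follow
# CloudTrail; user names and times are made up for this example).
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2025-04-14T09:01:12Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice.admin"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-04-14T09:05:40Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob.dev"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-04-14T09:06:02Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]

# Constructed, simplified push-MFA events: one line per push prompt outcome.
PUSH_EVENTS = [
    {"time": "2025-04-14T02:10:00Z", "user": "carol.fin", "result": "denied"},
    {"time": "2025-04-14T02:10:40Z", "user": "carol.fin", "result": "denied"},
    {"time": "2025-04-14T02:11:15Z", "user": "carol.fin", "result": "denied"},
    {"time": "2025-04-14T02:12:05Z", "user": "carol.fin", "result": "approved"},
    {"time": "2025-04-14T08:00:00Z", "user": "alice.admin", "result": "approved"},
    {"time": "2025-04-14T08:30:00Z", "user": "dave.ops", "result": "denied"},
    {"time": "2025-04-14T10:30:00Z", "user": "dave.ops", "result": "denied"},
    {"time": "2025-04-14T12:30:00Z", "user": "dave.ops", "result": "denied"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def console_logins_without_mfa(events: List[dict]) -> List[Tuple[str, str]]:
    """Successful console sign-ins where CloudTrail recorded MFAUsed == 'No'.
    Failed attempts are skipped; they are noise for this particular control."""
    hits = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if e.get("additionalEventData", {}).get("MFAUsed") == "No":
            ident = e.get("userIdentity", {})
            hits.append((e["eventTime"], ident.get("userName", ident.get("type", "unknown"))))
    return hits


def push_fatigue_alerts(events: List[dict], window: timedelta = timedelta(minutes=10),
                        threshold: int = 3) -> Dict[str, str]:
    """Per user, flag `threshold` or more push denials inside `window`; escalate
    the wording when an approval follows such a burst, since that is the pattern
    of a user finally tapping 'approve' to make the prompts stop."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((parse_ts(e["time"]), e["result"]))
    alerts: Dict[str, str] = {}
    for user, seq in by_user.items():
        recent_denials: List[datetime] = []
        for ts, result in sorted(seq):
            recent_denials = [d for d in recent_denials if ts - d <= window]
            if result == "denied":
                recent_denials.append(ts)
                if len(recent_denials) >= threshold:
                    alerts[user] = f"{len(recent_denials)} push denials within {int(window.total_seconds() // 60)} min"
            elif result == "approved" and len(recent_denials) >= threshold:
                alerts[user] = f"approval after {len(recent_denials)} push denials (likely fatigue success)"
    return alerts


if __name__ == "__main__":
    print("Console logins without MFA:", console_logins_without_mfa(CLOUDTRAIL_EVENTS))
    print("Push fatigue alerts:", push_fatigue_alerts(PUSH_EVENTS))
```

Note that dave.ops, with three denials spread over four hours, produces no alert: the sliding window is what separates a user fumbling a prompt from a burst aimed at wearing them down. Tune the window and threshold to your IdP's prompt timeout, and route the "approval after denials" case to an on-call queue rather than a daily report.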

How to Prepare for a NYDFS Audit

If you're selected for an audit or an exam, NYDFS will ask for:

  • Your Cybersecurity Policies and Procedures

  • Risk Assessments

  • MFA-specific evidence

  • Access control audit reports

  • List of vendors and how MFA is enforced for each

Expect follow-ups on:

  • How you revoke access for terminated employees

  • How you handle break-glass accounts

  • Whether you've tested MFA bypass scenarios

Prepare These Answers in Advance:

"Who reviews MFA enforcement and how often?"

"How do you know your privileged users have enrolled MFA?"

"When was your last MFA exemption and why?"

Be ready to show that your CISO (or vCISO) is actively monitoring compliance - not just relying on IT or MSPs.

FAQs About NYDFS MFA Compliance

Q: Does NYDFS accept SMS-based MFA?
Yes, but it's discouraged. Use app-based TOTP or hardware tokens instead.

Q: Do I need MFA for service accounts?
No. But service accounts should be rotated, monitored, and restricted with IP/device whitelisting.

Q: What if I only offer read-only access?
MFA is still required if NPI is visible or accessible, even passively.

Q: Do I need MFA if my company is small?
If you're regulated by NYDFS, yes. Company size doesn't exempt you from technical controls.

Q: What if my vendor doesn't support MFA?
Then they're a risk. Replace them or isolate access until mitigated.

Real-World Lessons from NYDFS MFA Fines

Case: EyeMed Vision (2021)

  • One email account was breached.

  • No enforced MFA.

  • Breach impacted over 2 million people.

  • NYDFS fined them $4.5 million.

Lesson: A single inbox without MFA can become a liability for the whole company.

Case: Robinhood Crypto (2022)

  • Weak MFA processes + poor logging.

  • Failed to detect attacks.

  • Fined $30 million and forced to overhaul its cybersecurity program.

Lesson: Compliance isn't just about having MFA - it's about proving that it works and that you're watching it.

Why Most SaaS Companies Fail MFA Compliance

They check the box, but they don't:

  • Enforce across all apps and systems

  • Cover privileged and third-party access

  • Monitor for bypass or non-compliance

  • Document everything

  • Train employees not to approve push spam

MFA is not a setup-once control. It needs constant tuning.

What to Do Next

If you're unsure about your current status:

  1. Run an MFA enforcement audit across identity, infra, and vendors.

  2. Document your MFA policy and update it annually.

  3. Centralize enforcement via IdP (Okta, Azure, Google).

  4. Use phishing-resistant methods for admins and developers.

  5. Start logging and reviewing MFA attempts monthly.

  6. Update vendor contracts to require MFA.

Need help? Hire a Virtual CISO who knows NYDFS inside out.

Book a Cybersecurity Review with Experts Who Know NYDFS

At Atlant Security, we've helped fintechs, payment processors, and SaaS companies reach full NYDFS compliance - without buying unnecessary tools.

Our founder worked with Microsoft UAE and helped secure Emirates Nuclear Energy Corporation. We don't sell software. We deliver results.

Ready to tighten MFA before regulators knock?

Book your free security consultation now.

Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.