Are You Ready for the FTC MFA Requirements?
5 Min. Read | April 27, 2023
What Are the FTC MFA Requirements?
In October 2021, the FTC announced that it was updating the Safeguards Rule. The Safeguards Rule took effect in 2003 as part of the Gramm-Leach-Bliley Act (GLBA) and aims to protect U.S.-based consumers from data breaches, cyberattacks and their resultant effects, such as fraud and identity theft.
The update was deemed necessary because the security and threat landscape has changed dramatically since the start of the century. One of the most significant changes is an expanded definition of a covered financial institution: entities such as auto dealers are included if they handle consumers' financial data. The updated rule also introduces critical new technology requirements; specifically, it mandates multi-factor authentication (MFA) for all covered companies, regardless of their size.
Safeguards Rule Overview
The updated version of the rule introduces several requirements for covered firms, built around developing, implementing and maintaining a written information security program. The program must contain administrative, technical and physical safeguards that ensure the security and confidentiality of customer information.
There are nine specific elements in the updated rule that respond to the new threats facing companies and customer information, including:
- Implementing multi-factor authentication (MFA) for all users who have access to customer information
- Conducting risk assessment and data inventories
- Training staff about threats, responses and security best practices
- Choosing appropriately skilled service providers
- Designating a Qualified Individual, from your own staff or from a service provider, to implement and supervise your company's information security program
- Regularly monitoring and testing the effectiveness of these safeguards, such as through performing (at least) annual penetration testing
When Do the FTC MFA Requirements Take Effect?
The FTC recognizes MFA as a critical security practice because it prevents a single compromised password from opening up a whole system. Although the updated Safeguards Rule was due to come into force in December 2022, parts of the regulation were delayed by six months after the FTC acknowledged that personnel and supply chain issues made it difficult for some firms to achieve compliance. Companies subject to the Safeguards Rule have until June 9, 2023 to comply with the MFA provision.
Who Does the Safeguards Rule Apply To?
The customer information protection requirements in the updated Safeguards Rule apply to non-banking financial institutions. However, the FTC warns that "financial institution" covers a far broader range of companies in the rule's usage than in the common understanding of the term. These include:
- auto dealers (specifically any that extend credit or lease vehicles)
- mortgage brokers and lenders
- payday lenders
- collection agencies
- any retailer that extends credit for their products
- personal or real estate property appraisers
- check cashers
- tax preparation firms
- financial advisors
- any company that brings together buyers and sellers as a “finder”
The updated FTC MFA requirements and consumer information protection regulations thus affect a wide range of firms, making data protection and information security a major factor in their risk assessments. A data breach or poor security practices can result in reputational damage, and can expose companies to litigation and fines of up to $46,000 per day for each violation.
The FTC MFA Requirements: The Details
As mentioned above, the FTC has stated that MFA is critical for system security and the protection of consumer information. Implementing MFA in line with the updated Safeguards Rule requires at least two authentication factors drawn from different categories:
- Knowledge factors (i.e., something you know), such as a password or the answer to a secret question
- Possession factors (i.e., something you have), such as a device or hardware security key
- Inherence factors (i.e., something you are), such as a fingerprint, face or retina scan
The FTC has gone further in its guidance on MFA adoption, calling on companies to use phishing-resistant MFA for their employees. It specifically rules out multi-factor solutions based on SMS, push notifications or one-time passwords (OTPs), explaining that "if a user can be tricked into typing in their username and password, they can be tricked into typing a code from their phone."
The FTC also recommends that companies refrain from offering forms of MFA that rely on a telephone number receiving messages or calls. As stated explicitly in its case against Chegg, an educational services company that exposed millions of customer records in four separate breaches, the MFA offered to all employees, contractors and affiliates "should not include telephone or SMS-based authentication methods and must be resistant to phishing attacks."
The FTC MFA requirements also treat legacy authentication such as security questions as inherently weak: the answers are frequently public or easily researched, and collecting them simply hands an attacker more data to steal. Companies deploying MFA are therefore also advised not to reuse data collected for authentication for any other purpose. This both improves security and reassures consumers that MFA is not just another data collection exercise.
Complying With the FTC MFA Requirements
The updated FTC Safeguards Rule aims to deliver better security and confidentiality for customer information and to protect against threats and unauthorized access. Implementing MFA for anyone who can access customer information is a critical part of this, and, as advised by the FTC, this MFA should be phishing-resistant. This means that any factor or method that can be "phished" or circumvented through social engineering, such as passwords, OTPs or push notifications, should be phased out.
Hardware security keys, and biometric authenticators built on secure protocols and public key cryptography, deliver the strongest security and allow companies to meet the FTC MFA requirements. In particular, FIDO-based authentication is named as the gold standard for phishing-resistant MFA by the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies. What makes these methods phishing-resistant is that the authenticator signs a challenge together with the web origin the browser actually saw, so a signature collected on a look-alike site is useless to the attacker, whereas a one-time code carries no information about where it was typed.
Quickly Meet Compliance Deadlines
HYPR helps customers across industries comply with regulations and keep their security strategy in line with all relevant requirements. HYPR True Passwordless™ MFA is FIDO Certified at every level. Our authenticator uses the device's biometric to unlock a private key that signs the server's challenge; the biometric template never leaves the device, and the server holds only the public key, so there is no shared secret for an attacker to phish or steal.