In 2017, New York Department of Financial Services (NYDFS) passed cybersecurity regulation 23 NYCRR 500, requiring all financial services companies to implement multi-factor authentication (MFA). Since its creation, the Cybersecurity Framework has continued to offer updates and guidance on best security practices.

In 2021, the NYDFS cybersecurity department explicitly called out MFA weaknesses as one of the most common gaps exploited at financial services companies. During the NYDFS cybersecurity investigation from January 2020 to July 2021, they found that more than 18.3 million consumers were impacted by cyber incidents from inadequate use of MFA. These failures arise from a variety of sources including the absence of or problem with the current use of MFA.

Common problems with MFA according to NYFDS cybersecurity research findings

In order to close the exploited gaps, organizations need to evaluate their current MFA solution and ensure that it’s actually protecting from vulnerabilities, and not just checking a box for compliance purposes.

According to the NYDFS cybersecurity regulations, there are common MFA violations that have occurred across financial service organizations.

  • Legacy Systems: Legacy technology, or technology that is outdated and does not require MFA, can provide an open door to an attacker. When a company migrates to a modern system, all unneeded legacy systems must be decommissioned, or, if still in use, protected with an MFA solution.
  • Remote Access Application Coverage: Many companies rely on a virtual private network (VPN) to access sensitive company information. However, it is common to allow exceptions to VPN use to access email or other applications. MFA must be enabled for remote access of all applications, even if employees don’t have to go through a VPN to get there.
  • No MFA for Third Parties: Third parties, just like employees, should follow the same security protocols, especially if they have access to sensitive information. Any individual, regardless of employment status, is a potential target if they lack secure access controls.
  • Slow & Ineffective MFA Deployment: Once a company has an MFA solution, then that solution needs to be rolled out across the organization. If a user is never required to set up MFA, those individuals can be a source of vulnerability.
  • Poor Exceptions Management: Exceptions to MFA can open up doors to hackers, especially if c-suite executives, with access to highly sensitive information, are not required to follow the same security protocols. Exceptions should be rare, and if allowed, be tracked and managed.

The solution? Duo

To summarize, if an organization is not purposeful about their use of MFA, they can leave open a lot of back doors Duo Security and vulnerabilities for an attacker to exploit. One of the main reasons that MFA is not used to the best of its ability is because it can be time consuming and burdensome to the security and IT teams that manage it and the users that have friction added to their workflow.

With Duo, security is made easy so organizations do not fall into the same common pitfalls highlighted in the updated MFA guidance published alongside the NYDFS cybersecurity regulations. Here’s how Duo can help:

  • Ease of Use: Duo’s MFA solution allows users to select from multiple authentication methods, including Duo push. With one tap, users are able to quickly and easily login to their account. Similarly, the Duo admin panel makes it easy for IT and security administrators to manage their users and ensure the correct access policies are in place.
  • Quick Deployment: Customers have deployed Duo in a range of manners, from a phased deployment to rolling out Duo over a weekend. Duo’s self-service options enable users to quickly secure their accounts and can reduce the number of help desk tickets enabling IT to spend more time on higher-priority tasks.
  • Broad Coverage: Duo’s vast integrations enables the solution to work with a wide-range of applications and systems, including legacy and on-prem technology. Duo works with companies in a wide range of industries that use various tools and was built to work for all customers, regardless of the level of complexity.
  • Third Party Coverage: Regardless of employment status, all workers from full-time employees to contractors who need IT system access can use Duo to ensure secure login. Duo’s coverage enables visibility across the workforce to make sure all sensitive information is protected.


Jennifer Golden

Product Marketing Manager

Security / Product Marketing