Have You Implemented Multifactor Authentication Yet?

Make sure you are protecting consumer information according to the requirements of the Safeguards Rule.

4/25/2023 1:30 P.M.

The FTC’s Safeguards Rule calls out multifactor authentication (MFA) as a mandatory requirement, regardless of company size.

Under the text of the Safeguards Rule, multi-factor authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics.

The rule tells businesses to “implement multi-factor authentication for anyone accessing customer information on your system.” The only exception would be if your Qualified Individual has approved—in writing—the use of another equivalent form of secure access controls.

So what does that mean for your business?

Financial institutions that are subject to the FTC’s Safeguards Rule must ensure that they have policies and procedures in place to require MFA for remote access to customer information systems.

MFA provides an additional layer of security by requiring users to use more than one form of identification. This can be something the user knows, such as a password or PIN, something the user has, such as a smart card or token, or something the user is, such as a fingerprint or facial recognition.

By requiring multiple factors for authentication, MFA makes it much harder for unauthorized users to gain access to sensitive information. Even if a user’s password is compromised, for example, an attacker would still need access to the user’s phone or other authentication device to gain access to the system.

In addition to the Safeguards Rule, other regulations require multifactor authentication as well. The Payment Card Industry Data Security Standard (PCI DSS) requires MFA for all non-console administrative access to systems handling cardholder data. Similarly, the National Institute of Standards and Technology (NIST) recommends the use of MFA in its Cybersecurity Framework.

MFA is a critical component of your security program. Implementing MFA can not only help you comply with regulations, but also protect sensitive information from unauthorized access and reduce the risk of data breaches.

If you need help with becoming defensible under the FTC’s Safeguards Rule, go to to get started.
