For years, regulators have been examining ways to push companies to use phishing-resistant multi-factor authentication (MFA). The Consumer Financial Protection Board (CFPB) is taking a new – and more aggressive – approach to drive that change: encouraging consumers to report firms that do not offer MFA and suggesting that those firms may be liable for any losses tied to credential compromise.

According to the CFPB Circular 2022-04, financial institutions that do not enable MFA and take other measures to protect consumer data may trigger liability under the Consumer Financial Protection Act’s (CFPA) prohibition of unfair practices. The “reasonable cost-efficient measures” that the CFPB identified include:

  • Multi-factor Authentication
  • Password Management
  • Timely Software Updates

The Circular goes beyond typical MFA too, calling for solutions that are phishing resistant and use the Web Authentication (WebAuthn/FIDO2) standard. Previously, the CFPB and other financial regulators have not been as prescriptive in their guidance, instead asking financial institutions to take a risk-based approach to authentication. But here, CFPB is pointing to specific MFA standards and stating strongly that firms should be moving away from “legacy MFA” – such as SMS and email one-time passcodes.

This shift signals that financial institutions that do not require MFA for their employees or offer multi-factor authentication as an option for consumers may face consequences. In September the CFPB tweeted that consumers could file a complaint against financial institutions that do not offer them the option to enroll in MFA.

The Circular comes as many “legacy” forms of MFA have come under attack, and amid the realization that not all MFA is created equal. These modalities – tools that require a one-time passcode (OTP) or a response to a push notification sent to an authentication app – are not as secure as they used to be. Hackers have caught up – and can phish OTP codes or trick someone into pushing “approve” when they get a prompt on their mobile device to verify a login.

With push-based apps, “MFA Fatigue” is an attack where an adversary has a stolen password and continues to “bomb” a target’s app with login prompts – often accompanied by emails, texts, or phone calls pretending to be the company verifying the login. These attacks are becoming more prevalent, and phishing-resistant MFA can prevent them.

WebAuthn – or FIDO Authentication – is a newer authentication standard that guards against these credential phishing attacks. The specification is garnering a lot of attention, with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency calling it the “gold standard” of MFA. Support for FIDO/Web Authentication is built in “out of the box” in major browsers and tech operating systems – meaning the barrier to implementing it both in the enterprise and for consumers is lower than for other forms of MFA. Ultimately, financial institutions can mitigate this risk by implementing FIDO WebAuthn authentication internally and for consumers.

The Circular also discusses password management – the weakest link in digital identity. Because passwords are the weakest link, financial institutions need to put controls in place so that passwords are changed when they are breached or where they are being reused, and so that notifications are sent when passwords have been changed.

The CFPB points to the National Institute of Standards and Technology’s Digital Identity Guidelines: Authentication and Lifecycle Management (Special Publication 800-63B). The CFPB Circular does not provide an exhaustive list of what qualifies as adequate password management policies, but directs groups looking to enforce a wider set of password requirements to those laid out in NIST SP 800-63B, specifically:

  • Using secure cryptographic practices (encryption, salting, and hashing) to protect user passwords in transit and at rest.
  • Implementing rate-limiting and server/network cybersecurity.
  • Using proven composition and complexity rules; passphrases are better than passwords so no minimum characters.
  • Avoiding arbitrary password requirements and password expiration timelines – no minimum or maximum lengths, mandatory character usage, etc.

Lastly, the Circular also calls for financial institutions to make timely software updates. If systems are not updated regularly, particularly when vulnerabilities have been identified, the institution could be held liable.

The CFPB Circular implies a minimum level of due diligence to mitigate the potential for being found liable in the case of a breach, including:

  • Routinely check for updates for the software and assets that you and your contractors use. This includes applications, operating systems, web browsers, and IoT firmware.
  • Maintain a reliable inventory of the software assets in use at your enterprise, along with their versions.
  • Routinely cross-check your asset inventory against lists of known vulnerabilities, such as the National Vulnerability Database.
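
The last two steps can be automated. The sketch below is an added illustration, not code from the Circular or the CFPB: it compares each inventoried version against known-vulnerable ranges and separately reports assets whose version was never recorded. All asset names, products and advisory IDs are constructed placeholders; a real run would load the ranges from a feed such as the National Vulnerability Database.

```python
# Added illustration: cross-check a software inventory against known-vulnerable
# version ranges. Every asset, product and advisory ID below is a constructed
# sample, not real data.
import re

INVENTORY = [  # (owner, asset, product, installed version) - constructed
    ("internal", "teller-ws-014", "examplebrowser", "118.0.2"),
    ("internal", "core-db-01", "exampledb", "12.4"),
    ("contractor", "stmt-printer-3", "printer-firmware", "2.0.9-rc1"),
    ("contractor", "hvac-gw", "iot-gateway", ""),  # version never recorded
]

ADVISORIES = [  # (placeholder id, product, first affected, first fixed)
    ("ADVISORY-PLACEHOLDER-1", "examplebrowser", "100.0", "118.0.10"),
    ("ADVISORY-PLACEHOLDER-2", "exampledb", "12.0", "12.4"),
    ("ADVISORY-PLACEHOLDER-3", "printer-firmware", "1.5", "2.1"),
]

def parse_version(text, width=4):
    # Zero-padded tuple of ints, so 118.0.2 sorts below 118.0.10 and 12.4
    # equals 12.4.0. Suffixes like '-rc1' are ignored; no digits gives None.
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        return None
    parts = [int(p) for p in match.group().split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))

def cross_check(inventory, advisories):
    """Return (findings, unknown): vulnerable assets and unassessable ones."""
    findings, unknown = [], []
    for owner, asset, product, version in inventory:
        installed = parse_version(version)
        if installed is None:
            unknown.append((owner, asset, product))  # inventory gap, not a pass
            continue
        for adv_id, adv_product, first_affected, first_fixed in advisories:
            low, high = parse_version(first_affected), parse_version(first_fixed)
            if adv_product == product and low <= installed < high:
                findings.append((owner, asset, adv_id, first_fixed))
    return findings, unknown

if __name__ == "__main__":
    found, gaps = cross_check(INVENTORY, ADVISORIES)
    for owner, asset, adv_id, fixed in found:
        print(f"{owner}: {asset} affected by {adv_id}; update to {fixed} or later")
    for owner, asset, product in gaps:
        print(f"{owner}: {asset} ({product}) has no recorded version")
```

Reporting missing versions separately matters because an asset with no recorded version cannot be matched against any advisory and would otherwise look clean.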

The CFPB’s change from offering guidelines to the more prescriptive recommendations that financial institutions should follow or face the consequences bears watching. Financial institutions will want to make sure consumer data is protected and follow the steps as described in the Circular.

Jeremy Grant
