NYDFS MFA Requirements and How to Enforce Them Across Legacy Apps

NYDFS MFA requirements are no longer limited to VPNs, email, or remote access. As of November 1, 2025, 23 NYCRR Part 500.12 requires covered entities to use multi-factor authentication for any individual accessing their information systems, unless a limited exemption or approved compensating control applies.
For many teams, the challenge is not enabling MFA in Okta, Microsoft Entra ID, Ping, Duo, or another identity provider. The harder problem is enforcing MFA everywhere users actually log in: external-facing portals, internal apps, vendor access, admin tools, and direct login pages that may still accept only a password.
Datawiza helps by enforcing MFA at the access layer, before users reach applications that cannot support modern authentication on their own.
What NYDFS MFA Requires
Under Section 500.12, covered entities must use MFA for individuals accessing information systems. Organizations with a limited exemption under Section 500.19(a) still need MFA for remote access, third-party applications where nonpublic information is accessible, and privileged accounts other than non-interactive service accounts.
If a covered entity has a CISO, the CISO may approve reasonably equivalent or more secure compensating controls in writing, with periodic review at least annually.
The MFA Gap: Apps That Are Hard to Change
SSO can support NYDFS MFA compliance, but not every application can be moved to SSO quickly.
External-Facing Apps
Customer, broker, partner, and vendor portals often support revenue-generating workflows. They can be difficult to revise, upgrade, or replace, and many were not built for enterprise SSO. Adding MFA directly to these apps can be risky, disruptive, and time-consuming.
Internal Apps
Many internal apps are already connected to enterprise SSO and MFA. But older admin consoles, custom apps, and vendor-managed tools may not support SAML or OIDC. Some still rely on local accounts or expose a direct login page even after SSO is added.
If users can reach an application without completing MFA, the access path needs attention.
How Datawiza Helps Enforce NYDFS MFA
Datawiza Access Proxy sits in front of web applications and enforces authentication before traffic reaches the protected app. Teams can add MFA to external-facing and internal applications without changing application code.

Datawiza Access Proxy enforces strong multi-factor authentication (MFA) in front of any web app—using either Datawiza MFA or your existing IdP—without rewriting the application.
For external-facing apps, such as customer, broker, partner, and vendor portals, Datawiza can use its built-in MFA service while preserving the application’s existing username and password login experience.
For internal apps, Datawiza integrates with the identity provider the organization already uses, such as Microsoft Entra ID, Okta, Ping, Duo, Google, and others.
With Datawiza, organizations can:
- Enforce MFA on legacy apps that do not support modern identity protocols
- Support both external-facing apps and internal apps
- Preserve existing portal login flows while adding MFA
- Use the customer’s existing identity provider for workforce access
- Reduce direct-login bypass risk
- Capture authentication logs for audit and compliance review
Instead of waiting for every application to be rewritten, teams can put consistent MFA enforcement in front of the apps they already run.
NYDFS MFA Checklist
Use this checklist to find the gaps that matter most:
- Inventory all authenticated applications.
- Identify apps that still accept password-only login.
- Check whether SSO-protected apps still expose local login pages.
- Review portals and third-party apps with access to nonpublic information.
- Confirm MFA for privileged accounts, except non-interactive service accounts.
- Document compensating controls, CISO approvals, and MFA enforcement logs.
Close NYDFS MFA Gaps Without Rewriting Apps
NYDFS MFA compliance is not just an identity provider setting. It is about proving that MFA is enforced across real access paths. If legacy applications, portals, admin tools, or direct login pages are slowing down your MFA project, Datawiza can help.
Book a demo to see how Datawiza enforces MFA across legacy and custom applications without code changes.



