New York regulators falling short with Identity Proofing and Authentication

NIST’s Digital Guidelines are respected and referenced throughout the world so why does New York leave open the potential for ambiguous technology implementations which could be based on standards which are not parallel with efforts to support RON?”

Michael Magrath, Director of Identity Policy and Industry Relations, Easy Dynamics Corporation

New York State, the financial capital of the world, undoubtedly sits at or near the top of most cyber criminals’ “hit list”. But it has fallen short when it comes to recent regulatory acts pertaining to identity and authentication.  Two recent actions in different departments are alarming during this age of deep fakes and nation-state cyber attacks.

Identity Proofing for Remote Online Notarization (RON)

While RON has been available for a few years, the pandemic was the catalyst for wider spread adoption and use throughout the U.S.  New York is no exception and recently revised its RON regulation.  On January 25th the New York Department of State amended Title 19 of the New York Codes, Rules and Regulations (NYCRR), Chapter V, Subchapter E, Part 182 as it relates to RON. Section 182.7.a reads, “Identity proofing must meet, at minimum, the Identity Assurance Level 2 standard as outlined in the Digital Identity Guidelines of the National Institute of Standards and Technology (NIST), as referenced in subdivision (b) of this section, or any industry accepted standard that is at least as secure, or more secure, than that standard.”

Or any industry accepted standard at least as secure, or more secure, than that standard?”  Huh?!! “Secure” according to which certification body?  NIST’s Digital Guidelines are respected and referenced throughout the world so why does New York leave open the potential for ambiguous technology implementations which could be based on standards which are not parallel with efforts to support RON? In addition, unforeseen risk and exposure may occur due to lack of “uniformity” needed for both RON service providers and all relying parties.

Identity Assurance Level 2, commonly referred to as IAL2 is defined in NIST’s the Special Publication 800-63-3 suite of documents, specifically 800-63a, which is part of the SP 800-63-3 suite of documents last revised in 2017 and currently in the process of being updated.  Federal agencies must comply with NIST’s guidance and over the years many state, county and local governments as well as commercial entities have embraced 800-63-3.  Many have written 800-63-3 certification as a requirement for vendors into RFPs.

Regulations should be “black and white”, as far as is possible.  In the case of IAL2 for RON, black and white was possible, but NY regulators opted for gray leaving vendors, state agencies and commercial organizations with questions

No doubt, the regulation caught the attention of all RON vendors given New York’s population and position in the financial industry.  To date, states that have enacted laws permitting RON have for the most part written portions of MISMO’s RON standards into their laws, which have no requirement to comply with NIST’s IAL2. MISMO is short for the Mortgage Industry Standards Maintenance Organization, according to its Wikipedia entry, MISMO is “a not-for-profit, wholly owned subsidiary of the Mortgage Bankers Association responsible for developing standards for exchanging information and conducting business in the U.S. mortgage finance industry.”  With all due respect to the MBA, RON laws and regulations should not be developed by a trade organization’s subsidiary.

Most vendors meet IAL2 by combining the scan of a government issued identity document such as a driver’s license or a passport, a bank statement or utility bill, with a selfie that can be checked for liveness. This provides assurance that it is really a live person’s face and not a recording or a mask that simply looks like someone else that is compared using biometric algorithms.  The documents are also checked to be authentic and verified to provide confidence in the asserted identity’s validity.

Regulations should be “black and white”, as far as is possible.  In the case of IAL2 for RON, black and white was possible, but NY regulators opted for gray leaving vendors, state agencies and commercial organizations with questions.

Proposed Amendments to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation

The regulation, 23 NYCRR 500, places cybersecurity requirements on all Covered Entities (financial institutions and financial services companies).  Last November, NYDFS proposed a second amendment to 23 NYCRR Part 500 the regulation regarding cybersecurity requirements for financial services companies (the Second Amendment). After a public comment period, on June 28, 2023, a revised proposed Second Amendment was published in the New York State Register. Although the regulation still requires MFA, it is not so restrictive as to mandate a specific NIST Authenticator Assurance Level as defined in NIST’s Digital Identity Guidelines. Financial services organizations may select from a variety of authentication solutions.  Under the proposed Second Amendment changes to multi-factor authentication (Section 500.1) include “Multi-factor authentication means authentication through verification of at least two of the following:

  • knowledge factors, such as a password,
  • possession factors, such as a token [or text message on a mobile phone]; or
  • inherence factors, such as a biometric characteristic”

Passwords?  SMS?  Seriously?  At a time when federal agencies are mandated to implement zero trust and use phish-resistant authenticators (passwords, one-time password tokens and SMS are not), New York is amending a cybersecurity regulation to include phishable authenticators.  Why do this when modern phishing-resistant authentication is available?  Sorry New York. In 2023 no cybersecurity regulation pertaining to authentication should include passwords and SMS.

Due to security issues in 2017 NIST classified SMS OTP as a ‘restricted’ authenticator meaning organizations or users would be taking a risk using SMS as part of two-factor authentication, exactly how the proposed Second Amendment is written.  Why take such a risk especially when we are talking about accessing financial systems? I would encourage the NYDFS to join the FIDO Alliance and Kantara Initiative.  FIDO standards are mature and recognized and adopted across the world. Moreover, FIDO has a stringent product certification program and maintains a certified products list which will enable Covered Entities to procure phish-resistant authentication.

As with RON, NYDFS should leverage NIST’s Digital Identity Guidance – Special Publication 800-63B applies to Authentication and Lifecycle Management.  As with enrollment and identity proofing, NIST has defined three authenticator assurance levels: AAL1, AAL2, AAL3.  AAL1 does not require MFA (passwords are acceptable) and while AAL3 is per NIST, “is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication requires a hardware-based authenticator and an authenticator that provides verifier impersonation resistance”, aka phishing resistant.

For some industries AAL3 may be too cumbersome. However for financial services, I would argue, AAL3 met with a FIDO certified security key would be appropriate.  For many organizations, AAL2 is acceptable based on the level of risk should the account be compromised.  Per NIST, “AAL2 occurs by the use of either a multi-factor authenticator or a combination of two single-factor authenticators. A multi-factor authenticator requires two factors to execute a single authentication event, such as a cryptographically secure device with an integrated biometric sensor that is required to activate the device.”

Trustmarks and Certified Products Differentiate the “Haves from the Have Nots”

NIST defines guidance but does not assess and certify vendors.  The federal government no longer maintains an approved products list of credential service providers and instead recognizes Kantara Initiative, a globally recognized, non-profit certification body for NIST’s SP 800-63-3 under the Kantara Assurance Program.  Kantara’s five-person Assurance Review Board (ARB) even includes a representative from NIST.  The ARB is the body that reviews assessments and awards the 800-63-3 Trustmark to vendors.

I will note there is a distinct difference between a vendor claiming they meet IAL2 for RON or AAL2 or AAL3 in what I hope would be in the final version of the revised NYDFS cybersecurity regulation and being assessed and awarded a Trustmark.  I have been employed by vendors that could claim that they technically met the IAL2 and AAL2 requirements but were never assessed or awarded a Trustmark.

Kantara’s Assurance Program goes well beyond technical requirements and includes non-technical requirements that vendors must first self-attest to and later provide evidence to a Kantara-accredited, independent, third-party assessor. They confirm that the service can actually do what the vendor claims. Some examples include:

  • Is the vendor financially solvent?
  • How long do they retain personally identifiable information (PII)? Where is it stored and how is it secured?
  • How do they obtain user consent?
  • Do they have a privacy policy in place? When was it last revised?
  • Does the vendor have a Security Awareness and Training Policy applicable to all employees?
  • Do they have an Information Security Management Plan? When was it last revised?

While many RON vendors may qualify for Kantara Trustmark, as of today, none have been approved directly. Some may, however, be partnered with credential service providers that have been certified.  One exception is Proof (formerly Notarize) which was recently awarded a Trustmark and is listed on Kantara’s Trust Status List. To thwart the ambiguity in identity and authentication regulations, I recommend that procurement officers in New York (and the other 49 states) require a Kantara Trustmark to meet the intent of the regulation.

About The Author

Michael Magrath is a Digital Identity Advisor and Strategist. He is currently Director, Identity Policy and Industry Relations at Easy Dynamics Corp and is a former Board Director at Kantara Initiative and Board Delegate of the FIDO Alliance. 

This is an updated article first published by KUMA LLC in March 2023 when Michael was Director, Digital Identity Practice.