Back to New York

A6347 • 2025

Relates to requiring governmental entities to implement multifactor authentication for local and remote network access

Relates to requiring governmental entities to implement multifactor authentication for local and remote network access

Privacy
Active

The official status still shows this bill as active or still awaiting another formal step.

Sponsor
Steven Otis
Last action
2026-05-29
Official status
Passed Senate
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Relates to requiring governmental entities to implement multifactor authentication for local and remote network access

Relates to requiring governmental entities to implement multifactor authentication for local and remote network access Requires governmental entities to, whenever possible and feasible, consider implementing multifactor authentication for local and remote network access; requires public websites to encrypt all exchanges and to comply with privacy standards.

What This Bill Does

  • Relates to requiring governmental entities to implement multifactor authentication for local and remote network access Requires governmental entities to, whenever possible and feasible, consider implementing multifactor authentication for local and remote network access; requires public websites to encrypt all exchanges and to comply with privacy standards.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-05-29 Senate

    SUBSTITUTED FOR S1139

  2. 2026-05-29 Senate

    3RD READING CAL.1194

  3. 2026-05-29 Senate

    PASSED SENATE

  4. 2026-05-29 Senate

    RETURNED TO ASSEMBLY

  5. 2026-05-20 Assembly

    REPORTED

  6. 2026-05-20 Assembly

    RULES REPORT CAL.144

  7. 2026-05-20 Assembly

    ORDERED TO THIRD READING RULES CAL.144

  8. 2026-05-20 Assembly

    PASSED ASSEMBLY

  9. 2026-05-20 Assembly

    DELIVERED TO SENATE

  10. 2026-05-20 Senate

    REFERRED TO INTERNET AND TECHNOLOGY

  11. 2026-05-19 Assembly

    REPORTED REFERRED TO RULES

  12. 2026-01-07 Assembly

    REFERRED TO WAYS AND MEANS

  13. 2025-05-27 Assembly

    REPORTED REFERRED TO RULES

  14. 2025-05-06 Assembly

    REPORTED REFERRED TO WAYS AND MEANS

  15. 2025-03-04 Assembly

    REFERRED TO SCIENCE AND TECHNOLOGY

Official Summary Text

Relates to requiring governmental entities to implement multifactor authentication for local and remote network access
Requires governmental entities to, whenever possible and feasible, consider implementing multifactor authentication for local and remote network access; requires public websites to encrypt all exchanges and to comply with privacy standards.

Current Bill Text

Read the full stored bill text
S T A T E   O F   N E W   Y O R K
        ________________________________________________________________________

                                          6347

                               2025-2026 Regular Sessions

                                  I N  A S S E M B L Y

                                      March 4, 2025
                                       ___________

        Introduced  by  M. of A. OTIS -- read once and referred to the Committee
          on Science and Technology

        AN ACT to amend the state  technology  law,  in  relation  to  requiring
          governmental  entities  to  implement  multifactor  authentication for
          local and remote network access

          THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
        BLY, DO ENACT AS FOLLOWS:

     1    Section  1.  Section  202  of  the  state technology law is amended by
     2  adding two new subdivisions 9 and 10 to read as follows:
     3    9. "GOVERNMENTAL ENTITY" SHALL MEAN ANY  STATE  OR  LOCAL  DEPARTMENT,
     4  BOARD,  BUREAU, DIVISION, COMMISSION, COMMITTEE, SCHOOL DISTRICT, PUBLIC
     5  AUTHORITY, PUBLIC BENEFIT CORPORATION, COUNCIL OR OFFICE, INCLUDING  ALL
     6  ENTITIES  DEFINED PURSUANT TO SECTION TWO OF THE PUBLIC AUTHORITIES LAW.
     7  SUCH TERM SHALL INCLUDE THE STATE UNIVERSITY OF NEW YORK  AND  THE  CITY
     8  UNIVERSITY  OF  NEW  YORK.  FURTHER, SUCH TERM SHALL INCLUDE ANY COUNTY,
     9  CITY, TOWN OR VILLAGE BUT SHALL NOT INCLUDE THE JUDICIARY OR  STATE  AND
    10  LOCAL LEGISLATURES.
    11    10.  "MULTIFACTOR AUTHENTICATION" SHALL MEAN USING TWO OR MORE DIFFER-
    12  ENT TYPES OF IDENTIFICATION CREDENTIALS TO ACHIEVE  AUTHENTICATION.  THE
    13  TYPES OF IDENTIFICATION CREDENTIALS SHALL INCLUDE:
    14    (A)  KNOWLEDGE-BASED CREDENTIALS, WHICH IS A KNOWLEDGE-BASED AUTHENTI-
    15  CATION THAT REQUIRES THE USER TO PROVIDE INFORMATION THAT THEY KNOW SUCH
    16  AS PASSWORDS OR PINS;
    17    (B)  POSSESSION-BASED  CREDENTIALS,  WHICH  IS   AUTHENTICATION   THAT
    18  REQUIRES  INDIVIDUALS  TO  HAVE  SOMETHING SPECIFIC IN THEIR POSSESSION,
    19  SUCH AS SECURITY TOKENS, KEY FOBS, SIM CARDS OR SMARTPHONE APPLICATIONS;
    20  AND
    21    (C) BIOMETRIC INFORMATION, WHICH IS ANY MEASURABLE  PHYSICAL,  PHYSIO-
    22  LOGICAL OR BEHAVIORAL CHARACTERISTICS THAT ARE ATTRIBUTABLE TO A PERSON,
    23  INCLUDING BUT NOT LIMITED TO FACIAL CHARACTERISTICS, FINGERPRINT CHARAC-
    24  TERISTICS,  HAND  CHARACTERISTICS, EYE CHARACTERISTICS, VOCAL CHARACTER-

         EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD01038-01-5
        A. 6347                             2

     1  ISTICS, AND ANY OTHER CHARACTERISTICS THAT CAN BE  USED  TO  IDENTIFY  A
     2  PERSON  INCLUDING, BUT NOT LIMITED TO:  FINGERPRINTS; HANDPRINTS; RETINA
     3  AND IRIS PATTERNS; DNA SEQUENCE; VOICE; GAIT; AND FACIAL GEOMETRY.
     4    §  2. The state technology law is amended by adding three new sections
     5  210, 211, and 212 to read as follows:
     6    §  210.  MULTIFACTOR  AUTHENTICATION.  1.  MULTIFACTOR  AUTHENTICATION
     7  REQUIREMENT.  EVERY  GOVERNMENTAL  ENTITY  SHALL,  WHENEVER POSSIBLE AND
     8  FEASABLE, CONSIDER IMPLEMENTING MULTIFACTOR AUTHENTICATION FOR LOCAL AND
     9  REMOTE NETWORK ACCESS TO ANY EMAIL ACCOUNTS, CLOUD STORAGE ACCOUNTS, WEB
    10  APPLICATIONS, NETWORKS, DATABASES, OR SERVERS, MAINTAINED BY SUCH ENTITY
    11  OR ON BEHALF OF SUCH ENTITY, FOR THE  EMPLOYEES  AND  OFFICERS  OF  SUCH
    12  ENTITY  OR  FOR ANY OTHER INDIVIDUALS PROVIDING SERVICES TO OR ON BEHALF
    13  OF SUCH ENTITY.
    14    2. TECHNICAL STANDARD. THE OFFICE SHALL PROMULGATE RULES TO  ESTABLISH
    15  STANDARD  TECHNICAL REQUIREMENTS FOR GOVERNMENTAL ENTITIES FOR COMPLYING
    16  WITH SUBDIVISION ONE OF THIS SECTION. SUCH  RULES  SHALL  INCLUDE  REGU-
    17  LATIONS  ADDRESSING  BIOMETRIC  INFORMATION  INCLUDING PROPER STORAGE OF
    18  TRAITS RELATING TO USER-SPECIFIC BIOLOGICAL TRAITS.   SUCH  RULES  SHALL
    19  ADDITIONALLY  INCLUDE  PROVISIONS  REGARDING  COMPLIANCE FOR INDIVIDUALS
    20  WITH DISABILITIES OR SPECIAL NEEDS.  FOR THE PURPOSES OF  THIS  SUBDIVI-
    21  SION,  THE  OFFICE  MAY  USE AND REFER TO THE GUIDELINES PROVIDED BY THE
    22  NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY,  THE  FEDERAL  RISK  AND
    23  AUTHORIZATION  MANAGEMENT  PROGRAM  (FEDRAMP),  THE  FEDERAL INFORMATION
    24  SECURITY MANAGEMENT ACT OF 2002 (FISMA) AND THE DEFENSE FEDERAL ACQUISI-
    25  TION REGULATION SUPPLEMENT (DFARS).
    26    3. WAIVERS. THE OFFICE, UPON APPLICATION BY A GOVERNMENTAL ENTITY, MAY
    27  COMPLETELY OR PARTIALLY WAIVE THE REQUIREMENTS OF THIS SECTION FOR  SUCH
    28  GOVERNMENTAL  ENTITY.  SUCH WAIVER SHALL BE VALID FOR NO LONGER THAN TWO
    29  YEARS AND SHALL BE REAPPROVED AFTER EXPIRATION. THE OFFICE SHALL PROMUL-
    30  GATE RULES TO ESTABLISH THE APPLICATION PROCESS AND  CRITERIA  FOR  SUCH
    31  WAIVERS.
    32    §  211.  PRIVACY  REQUIREMENTS. THIS SECTION SHALL APPLY TO THE USE OF
    33  MULTIFACTOR AUTHENTICATION AT GOVERNMENTAL ENTITIES AND TO  ANY  VENDORS
    34  AND/OR THIRD-PARTY CONTRACTORS ADMINISTERING THE MULTIFACTOR AUTHENTICA-
    35  TION ON BEHALF OF THE GOVERNMENTAL ENTITY.
    36    1.  NO GOVERNMENTAL ENTITY SHALL REQUIRE THE USE OF BIOMETRIC INFORMA-
    37  TION TO ACCESS LOCAL AND/OR REMOTE NETWORK ACCESS.
    38    2. NO GOVERNMENTAL ENTITY THAT FACILITATES THE USE OF BIOMETRIC INFOR-
    39  MATION TO ACCESS LOCAL AND REMOTE NETWORK ACCESS SHALL SELL OR  MONETIZE
    40  SUCH DATA.
    41    3. NO GOVERNMENTAL ENTITY THAT FACILITATES THE USE OF BIOMETRIC INFOR-
    42  MATION  TO  ACCESS LOCAL AND REMOTE NETWORK ACCESS SHALL SHARE SUCH DATA
    43  WITH LAW ENFORCEMENT WITHOUT A WARRANT.
    44    4. ANY GOVERNMENTAL ENTITY AND ANY APPLICABLE THIRD-PARTY  CONTRACTORS
    45  THAT  FACILITATE  THE USE OF BIOMETRIC INFORMATION SHALL AGREE TO COMPLY
    46  WITH THE STANDARDS ESTABLISHED BY THE OFFICE AND ALL  STATUTORY  PRIVACY
    47  STANDARDS.
    48    §  212.  PUBLIC  WEBSITE ENCRYPTION. EVERY WEBSITE MAINTAINED BY OR ON
    49  BEHALF OF A GOVERNMENTAL ENTITY SHALL ENCRYPT ALL EXCHANGES  AND  TRANS-
    50  FERS  BETWEEN A WEB SERVER, MAINTAINED BY OR ON BEHALF OF A GOVERNMENTAL
    51  ENTITY, AND A WEB BROWSER OF HYPERTEXT OR OF ELECTRONIC INFORMATION, AND
    52  REQUIRE WEB BROWSERS TO REQUEST SUCH ENCRYPTED EXCHANGE OR  TRANSFER  AT
    53  ALL  TIMES FOR SUCH WEBSITES, PROVIDED THAT SUCH ENCRYPTION SHALL NOT BE
    54  REQUIRED IF SUCH EXCHANGES OR TRANSFERS ARE CONDUCTED IN A  MANNER  THAT
    55  PROVIDES AT LEAST AN EQUIVALENT LEVEL OF CONFIDENTIALITY, DATA INTEGRITY
    56  AND AUTHENTICATION.
        A. 6347                             3

     1    §  3. This act shall take effect one year after it shall have become a
     2  law. Effective immediately, the addition, amendment,  and/or  repeal  of
     3  any  rule  or regulation necessary for the implementation of this act on
     4  its effective date are authorized to be made and completed on or  before
     5  such effective date.