Two-Factor Authentication (2FA) is no longer just a “recommended” security measure. Across industries such as finance, healthcare, government, manufacturing, retail, education, and technology, regulators increasingly expect organizations to implement multi-factor authentication to protect sensitive data and prevent unauthorized access. Two-factor authentication (2FA) or multi-factor authentication (MFA) is explicitly required in some contexts (for example, under PCI DSS and PSD2 SCA) and is often expected or used to meet security obligations under frameworks such as NIST SP 800-171, HIPAA, FERPA, CCPA, or NIS2.
Passwords are still the easiest way for attackers to break in, and cyberattacks keep climbing. That’s why industries everywhere are tightening the rules on authentication. If you’re in banking, healthcare, SaaS, education, or the public sector, knowing when 2FA is required can save you from fines, security breaches, and sleepless nights.
This guide highlights the industries where 2FA or MFA is now expected or legally mandated and the regulations driving those requirements. By the end, you will know exactly what your business needs and how solutions like Rublon MFA make staying secure simple and seamless.

Two-Factor or Multi-Factor Authentication?
Two-Factor Authentication (2FA) is a security measure that requires users to provide two types of identification before accessing their accounts. While not mandatory for every entity in every industry, it is a crucial measure in sectors that handle sensitive data. Let’s delve into the industries that require MFA.
Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) are both security measures required for regulatory compliance. 2FA uses two distinct factors to verify identity, while MFA can involve two or more. Although regulations often mention MFA, they typically require only two factors, so 2FA is also compliant. Whether it’s MFA or 2FA, the goal remains the same: to provide an additional layer of security that makes it harder for unauthorized individuals to access sensitive information.
Some regulations also refer to “strong authentication” (e.g., SCA under PSD2), which in practice typically implies MFA for higher-risk access or transactions.
TL;DR: Do You Need 2FA?
- Finance, government, utilities, and manufacturing — 2FA/MFA is frequently mandatory in practice under frameworks like PCI DSS, NIS2, PSD2, and NIST SP 800-171.
- Retail, trade, healthcare, education, and technology companies — 2FA is strongly recommended or indirectly required through broader frameworks (FERPA, CCPA, GDPR, ISO 27001, HIPAA).
- Most regulations do not specify a vendor — they specify outcomes: strong authentication + resistance to phishing and credential attacks.
- 2FA = compliance shortcut: almost every cybersecurity framework treats MFA as a “best practice baseline” for securing access to sensitive data.
- Rublon MFA helps organizations meet 2FA/MFA requirements across industries thanks to strong authentication factors, phishing-resistant options, and broad integration capabilities.
Which Industries Suffer the Most Data Breaches? (DBIR 2025 Insights)
The chart below shows how confirmed data breaches are distributed across industries based on the Verizon DBIR 2025 dataset. DBIR reports 12,195 verified breaches for the year, but this figure should not be interpreted as the total number of global incidents. The report includes only cases that were confirmed, documented, and fully analyzed by participating organizations, making it a curated statistical sample rather than a complete worldwide count. In reality, the scale of data exposure is far greater. For example, Statista recorded nearly 94 million leaked data records globally in Q2 2025 alone. This context is important: DBIR’s strength lies in showing which industries are most affected and how breaches are distributed, not in estimating the full global volume of attacks.
The Verizon DBIR 2025 Report reports 12,195 total breaches across all industries. Among the selected industries shown here, Manufacturing (1,607) and Healthcare (1,542) had the most breaches, followed by Public Administration (946) and Finance (927).
Which Industries Require 2FA / MFA?
- Financial Services
- Healthcare
- Law Enforcement
- Defense
- Government & Public Services
- Retail
- Trade
- Education
- Technology
- Legal & Law firms
- Investment Funds
- Manufacturing
- Utilities
2FA & MFA Requirements In Each Industry – A Convenient Table
The table below lists the most common regulations and frameworks that either require or strongly recommend 2FA/MFA in a given industry. Use it as a starting point: the exact requirements depend on your geography, the type of data you process, and whether you operate critical services or regulated systems.
| Industry | Key Regulations Requiring or Recommending MFA |
|---|---|
| Financial Services | PCI DSS, PSD2 (SCA), DORA, GLBA, FTC Safeguards Rule, SOX, SOC 2, BSA, FFIEC IT Handbook, NAIC, NYDFS 23 NYCRR 500 |
| Healthcare | HIPAA, HITECH, EPCS MFA Requirements, NIST SP 800-66, GDPR |
| Law Enforcement | CJIS Security Policy, NCIC requirements |
| Defense | DFARS 252.204-7012, NIST SP 800-171, CMMC framework |
| Government & Public Services | NIST SP 800-63 (Digital Identity), Federal Zero Trust Strategy, NCSA recommendations |
| Retail | PCI DSS, various data protection laws (GDPR, CCPA) |
| Trade | C-TPAT |
| Education | FERPA, HEOA, Australian Privacy Act 1988, PIPEDA |
| Technology | SOC 2, ISO/IEC 27001, CIS Controls, FedRAMP, NIST SP 800-63 |
| Legal & Law Firms | GDPR, ISO 27001, ABA cybersecurity guidance |
| Investment Funds | SEBI |
| Manufacturing | NIST SP 800-171, CMMC, IEC 62443, Industry 4.0 security frameworks, ISO/IEC 27001, GDPR, TISAX |
| Utilities | NERC CIP, TSA Security Directives, IEC 62443, NIST Cybersecurity Framework (CSF), GDPR |
Financial Services
The finance industry has been a pioneer in adopting two-factor authentication (2FA) technology. Financial institutions, including banks and insurance companies, handle sensitive customer data and large monetary transactions daily. As a result, the financial sector needs to implement 2FA to protect against fraud and data breaches.
According to Mordor Intelligence’s MULTIFACTOR AUTHENTICATION (MFA) MARKET SIZE & SHARE ANALYSIS, the banking and financial services sector accounts for 23.95% of the global MFA market, making it the largest industry segment.

Real-Life MFA & 2FA Examples in This Industry
Two prime examples of using Two-Factor Authentication by financial services are ATMs and online banking logins.
The most common example of 2FA in the finance industry is using an ATM. When using an ATM, customers need both their PIN (something they know) and their ATM card (something they have) – a practical example of 2FA.
Another example of Two-Factor Authentication (2FA) in the financial industry is online banking, where customers enter their login and password in the first step and then receive a text message from the bank. The text message contains a short one-time password. The bank asks the customer to enter that password on the login page to gain access to their online banking account.
Two-Factor Authentication (2FA) in Financial Services: Cybersecurity and Compliance Requirements
Depending on their location, financial institutions must comply with some of the following 2FA security regulations. The scope of jurisdiction is given in square brackets.
PCI DSS [Global]
Organizations that process and store card payment information must comply with the Payment Card Industry Data Security Standard (PCI DSS), an information security standard for organizations that handle branded credit cards.
- MFA must be immune to replay attacks.
- MFA must protect access to the cardholder data environment (CDE) for all users.
- MFA must be enabled for any remote access via VPN, RDP, VDI, and SSH.
- MFA must be performed twice if the user first connects to the network where the CDE is located and then to the CDE itself.
- The same authentication factor type cannot be used twice, because two factors of the same type do not constitute MFA.
- The latest version of PCI DSS is published by the PCI Security Standards Council.
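Two of the requirements above, replay resistance and two distinct factor types, are easy to get wrong in an in-house login flow. The following is an added example written for this article (not code from Rublon or the PCI SSC): it implements an RFC 6238 TOTP verifier that refuses a code that has already been accepted, and a factor-category check that rejects "password + PIN" as not being MFA. The factor-to-category mapping and the demo secret (the RFC 6238 test-vector key) are assumptions used only as sample input.

```python
"""Illustrative check of two PCI DSS MFA requirements: distinct factor
categories and replay resistance for a one-time password. Added example,
not the standard's own text or any vendor's code."""
import hashlib
import hmac
import struct

# Assumed mapping of concrete factors to the "know / have / are" categories.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
}

# Sample key only: this is the RFC 6238 test-vector secret, not a real one.
DEMO_SECRET = b"12345678901234567890"


def factors_are_multi(factors):
    """True only if at least two *different* categories are presented.
    Password + PIN are both 'knowledge', so they do not count as MFA."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Verifies TOTP codes and never accepts the same time window twice.

    Replay resistance: once a code has been accepted, the same code (or any
    code from an earlier window) is rejected even though it would still be
    arithmetically valid inside the clock-skew window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window          # allowed clock skew, in steps
        self.last_accepted_counter = -1  # highest counter already consumed

    def verify(self, code: str, now: int) -> bool:
        for delta in range(-self.window, self.window + 1):
            t = now + delta * self.step
            counter = t // self.step
            expected = totp(self.secret, t, self.step)
            if hmac.compare_digest(expected, code):
                if counter <= self.last_accepted_counter:
                    return False  # replay: this window was already used
                self.last_accepted_counter = counter
                return True
        return False


def mfa_check(factors, code, verifier, now):
    """Combined decision: distinct factor categories AND a fresh, valid OTP."""
    if not factors_are_multi(factors):
        return "rejected: factors are not from two distinct categories"
    if not verifier.verify(code, now):
        return "rejected: OTP invalid or already used (replay)"
    return "accepted"


if __name__ == "__main__":
    now = 1_700_000_000
    v = OtpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, now)
    print(mfa_check(["password", "totp"], code, v, now))   # accepted
    print(mfa_check(["password", "totp"], code, v, now))   # rejected (replay)
    print(mfa_check(["password", "pin"], code, v, now))    # rejected (same type)
```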
The Payment Services Directive 2 (PSD2) [European Union]
All financial institutions in the European Union must comply with the PSD2 directive. This directive primarily applies to payment services providers within the European Economic Area, including payment institutions, credit institutions, e-money institutions, and central banks.
- PSD2 mandates Strong Customer Authentication (SCA), which is a form of multi-factor authentication, to increase the security of electronic payments.
- PSD2 also defines when SCA can be skipped. For example, some contactless payments up to €50 may be exempt, but only until cumulative limits are reached (such as €150 total or 5 consecutive transactions).
- In the case of online payments, it is also necessary to provide the so-called dynamic linking. While the directive’s primary focus is on financial services, its scope can extend beyond traditional financial institutions depending on the nature of the transactions involved. The specific requirements may vary depending on the institution’s risk profile and the regulatory framework in its jurisdiction.
The Digital Operational Resilience Act (DORA) [European Union]
DORA is a European Union regulation that applies to various financial entities. It doesn’t explicitly require multi-factor authentication (MFA), but Article 9 of DORA calls for strong security measures to protect against unauthorized access and data breaches. As such, the use of MFA is the best way to meet these security requirements.
The Gramm-Leach-Bliley Act of 1999 (GLBA) [United States]
The Gramm-Leach-Bliley Act requires financial institutions in the United States – defined as companies that offer financial products or services to consumers, such as loans, financial or investment advice, or insurance – to explain to customers their information-sharing practices and to secure sensitive information to protect the confidentiality and integrity of consumers’ personal data. MFA is not strictly required, but it makes the above much easier.
The FTC Safeguards Rule [United States]
This rule, revised under the Gramm-Leach-Bliley Act (GLBA), mandates that financial institutions under the FTC’s jurisdiction secure private consumer data. Notably, the rule extends to affiliates and service providers of the covered organizations, requiring them to also secure consumer data to FTC standards.
The rule encompasses a broad spectrum of entities, including but not limited to mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors not required to register with the SEC. Among many of the FTC Safeguards Rule requirements, the most important is the use of Multi-Factor Authentication (MFA) for anyone accessing customer information on the system.
The Sarbanes-Oxley Act (SOX Act) [United States]
SOX compliance is checked using the International Standard on Assurance Engagements 3402 (ISAE 3402) and the Service Organization Control (SOC) audit framework. Generally, MFA is not mentioned explicitly, but implementing MFA will make it much easier to comply with ISAE 3402 and pass a SOC 2 audit. For example, in the case of SOC 2, MFA will ensure the requirement to secure information from unauthorized access.
The Bank Secrecy Act (BSA) [United States]
While the BSA itself does not explicitly require multi-factor authentication, financial institutions in the U.S. are generally expected to implement MFA or equivalent controls as part of their overall security practices, in line with Federal Financial Institutions Examination Council (FFIEC) guidance.
FFIEC IT Examination Handbook [United States]
The FFIEC IT Handbook AIO Booklet, which is a part of the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, contains information on the use of multi-factor authentication within the context of Remote Access:
- “Implement IAM based on job type and access and use appropriate authentication techniques (e.g., multi-factor authentication) for privileged access and activities, such as remote administration tasks.”
- “Uses multi-factor authentication over encrypted network connections for administrators accessing and managing network devices.”
- Procedure for mainframe security software: “Implements access controls (e.g., role-based access, segregation of duties, and multi-factor authentication).”
The National Association of Insurance Commissioners (NAIC) [United States]
The Risk Management section says: “Utilize effective controls, which may include Multi-Factor Authentication procedures for any individual accessing Nonpublic Information.” This means that even though MFA is not enforced, it is one of the best options for obtaining NAIC compliance.
The NYDFS Cybersecurity Regulation [United States]
This regulation, also known as the “New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies” (23 NYCRR 500), contains an entire section on MFA (Section 500.12, Multi-Factor Authentication). It requires MFA as follows:
- MFA should protect against unauthorized access to non-public information and IT systems.
- MFA must be enabled for each user who accesses resources on the internal network from an external network.
Healthcare
The healthcare sector deals with sensitive patient data, making security paramount. The Health Insurance Portability and Accountability Act (HIPAA) was established to protect an individual’s healthcare information. Under HIPAA, healthcare organizations are required to implement measures to enforce password security and protect patient data. In addition to that, organizations must ensure that their access control and authentication systems meet the HIPAA requirements. Two-Factor Authentication (2FA) is an ideal solution to comply with these requirements. Apart from HIPAA, it is important to ensure EPCS compliance whenever required and safeguard EHR applications.

Two-Factor Authentication (2FA) in Healthcare: Cybersecurity and Compliance Requirements
Depending on their location, healthcare organizations must comply with some of the following 2FA security regulations. The scope of jurisdiction is given in square brackets.
Health Insurance Portability and Accountability Act (HIPAA) [United States]
While Multi-Factor Authentication is not explicitly mentioned in HIPAA, the implementation of MFA will meet the authentication and access control requirements defined in the document, provide secure access to ePHI, and allow you to repair vulnerabilities detected during a risk assessment regarding information access management (IAM) of a given organization.
The Health Information Technology for Economic and Clinical Health Act (The HITECH Act) [United States]
This act can be seen as a more expanded version of HIPAA that strengthens regulations for the Privacy and Security Rules of HIPAA. In doing so, HITECH adds more technical requirements to hospitals and doctors who use electronic health records. While it does not explicitly enforce using Multi-Factor Authentication, MFA is one of the best ways of complying with the HITECH Act.
Electronic Prescriptions for Controlled Substances (EPCS) Compliance [United States]
This compliance involves e-Prescribing (eRx) and contains an explicit requirement for MFA (called two-factor authentication). MFA requirements in EPCS are as follows:
- MFA must be used to assign a prescriber in the electronic system, validate the entry on the prescription, and place a digital signature on the prescription.
- Allowed components are login/password, biometric methods, and OTP hard token or YubiKey hard token. Hard tokens must meet FIPS 140-2 Security Level.
NIST SP 800-66 Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide [United States]
The National Institute of Standards and Technology (NIST) provides guidelines for healthcare cybersecurity, including the protection of electronic health information, mentioning “stringent access controls”, such as multi-factor authentication (MFA).
General Data Protection Regulation (GDPR) [European Union]
For healthcare providers operating in the European Union, the GDPR imposes strict rules on controlling and processing personally identifiable information. Although the General Data Protection Regulation (GDPR) does not specifically mandate the use of Multi-Factor Authentication (MFA), the European Union Agency for Cybersecurity (ENISA) has issued guidelines suggesting the use of Two-Factor Authentication. This is particularly recommended for systems handling personal data and for accessing mobile devices, as outlined in Items K.7 and Q.8 of their guidelines. The GDPR applies to organizations anywhere if they target or collect data related to people in the European Union.
Law Enforcement
In the realm of law enforcement, the handling of sensitive and critical information is a daily occurrence. Given the nature of their work, these agencies require top-tier security measures to protect information from unauthorized access and potential breaches.

One such measure is Two-Factor Authentication (2FA), which has become an integral part of the security protocols in law enforcement agencies.
For instance, U.S. law enforcement agencies that collaborate with the FBI’s Criminal Justice Information Services (CJIS) division have adopted robust security systems that include the so-called “advanced authentication”, de facto Multi-Factor Authentication. This enhanced security measure ensures that only authorized personnel can access sensitive information.
Moreover, accessing certain databases, such as the National Crime Information Center (NCIC), necessitates the completion of 2FA. The NCIC database, which contains a wealth of sensitive criminal justice information, requires an additional layer of security to protect the data and maintain its integrity.
In essence, the use of 2FA in law enforcement strengthens the security of their systems and plays a crucial role in maintaining public trust by ensuring that sensitive information remains confidential and secure.
Defense
The defense sector is a critical area where enhanced security measures, such as Two-Factor Authentication (2FA), are essential due to the sensitive nature of the information involved.

A prime example of this is the U.S. military’s use of Common Access Cards (CACs) for their personnel. A CAC is a type of smart card that serves as the standard identification for active-duty military personnel, Selected Reserve, Department of Defense (DoD) civilian employees, and eligible contractor personnel.
The CAC embodies the principles of MFA. The first factor is the physical card, which the user must have in their possession to access systems (something you have). The second factor is a Personal Identification Number (PIN) that the user must memorize (something you know). In some instances, biometric data, such as fingerprints, can serve as a third factor (something you are).
This multi-factor authentication approach ensures a high level of security. It significantly increases the difficulty for unauthorized individuals to gain access to sensitive defense systems and data.
The defense sector needs to abide by the following cybersecurity regulations that require MFA:
Defense Federal Acquisition Regulation Supplement (DFARS) [United States]
While this document does not explicitly state the need for multi-factor authentication (MFA), clause 252.204-7012 emphasizes the necessity for “adequate security” on all systems processing covered defense information. The term “adequate security” suggests the implementation of protective measures that align with the risk of loss, misuse, or unauthorized access or modification of information. Although MFA isn’t directly mentioned, it’s widely recognized as a standard practice for achieving “adequate security”. Organizations are permitted to use any MFA solution that aligns with the standards outlined in the NIST SP 800-171 framework. It is worth noting that Cybersecurity Maturity Model Certification (CMMC) is based on DFARS.
NIST SP 800-171 [United States]
Based on White House Executive Order 13556, all DFARS contractors must additionally meet NIST SP 800-171, which describes security requirements for Controlled Unclassified Information (CUI). One of these requirements is MFA for all users accessing the CUI (“3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.”).
Government & Public Services
Government agencies and public administration manage a substantial amount of sensitive data. This data spans from national security information and internal government systems to citizen services and personal data. Given the nature of this information and the scale of access across departments and contractors, the public sector must employ strong authentication to reduce the risk of account takeover and unauthorized access.

European Union
In the European Union, the public sector processes large volumes of sensitive information, from citizen data to information related to critical infrastructure. For that reason, public administrations are expected to implement strong authentication mechanisms to reduce the risk of unauthorized access and account takeover. These expectations are driven by, among others, NIS2, GDPR, eIDAS, and national interoperability frameworks adopted by Member States. While not all of these legal acts mention MFA explicitly, they consistently require “strong authentication”, which in practice means multi-factor authentication.
Across EU public services, MFA is widely used to protect access to government portals, digital identity services, and internal administrative systems. This reflects both EU-level regulatory direction and the practical need to protect public-sector systems and citizen data from cyber threats.
Beyond cross-industry instruments (such as NIS2, eIDAS, and GDPR described in Cross-Industry Regulations), public administrations often need to meet additional national interoperability and ICT minimum-security requirements, which typically include:
- strong authentication mechanisms,
- access control,
- securing remote access.
In audit practice, “strong authentication” is commonly interpreted as MFA.
USA + Global
The National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce, offers guidelines for implementing 2FA. These guidelines assist government agencies in establishing secure authentication practices and protecting sensitive information.
In addition to NIST, the National Cyber Security Alliance (NCSA) also advocates for the use of 2FA. The NCSA provides resources and guidance to help organizations understand and implement 2FA, further enhancing the security of their systems.
This shift towards more secure authentication methods reflects the growing recognition of the importance of cybersecurity in protecting government data and systems. This is in line with the Federal Zero Trust Strategy Memorandum, which required all federal agencies to deploy phishing-resistant MFA by the end of 2024.
Retail
The retail industry handles a vast amount of customer data, including financial details. Therefore, retailers need to implement robust security measures to protect this data and maintain customer trust.

Two-Factor Authentication (2FA) is one such measure that has become increasingly common in the retail industry. 2FA enhances security by requiring users to provide two distinct forms of identification before granting access to systems. This additional layer of security helps protect against unauthorized access and potential data breaches.
A key standard that the retail industry must adhere to is the Payment Card Industry Data Security Standard (PCI DSS). This standard ensures the secure handling of credit card information and mandates that retailers implement strong access control measures, one of which can be 2FA.
The PCI DSS is overseen by the Payment Card Industry Security Standards Council and is required by major credit card brands. It was developed to better manage cardholder data and reduce credit card fraud. Compliance with PCI DSS is validated annually or quarterly, depending on the volume of transactions.
Trade
The Trade industry in the US must abide by the Customs-Trade Partnership Against Terrorism (C-TPAT) regulation. In section 4.8, the CTPAT Minimum Security Criteria recommends using Multi-Factor Authentication (MFA) to meet the requirement for a strong authentication process. Moreover, section 4.9 gives MFA as one of the possible ways to meet the remote access protection criterion.

Education
Educational institutions often need 2FA to meet compliance standards, such as:
- The Family Educational Rights and Privacy Act (FERPA): This act of the United States emphasizes the importance of safeguarding student education records. It suggests that single-factor authentication may not be sufficient for protecting highly sensitive information, implying the need for multi-factor authentication. The US Department of Education (DoE) refers to NIST SP 800-63, effectively requiring MFA. PIPEDA is the Canadian equivalent of FERPA.
- The Higher Education Opportunity Act (HEOA): This is another U.S. law that necessitates secure login credentials for students in higher education institutions. This often involves the use of multi-factor authentication.
- Australia’s Privacy Act 1988: While this act does not explicitly mandate multi-factor authentication, it recommends MFA as a security measure to verify the identity of the person requesting a transaction.

Technology
There’s no single, consistent regulation mandating 2FA in the technology sector, but many broader security standards—such as NIST SP 800-63, FedRAMP, ISO/IEC 27001, SOC 2, and CIS Controls—require or recommend implementing multi-factor authentication. Technology companies, especially cloud and SaaS providers, must implement MFA to meet audit requirements, protect user data, and maintain compliance with global security standards.

FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP), based on NIST SP 800-53, requires the use of multi-factor authentication (MFA) as a mandatory control rather than a recommended practice.
The key controls are IA-2, IA-2(1), IA-2(2), IA-2(3), and IA-2(11). They mandate the implementation of MFA for:
- all privileged accounts,
- all users accessing systems remotely,
- all users accessing federal information systems,
- and for administrative access to cloud service management interfaces.
FedRAMP also requires MFA to comply with the criteria defined in NIST SP 800-63B, which means prioritizing phishing-resistant MFA methods such as FIDO2/WebAuthn, PIV/CAC certificates, or cryptographic hardware keys. The requirement applies to all cloud systems handling U.S. government data, and the absence of MFA makes it impossible for a service provider to obtain FedRAMP authorization.
Legal & Law Firms
Law firms, like other industries, are increasingly adopting 2FA for enhanced security. Law firms often implement 2FA to protect sensitive client information and case details.

The American Bar Association’s cybersecurity guidelines, particularly ABA Formal Opinion 477R and ABA Model Rules of Professional Conduct Rule 1.6(c), state that attorneys are obligated to implement “reasonable measures” to protect the confidentiality of client information. In practice, this requires adopting security controls proportionate to the level of risk, and multi-factor authentication (MFA) is identified as one of the key mechanisms for reducing the likelihood of account compromise.
Formal Opinion 477R emphasizes that law firms should employ “enhanced security measures,” including multi-factor authentication, especially when accessing email, document management systems, cloud services, and any systems containing client data.
Although the ABA does not formally mandate any specific technology, it makes clear that the absence of MFA may be considered a breach of ethical duties if it contributes to a security incident. As a result, the context for implementing multi-factor authentication encompasses all systems that store information protected by attorney-client privilege or other professional confidentiality obligations.
Investment Funds
As per the Securities and Exchange Board of India (SEBI) guidelines, 2FA is mandated for all digital transactions related to mutual funds. This ensures the security of investors’ funds and personal information.

Other regulatory requirements for investment funds generally mirror those applicable to the broader financial services sector, including mandatory or strongly recommended use of MFA.
Manufacturing
Manufacturing organizations sit at the intersection of IT and OT: corporate networks, engineering workstations, vendor remote access, and industrial control systems (ICS) that keep production running. That mix creates a large attack surface, especially around privileged accounts, remote access, and maintenance sessions. As a result, many manufacturing-focused security frameworks and supply-chain requirements push organizations toward multi-factor authentication (MFA) as a baseline control for preventing unauthorized access and reducing the blast radius of credential compromise.

Real-Life MFA & 2FA Examples in This Industry
Two practical examples of MFA use in manufacturing are remote access to plant environments and privileged access for engineering and maintenance.
A common example is vendor/employee VPN access to internal networks or OT support jump hosts. The user first authenticates with a password (something they know) and then approves a second factor (something they have/are), such as a push notification, hardware token, or passkey.
Another example is elevated access to engineering tools and administrative consoles (e.g., SCADA/HMI management, historians, OT remote access gateways). MFA helps ensure that even if credentials are stolen, attackers can’t easily gain control over production-critical systems.
Multi-Factor Authentication (MFA) in Manufacturing: Cybersecurity and Compliance Requirements
Depending on the type of manufacturing (e.g., defense supply chain, automotive supply chain, Industry 4.0 / smart factories), manufacturers may be expected to align with some of the following MFA-related standards and assessment schemes. The scope of jurisdiction is given in square brackets.
ISA/IEC 62443 (Industrial Automation and Control Systems Security) [Global / OT-ICS]
IEC 62443 is a cornerstone standard series for securing industrial automation and control systems (IACS). It’s commonly used by manufacturers to structure OT security programs (zones/conduits, system requirements, component requirements) and is frequently referenced in OT security governance and procurement. ISA notes that the series provides best practices and a way to assess security performance.
In the context of industrial remote access, IEC 62443-3-3 includes human user identification and authentication requirements that are often implemented via MFA, for example, requiring MFA for human access to control-system interfaces such as HMIs.
Industry 4.0 Security Frameworks [Primarily EU, used globally as guidance]
Industry 4.0 initiatives formalize how cyber-physical production systems connect data, devices, and services. Manufacturing security guidance tied to Industry 4.0 emphasizes “security by design” and systematic security architecture as factories become more connected. The Plattform Industrie 4.0 publication “Security in RAMI 4.0” is a widely cited reference in this space.
While it’s not a law, it strongly influences manufacturing security programs and reinforces MFA as part of robust identity and access controls around connected production systems.
TISAX / VDA ISA [Europe-centric but global supply chains]
TISAX is the de facto information security assessment scheme for automotive OEMs and suppliers, based on the VDA Information Security Assessment (VDA ISA) catalogue and operated via the ENX ecosystem. The ENX portal provides the official VDA ISA questionnaire downloads used as the basis for TISAX assessments.
In practice, automotive manufacturers and suppliers adopt MFA to satisfy identity/access expectations embedded in these assessment requirements, especially where sensitive development data, prototypes, or supplier portals are involved.
Utilities
Utilities are critical infrastructure operators running a blended IT/OT environment: enterprise networks, field devices, SCADA systems, control centers, and remote access paths used by operators, engineers, and third-party maintainers. Because disruptions can impact public safety and continuity of essential services (power, gas, water, wastewater), the utilities sector places heavy emphasis on controlling privileged access and remote connectivity. In practice, sector rules and directives increasingly treat multi-factor authentication (MFA) as a baseline safeguard against credential theft, unauthorized remote sessions, and lateral movement into control environments.

Two practical examples of MFA use in utilities are remote operator/vendor access to control environments and privileged access to SCADA/OT administration.
A common example is remote access into an electric utility’s control-center environment through an intermediate system (jump host) or remote access gateway. The user authenticates with a password (something they know) and then completes a second factor (something they have/are), reducing the likelihood that stolen credentials alone grant entry.
Another example is administrative access to SCADA servers, OT remote access solutions, or operator consoles. MFA adds a friction point that helps prevent attackers from taking over production-critical operations even if a password is compromised.
Two-Factor Authentication (2FA) in Utilities: Cybersecurity and Compliance Requirements
Depending on the utility segment (e.g., bulk electric system operators, pipeline operators, drinking water and wastewater utilities), utilities may be expected to align with some of the following MFA-related regulatory requirements and sector schemes. The scope of jurisdiction is given in square brackets.
NERC CIP [United States & Canada]
NERC CIP standards govern cybersecurity for entities operating elements of the Bulk Electric System (BES). CIP-005-7 focuses on the Electronic Security Perimeter (ESP) and remote access controls, and it is widely referenced as a compliance driver for hardened remote access architectures in power utilities. The current CIP-005-7 text and applicability language are published by the North American Electric Reliability Corporation (NERC).
In practice, CIP remote access obligations are commonly implemented with MFA for interactive remote access into ESP environments, particularly for sessions originating from outside the ESP (e.g., vendor access paths).
TSA Security Directive Pipeline-2021-02C [United States]
The U.S. Transportation Security Administration (TSA) issues pipeline cybersecurity Security Directives under federal authority to address cyber threats to critical pipeline systems. SD Pipeline-2021-02C continues mandatory cybersecurity measures for covered pipeline owners/operators (those notified by TSA as “critical”).
For utilities operating pipeline infrastructure, these directives are a key compliance pressure point that typically results in stronger access controls, including MFA (or equivalent layered controls) for remote/privileged access and other high-risk pathways into operational environments.
AWWA Cybersecurity Guidance [United States]
For drinking water and wastewater utilities, the American Water Works Association (AWWA) maintains a dedicated cybersecurity guidance hub and sector risk-management guidance aimed at protecting utility process control systems and related environments.
Although this is guidance rather than a law, it is frequently used by water utilities as a practical reference point for implementing controls (including multi-factor authentication) in OT/PCS environments.
NIS2 Directive (Directive (EU) 2022/2555) [European Union]
The NIS2 Directive explicitly targets essential sectors that map directly to utilities. Energy, drinking water, and wastewater are in scope as critical infrastructure sectors in the Directive’s annexes and recitals.
While NIS2 is a broader cybersecurity directive (not an “MFA-only” rule), its risk-management and access-control expectations in essential sectors commonly translate into deploying MFA for remote access, administrative access, and other high-risk authentication scenarios in utility environments.
Cross-Industry Regulations
There are some other compliance requirements and regulations that do not apply strictly to just one sector but are nevertheless important if not downright mandatory for the industries mentioned in this article. Depending on their location, businesses might be required to abide by the following.

ISO/IEC 27001 [Global]
Multi‑factor authentication (MFA) can be used to meet the Access Control Policies in A.5.15 Access control requirements, among others. MFA is considered a strong authentication mechanism that supports several ISO 27001 controls, including secure user access management, protection of privileged accounts, and safeguarding access to sensitive information. While ISO 27001 does not mandate MFA explicitly, it is widely recognized as a best practice for reducing unauthorized access risks and strengthening compliance with Annex A controls.
CIS Controls v8 – Center for Internet Security [Global]
In CIS Controls v8, multi‑factor authentication (MFA) is classified as a foundational security control, required as early as IG1 (Implementation Group 1), which represents the minimum security baseline for any organization. The most relevant controls include:
- Control 6.3 – Require MFA for Remote Network Access,
- Control 6.5 – Require MFA for Administrative Access,
- Control 6.6 – Require MFA for Access to Third‑Party Applications,
- as well as parts of Control 5 (Account Management) and Control 3 (Data Protection).
CIS requires MFA for all privileged accounts, remote access, access to SaaS applications, and systems containing sensitive data. The scope of this requirement is broad: CIS Controls apply to organizations across all industries, and MFA is treated as an absolute minimum security standard rather than an advanced practice.
NIST SP 800‑63 – Digital Identity Guidelines [Global]
NIST SP 800‑63B defines the technical requirements for digital identity and authentication across three assurance levels: AAL1, AAL2, and AAL3. Multi‑factor authentication (MFA) is required at AAL2 and AAL3, which apply to most U.S. government systems as well as regulated sectors worldwide.
The standard specifies which authentication methods are acceptable at each level and emphasizes the use of phishing‑resistant mechanisms (such as FIDO2/WebAuthn authenticators, cryptographic hardware keys, or certificate‑based authentication), particularly at higher assurance levels.
Although NIST is a U.S. standards body, SP 800‑63 has become a globally recognized reference framework, influencing security requirements in government, finance, healthcare, and other regulated industries all around the world. As a result, MFA aligned with AAL2/AAL3 is widely treated as a baseline expectation for systems handling sensitive or high‑risk data.
SOC 2 – Service Organization Control 2 [Global]
SOC 2 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA), designed to evaluate how organizations manage customer data across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
While SOC 2 does not explicitly mandate multi‑factor authentication (MFA) by name, the framework requires “strong authentication” for logical access controls. In practice, strong authentication is interpreted by auditors as MFA, making MFA a de facto requirement for meeting the Security (Common Criteria) controls.
The most relevant SOC 2 criteria that require or strongly imply MFA include:
- CC6.1 – Logical Access Controls: Organizations must implement strong authentication mechanisms for access to systems and data.
- CC6.2 – User Access Provisioning: Privileged and administrative accounts must be protected with enhanced authentication.
- CC6.6 – Remote Access Security: Remote access must use secure authentication methods, typically MFA.
- CC7.2 – Change and Configuration Management: Administrative access to production systems must be tightly controlled, which in practice requires MFA.
In SOC 2 audits, MFA is treated as a baseline expectation for:
- privileged accounts,
- administrative access,
- remote access,
- access to production systems,
- access to systems storing customer data.
SOC 2 applies across all industries globally. It is not sector‑specific, and MFA is considered a fundamental requirement for achieving SOC 2 compliance.
General Data Protection Regulation (GDPR) [European Union]
While MFA is not explicitly required to comply with GDPR, it is worth noting that the European Union Agency for Cybersecurity (ENISA) has published guidelines that recommend using Two-Factor Authentication as the preferred method of access to systems that process personal data and access to mobile devices (Items K.7 and Q.8).
The NIS2 Directive [European Union]
Essential and important entities that operate within the European Union (EU) are obligated to adhere to the NIS2 Directive as transposed into national law. The NIS2 Directive is an EU legislative framework that requires member states and essential and important entities to implement specific cybersecurity risk-management measures, including the use of multi-factor authentication, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.
Organizations can utilize MFA to satisfy these requirements:
- Securing internal communication systems with MFA for NIS2 compliance
- Granting temporary access with MFA for NIS2 directive compliance
- Improving supply chain security with MFA for NIS2 Directive compliance
Meet Cross-Industry MFA Compliance Requirements
Try a 30-day Free Trial of Rublon MFA and strengthen access security to support cross-industry compliance, including NIS2 compliance, by enforcing MFA for remote access, privileged accounts, supply chain, and critical systems.
EU Cybersecurity Act [European Union]
The EU Cybersecurity Act impacts various EU sectors dealing with ICT products, services, or processes. While the act itself doesn’t mandate Multi-Factor Authentication (MFA), ENISA guidelines recommend its use, just like in the case of GDPR.
electronic IDentification, Authentication and Trust Services (eIDAS) [European Union]
This is a comprehensive framework that applies to various sectors within the European Union but also to non-EU businesses that cater to EU customers. eIDAS is particularly relevant for businesses, public administrations, and individuals who participate in electronic transactions or utilize electronic identification systems. The regulation introduces Levels of Assurance (LoA), which are categorized into three levels: Low, Substantial, and High. In practice, many eIDAS implementations at LoA Substantial use multi-factor authentication or equivalent controls to reach the required assurance, depending on the notified scheme. At LoA High, implementations typically require stronger protections (often hardware-backed) and higher assurance processes; whether a specific device meets LoA High depends on the eID scheme and its assurance evidence.
New York SHIELD Act [United States]
Enabling multi‑factor authentication (MFA) can help increase security and protect sensitive information. The SHIELD Act requires organizations handling private data of New York residents to implement “reasonable safeguards,” and MFA is recognized as one of the most effective measures for preventing unauthorized access. While not explicitly mandated by name, MFA is strongly recommended as part of the administrative, technical, and physical controls required under the Act.
The California Consumer Privacy Act (CCPA) [United States]
This act applies to businesses in California, especially those handling personal data of residents. While it doesn’t explicitly require multi-factor authentication (MFA), it mandates reasonable security measures to protect users’ personal information. Implementing MFA can help meet these requirements.
How to Maintain Regulatory Compliance In All These Sectors?
Navigating the complex landscape of regulatory compliance across various industries can be challenging. One key aspect of choosing the right MFA provider is ensuring it meets the diverse requirements outlined in various regulations.
Rublon MFA stands out as an excellent choice for businesses seeking to achieve regulatory compliance. It offers robust security features that align with the standards set by numerous regulatory bodies. Whether you’re operating in the financial sector under the scrutiny of the DORA, PCI DSS, GLBA, or SOX, or must comply with the NIS2 Directive, HIPAA, or FTC Safeguards Rule, Rublon MFA has got you covered.
Achieve Regulatory Compliance With Rublon MFA
Don’t just take our word for it. Experience the benefits of Rublon MFA for yourself. Click the Start Free Trial button to begin your free 30-day trial of Rublon MFA, and take the first step towards enhanced security and regulatory compliance today.
Conclusion
While 2FA is not mandatory across all industries, it is a crucial security measure in sectors handling sensitive data. By requiring an additional layer of authentication, 2FA provides an extra line of defense, making it harder for unauthorized individuals to access restricted information and systems.
All in all, it is a good idea to enable Multi-Factor Authentication (MFA) for all your employees, regardless of the industry your business belongs to. Even if MFA is not mandatory yet, it will be soon, so it is a good idea to prepare yourself beforehand.
FAQ – Two-Factor Authentication Requirements Across Industries
How to choose 2FA providers that meet industry regulations?
Choose a provider that supports strong authentication factors, integrates with your existing identity systems, and complies with the regulations relevant to your sector (PCI DSS, HIPAA, CJIS, NIST, NIS2, etc.). Look for features such as phishing-resistant MFA, granular access controls, and audit logs. Rublon MFA offers multiple authentication methods and meets requirements across financial, healthcare, government, and educational sectors.
What are the 2FA requirements for healthcare organizations in the US?
Healthcare providers must follow HIPAA and HITECH standards, which require strict access control and authentication mechanisms. While HIPAA does not explicitly mandate 2FA, multi-factor authentication is the easiest way to meet its technical safeguards. Electronic prescribing (EPCS) does explicitly require MFA. Rublon MFA supports compliant authentication methods for EHR systems and healthcare providers.
Best 2FA methods recommended for financial services companies?
Financial institutions typically rely on:
• OTP hardware tokens / FIPS-certified devices
• Smartcards
• Push notifications
• Biometrics
These methods align with PCI DSS, PSD2 (SCA), GLBA, and FFIEC guidance. With Rublon MFA, banks and fintech companies can deploy strong and compliant authentication factors with minimal friction.
Which industries have mandatory two-factor authentication regulations?
Mandatory sectors include:
• Finance (PCI DSS, PSD2, GLBA, FFIEC)
• Healthcare (EPCS, HIPAA technical safeguards)
• Defense & contractors (NIST SP 800-171, CMMC)
• Government agencies (NIST SP 800-63, Zero Trust)
• Law enforcement (CJIS)
Other sectors have “recommended but expected” MFA guidelines.
How do retail companies implement 2FA for customer accounts?
Retailers typically implement 2FA to comply with PCI DSS and to reduce fraud in customer portals and loyalty programs. SMS OTP, TOTP apps, and push notifications are commonly used. Rublon MFA can protect customer accounts, admin dashboards, and POS or remote access systems.
Top 2FA solutions for compliance in the education sector?
Educational institutions must meet FERPA and HEOA requirements, and many now follow NIST SP 800-63 guidelines. Recommended solutions include:
• Push-based authentication
• FIDO2 security keys
• TOTP apps
• Desktop login MFA
Rublon MFA has lightweight options suitable for both universities and smaller institutions.
What 2FA standards do government agencies follow in the US?
U.S. federal agencies follow NIST SP 800-63, Zero Trust Architecture, and FIPS requirements. MFA is mandatory for access to federal systems. Rublon MFA offers authentication capabilities aligned with NIST guidance and Zero Trust standards.
Does NIST require MFA?
NIST SP 800-63 requires multi-factor authentication (MFA) at Assurance Level 2 and above, which generally covers privileged accounts and sensitive information access. It discourages SMS-based authentication due to security risks, especially in high-assurance contexts. Rublon MFA supports secure methods aligned with these NIST recommendations.
Is 2FA really necessary for everyone?
Yes, even outside regulated industries. Over 80% of breaches involve weak or stolen passwords. Enabling MFA is the fastest and most effective way to stop unauthorized access. Rublon MFA helps organizations deploy a strong authentication system-wide with minimal effort.
Is MFA required for utilities / critical infrastructure?
Yes, either explicitly or as the most practical way to meet access-control requirements. Utilities often fall under sector regulations and directives (e.g., electricity, pipelines, water and wastewater), which focus heavily on securing remote access and privileged accounts. Even when MFA is not named as a single mandatory control, it is commonly expected as part of strong authentication for high-risk access paths into operational environments.
2FA vs MFA for compliance: is 2FA enough?
Sometimes. Many regulations use “MFA” as an umbrella term and accept 2FA as a valid implementation if it uses two different authentication factors. However, for higher-risk scenarios, such as administrator accounts, remote access, and access to sensitive systems, and high-risk industries like government and defense, some standards and guidance expect a stronger form of multi-factor authentication called phishing-resistant MFA. The safest approach is to treat 2FA as a baseline and use stronger, phishing-resistant MFA for privileged and remote access.
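To make the "two different authentication factors" point concrete, here is a small server-side check added as an example; it is not code from the original article or from Rublon. It classifies each authenticator into the usual knowledge / possession / inherence categories, so that a password plus a PIN (two knowledge factors) does not count as MFA while a password plus a TOTP code (RFC 6238, a possession factor) does. The user record, salt and TOTP secret are constructed sample data (the secret is the RFC 6238 reference key, not a real user key), and PBKDF2 stands in for whatever password KDF a real deployment uses.

```python
"""Added example: verifying that a login presents two distinct factor categories,
with RFC 6238 TOTP as the possession factor. Sample data is constructed."""
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Set

# Category of each authenticator type (assumed, illustrative mapping).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift).
    Constant-time comparison avoids leaking how many digits matched."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def distinct_factor_categories(presented: Iterable[str]) -> Set[str]:
    """Collapse the verified authenticators to the set of categories they cover."""
    return {FACTOR_CATEGORY[p] for p in presented if p in FACTOR_CATEGORY}


def is_multi_factor(presented: Iterable[str]) -> bool:
    """MFA means at least two *different* categories, not two authenticators."""
    return len(distinct_factor_categories(presented)) >= 2


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in for the deployment's real password KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample user store (not real credentials).
SAMPLE_SALT = b"constructed-salt"
SAMPLE_SECRET = b"12345678901234567890"  # RFC 6238 reference secret, used only as sample data
USERS: Dict[str, dict] = {
    "alice": {
        "pw": hash_password("correct horse", SAMPLE_SALT),
        "salt": SAMPLE_SALT,
        "totp_secret": SAMPLE_SECRET,
    }
}


def authenticate(username: str, password: str, code: str, at: int, users=USERS) -> dict:
    """Check both factors, then decide on the *categories* satisfied, not the count.
    Both checks always run so the response time does not reveal which factor failed."""
    rec = users.get(username)
    if rec is None:
        return {"ok": False, "categories": set()}
    satisfied = []
    if hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"]):
        satisfied.append("password")
    if verify_totp(rec["totp_secret"], code, at):
        satisfied.append("totp")
    categories = distinct_factor_categories(satisfied)
    return {"ok": len(categories) >= 2, "categories": categories}


if __name__ == "__main__":
    now = 59  # fixed timestamp so the demo is reproducible (RFC 6238 test vector time)
    print("password + PIN is MFA?", is_multi_factor(["password", "pin"]))
    print("password + TOTP is MFA?", is_multi_factor(["password", "totp"]))
    print(authenticate("alice", "correct horse", totp(SAMPLE_SECRET, now), now))
```

The `window` argument is the usual trade-off a practitioner tunes: one step of tolerance absorbs phone clock drift, while a wide window multiplies the number of codes an attacker could guess. Note also that a correct TOTP implementation still only proves possession of the secret; it is not phishing-resistant in the sense the answer above describes, which is why FIDO2/WebAuthn is preferred for privileged and remote access.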