Multi-Factor Authentication (MFA)
What's New
Effective July 25, 2025, FINRA will retire three (3) multi-factor authentication (MFA) options that FINRA Entitlement Program accounts currently use to verify access:
- phone calls (landline or cell);
- text messages (SMS); and
- fingerprint/facial recognition (Windows Hello/Touch ID).
FINRA is committed to protecting the integrity and confidentiality of the data and systems organizations use. As FINRA upgrades its security posture against evolving phishing and cyberattacks and to reduce the risk of data breaches, it is necessary to retire these three options. In addition, FINRA is required to make these updates to comply with Zero Trust Architecture to protect data, applications, and networks.
On and after July 25, 2025, users who use phone calls, text messages or fingerprint/facial recognition as their MFA option will need to choose one of the following compliant options:
- Duo Verified Push Notifications on their smart phone or tablet
- Duo Mobile Passcode Notifications on the Duo application
- Security Key Verification using a supported USB security key
Users using a phone (landline or cell) device will be required to download the Duo application to a smartphone or tablet or purchase a security key device before July 25, 2025, to prevent interruption in their access.
To change to an allowed MFA option, log into FINRA Gateway, click ‘Continue to MFA’, select ‘Other Options’, select one of the MFA options and follow the instructions to complete the login process.
To add an additional MFA device, log into FINRA Gateway, click ‘Continue to MFA’, select ‘Other Options’, select ‘Manage Devices’ and follow the instructions. You will be prompted to verify your current MFA option before being allowed to add a new MFA device.
FINRA strongly encourages users to update their MFA option prior to July 25, 2025, to prevent delays in accessing applications on the FINRA Entitlement Program and work disruptions.
FINRA MFA Guide (PDF 1 MB)
What is MFA?
Multi-factor authentication (MFA) is an additional layer of security beyond the user ID and password that enhances security of your account, using another device to verify identity. This additional security control is provided by the vendor Cisco Duo.
Users can enroll with a smartphone, tablet or security key to initiate MFA. You will be directed to the Duo website to complete MFA.
The enrollment steps only need to be completed once per account.
FINRA systems protected by MFA can be accessed from Windows or Mac computers running on one of the latest versions of the operating system. Duo Mobile app works with iOS and Android. Please note that end-of-life versions of operating systems are not supported and access will be blocked.
Devices using end-of-life operating systems are blocked from accessing FINRA systems. You will not be able to access FINRA systems until you upgrade to a supported version of an operating system. Please consult your IT provider for more information related to end-of-life operating systems.
Please contact the FINRA Support Center if you have questions about this implementation.
Sharing account credentials to access FINRA systems violates FINRA security policy and is strictly prohibited. An account must be used only by the person for whom it is created.
Frequently Asked Questions
1Q: Why has FINRA implemented MFA?
1A: Multi-factor authentication, or MFA, is one of the most effective security controls currently available to protect an organization against remote security attacks. If a user's credentials are compromised, MFA can prevent a security breach through an additional verification process during login.
FINRA is committed to protecting its organizations’ data and systems from being exposed to security vulnerabilities. Therefore, FINRA has mandated the use of MFA as an additional verification step for users logging into FINRA systems.
2Q: How does MFA benefit my organization?
2A: MFA adds a second layer of security, helping the account stay secure even if the password is compromised. Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked and a user might not even know someone is accessing their account.
This second factor of authentication is separate and independent from an account’s username and password.
3Q: Is MFA mandatory?
3A: Yes, all active users from authorized organizations on the FINRA Entitlement Program must follow FINRA’s MFA requirement. Organizations that use single sign-on (SSO) must use their organization’s MFA that meets FINRA’s Technical Requirements.
4Q: What are the compliant MFA Options with the July 25, 2025 MFA Change?
- Verified Duo Push requires a verification code to be entered into the Duo Mobile Application to complete authentication. Users will have 60 seconds to enter the code from when it is displayed.
- Security Key is a digital service on a personal device or a physical device that allows users to authenticate through the MFA process. If a user decides to purchase and use a physical security key, MFA is completed by inserting the security key into the USB port on the computer and, if needed for the model used, the user taps the security key or presses the security key button.
  - For information on using a digital security key, such as a passkey, please visit How to Set Up a Passkey.
  - The user must have a supported security key. Duo MFA supports WebAuthn/FIDO2 security keys such as those offered by Yubico and Feitian. U2F-only security keys such as the Yubikey NEO-n are not supported with Firefox.
  - FINRA does not endorse any specific security key vendor or model and recommends that organizations perform adequate testing to ensure that the device they intend to use is compatible with Duo MFA for FINRA. More information on Duo-compatible security keys is available on Duo’s website.
- Duo Mobile Passcode requires a verification code to be entered into the FINRA login page to complete authentication.
- ByPass Code is provided on an exception basis by the FINRA Support Center when a user is experiencing issues with their mobile device and only after the user has provided accurate responses to all security questions.
5Q: Will I be required to re-enter identifying information to reauthenticate each time I log in?
5A: If the same computer and browser are used within a 24-hour timeframe to access FINRA systems, you will not be required to re-enter identifying information to reauthenticate each time you log in.
6Q: Which computers support FINRA MFA?
6A: FINRA websites protected by MFA can be accessed from Windows or Mac computers running on one of the latest versions of the operating system.
7Q: What do I do if I lost my phone?
7A: It is strongly recommended that you delete the lost device from your MFA settings; however, you must have at least two registered devices in order to delete the old one. Enroll your new device, then use Manage Devices to delete your lost or stolen phone as described in Section 4 of the FINRA MFA Guide.
If you are not able to log in to Duo Mobile at all, contact the FINRA Support Center at (301) 590-6500 to have MFA from your missing phone disabled and to get a one-time passcode so you can log on using that passcode.
8Q: How do I reactivate Duo Mobile?
8A: If you get a new phone, you will need to re-activate Duo Mobile. You may add and enroll your new device by using Manage Devices as described in Section 3 of the FINRA MFA Guide. Otherwise, contact the FINRA Support Center at (301) 590-6500 to reactivate Duo Mobile.
9Q: Why am I not receiving Push Notifications from Duo Mobile?
9A: You may have trouble receiving verified push notifications if there are network issues between your phone and the Duo Mobile service. Many phones have trouble determining whether to use the Wi-Fi or cellular data channel when checking for push notifications. To resolve this issue, if you have a reliable internet connection, turn on airplane mode and then turn it off again to return the phone to its normal operating mode. Similarly, the issue may be resolved by turning off the Wi-Fi connection on your device and using the cellular data connection.
If the actions above do not resolve the issue, check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.
If you cannot get Duo Push working on your own, log in with other options available in the Duo Mobile application. Refer to Section 2 of the FINRA MFA Guide for details.
10Q: Can usernames or passwords be shared among multiple users within a firm?
10A: Sharing account credentials to access FINRA systems violates FINRA security policy and is strictly prohibited. An account must be used only by the person for whom the account was created.
Need Help?
If you need assistance using MFA, contact the FINRA Support Center at:
Broker Dealers - (301) 869-6699
Funding Portals - (800) 321-6273
Investment Advisors - (240) 386-4848
General Inquiries - (301) 590-6500