PA Operators Must Implement Security Changes By End of Year

The Pennsylvania Gaming Control Board (PGCB) is requiring operators to enact either two-factor (2FA) or multi-factor (MFA) authentication by December 31.
December 13, 2022

At the end of the year, Pennsylvania will become the third jurisdiction in North America to require that online operators either enact two-factor (2FA) or multi-factor (MFA) authentication — methods designed to verify a player’s identity while also protecting their accounts from hackers.

Last June, the Pennsylvania Gaming Control Board (PGCB) issued a directive to all of its interactive gaming operator licensees, requiring them to implement an MFA method “for each device that a patron uses to access their interactive account” by December 31, 2022, according to PGCB spokesman Doug Harbach.

“The PGCB has been proactive in this area,” Harbach said.

Regulator Gives Operators Three Requirements

MFA is defined as a strong type of authentication, while 2FA is the concept of using two forms of such authentication together in order to verify a person’s identity. The forms of identity are usually broken down into three categories:

  • What You Know (knowledge-based authentication): information known only to the player, such as a password, a pattern, or answers to personal questions (e.g. the name of a childhood pet, a first address, the name of a second-grade teacher)
  • What You Have (token-based authentication): something in the player’s possession (e.g. a mobile device or a legal ID)
  • What You Are (biometric authentication): a physical characteristic, such as a fingerprint, or identity confirmation through face or voice recognition

According to Harbach, PGCB told operators that each device used by a player will be required to have MFA performed every 14 days — meaning players will need to re-enter their credentials every two weeks. By requiring such verification on a regular basis, operators can help ensure that the person accessing the account is the actual player who owns it.
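As an added illustration of the per-device, 14-day rule described above (this is not code from the PGCB directive or from any operator): a device token bound to the server with an HMAC, so a client cannot forge a "recently verified" device, and a freshness check that forces MFA for unknown, tampered, never-verified or expired devices. The server key, the device-id format and the in-memory store are all constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed key for this example; a real deployment would load it from a secret store.
SERVER_KEY = b"example-server-key-not-for-production"
MFA_WINDOW_SECONDS = 14 * 24 * 60 * 60  # MFA per device at least every 14 days


def new_device_id() -> str:
    """Random identifier assigned to a device the first time it is seen."""
    return secrets.token_hex(16)


def issue_device_token(device_id: str) -> str:
    """Return 'device_id.tag'; the HMAC tag stops the client from inventing device ids."""
    tag = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def parse_device_token(token: str):
    """Return the device id if the tag verifies, otherwise None (treated as a new device)."""
    device_id, _, tag = token.partition(".")
    expected = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if tag and hmac.compare_digest(tag, expected) else None


class MfaPolicy:
    def __init__(self):
        # (patron_id, device_id) -> unix time of the last successful MFA (constructed in-memory store)
        self.last_mfa = {}

    def record_mfa_success(self, patron_id: str, device_id: str, now: int) -> None:
        self.last_mfa[(patron_id, device_id)] = now

    def mfa_required(self, patron_id: str, token, now: int) -> bool:
        """True if this patron must complete MFA on this device before proceeding."""
        device_id = parse_device_token(token) if token else None
        if device_id is None:  # unknown or tampered token: treat as a brand-new device
            return True
        last = self.last_mfa.get((patron_id, device_id))
        if last is None or now < last:  # never verified here, or clock moved backwards
            return True
        return now - last >= MFA_WINDOW_SECONDS  # window is per patron AND per device
```

Because the key is (patron, device), a second patron logging in from the same device gets its own 14-day clock rather than inheriting the first patron's verification.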

The regulator also required operators to have annual security checks performed by an independent third-party cybersecurity firm. Such security reviews can identify “any potential vulnerabilities and weaknesses the operator’s platform may have,” Harbach said.

“Operators are required to report the results of the security assessment, along with a detailed remediation plan that must address any considerable risks identified as part of the security assessment.”

PGCB also directed operators to encrypt the personal information of their players in a database under the operator’s control. Operators must also ensure that encryption of players’ personal data is strictly enforced and forms an integral part of the aforementioned annual third-party security check.

“The PGCB requires all Pennsylvania operators to perform quarterly vulnerability and penetration tests that check against existing and new IT security risks,” Harbach said.

In Pennsylvania, three operators — betPARX, FanDuel, and Unibet — have already implemented either 2FA or MFA, according to reports.

New Jersey, Ontario Started 2FA/MFA in 2022

Pennsylvania follows New Jersey and Ontario in enacting either 2FA or MFA. Both jurisdictions took that step in 2022.

In New Jersey, the state’s Division of Gaming Enforcement (NJDGE) issued guidelines in March and required operators to begin either 2FA or MFA by June 30. The regulator declined to comment on the new guidelines during the late summer months but did not report any issues in the months since.

North of the border, Ontario’s regulated market for online poker, casino gaming, and sports betting launched on April 4. Gaming is regulated by the Alcohol and Gaming Commission of Ontario (AGCO), and operators in the province must adhere to the AGCO registrar’s Standards for Internet Gaming.

Among the standards — specifically, under “Player Account Maintenance and Transactions” — is a requirement that players, at a minimum, “be given the option to use multi-factor authentication when logging in.”
