NY A07331
Bill
Status
5/17/2023
Primary Sponsor
Steven Otis
AI Summary
- Requires every governmental entity to implement multifactor authentication whenever possible and feasible for local and remote network access to email accounts, cloud storage, web applications, networks, databases, and servers.
- Defines multifactor authentication as using two or more types of identification credentials including knowledge-based (passwords/PINs), possession-based (security tokens/smartphones), and inherence-based credentials (fingerprints/facial recognition).
- Prohibits governmental entities from requiring inherence-based credentials for network access and bans selling, monetizing, or sharing biometric data with law enforcement without a warrant.
- Directs the Office of Technology to establish technical standards referencing National Institute of Standards and Technology, FedRAMP, FISMA, and DFARS guidelines, and allows waivers valid for no longer than two years.
- Requires all governmental entity websites to encrypt all data exchanges between web servers and browsers unless equivalent security measures are provided.
Legislative Description
Requires governmental entities to, whenever possible and feasible, consider implementing multifactor authentication for local and remote network access; requires public websites to encrypt all exchanges and to comply with privacy standards.
Last Action
ordered to third reading rules cal.447
6/5/2024