NY S01139
Bill
Status
6/11/2025
Primary Sponsor
Kristen Gonzalez
AI Summary
- Requires all New York governmental entities (state and local agencies, public authorities, SUNY, CUNY, counties, cities, towns, villages) to consider implementing multifactor authentication for network access to email, cloud storage, web applications, databases, and servers, excluding judiciary and legislatures
- Defines multifactor authentication as requiring two or more credential types: knowledge-based (passwords/PINs), possession-based (security tokens, key fobs, smartphone apps), or biometric information (fingerprints, facial geometry, iris patterns, voice, gait)
- Prohibits governmental entities from requiring biometric information for network access, and bans selling, monetizing, or sharing biometric data with law enforcement without a warrant
- Mandates all government websites encrypt data exchanges between web servers and browsers, requiring HTTPS-level protection for all transfers
- Authorizes the Office of Information Technology Services to establish technical standards using federal guidelines (NIST, FedRAMP, FISMA, DFARS), including accessibility provisions for individuals with disabilities, and allows two-year waivers for entities upon application
- Takes effect one year after becoming law, with rulemaking authority effective immediately
Legislative Description
Requires governmental entities to, whenever possible and feasible, consider implementing multifactor authentication for local and remote network access; requires public websites to encrypt all exchanges and to comply with privacy standards.
Last Action
REPORTED AND COMMITTED TO FINANCE
2/25/2026