
FHA’s New Phishing-Resistant MFA Becomes Mandatory October 27 — Here’s What You Need to Know

October 25, 2025

The Federal Housing Administration (FHA) is tightening its cybersecurity protocols. Beginning Monday, October 27, 2025, all FHA Connection (FHAC) users will be required to implement a phishing-resistant multi-factor authentication (MFA) method to continue accessing the platform.

This new authentication requirement was announced in FHA INFO 2025-44 and replaces the MFA process previously communicated in late 2023. The change is part of FHA’s broader effort to strengthen identity management, enhance data protection, and reduce exposure to phishing and credential-based attacks.

1. What’s Changing and Why It Matters

Phishing scams (through email, text, calls, or social media) continue to pose one of the largest cybersecurity risks to lenders and financial institutions. These attacks often attempt to trick users into entering credentials on fraudulent sites or downloading malware.

FHA’s new phishing-resistant MFA is designed to close these vulnerabilities by ensuring that access to FHA systems cannot be gained using stolen usernames or passwords alone. Instead, users must authenticate with a trusted device or biometric factor through OKTA FastPass or FIDO2 authentication.

This additional layer of security aligns FHA with the federal government’s broader movement toward zero-trust architecture and compliance with OMB Memorandum M-22-09, which requires federal systems to adopt phishing-resistant MFA standards.

2. Who This Affects

The requirement applies to all individual users accessing FHA Connection directly via the web portal. Those who connect to FHAC via Business-to-Government integrations (such as Encompass) are not affected and can continue operating without changes to their login process.

3. Implementation Checklist

To avoid access issues on October 27, users should complete setup this week:

1. Choose Your Authentication Option:

◊  OKTA FastPass (Recommended): Use the OKTA Verify app on your workstation or mobile device.
◊  FIDO2 Authentication: Use Windows Hello, Touch ID, or an equivalent biometric or hardware-based option.

2. Download and Install: Install OKTA Verify from the Windows Installer or your device’s app store.

3. Configure MFA:

◊  Log in to FHA Connection and follow the prompts to register your selected authentication method.
◊  For FIDO2 users, confirm your device is configured for biometric or security key use.

4. Verify Access: Test your login to ensure the MFA method is functioning correctly before the October 27 deadline.

If you encounter any issues, contact your IT team or reach out to the FHA Resource Center for assistance.

4. Why It Matters for Brokers and Lenders

While this update primarily affects users who log directly into FHA Connection, it reflects a broader regulatory trend toward enhanced cybersecurity across all mortgage technology systems. Brokers and lenders should expect similar standards to expand to other platforms and investor portals as part of a growing federal focus on identity protection and data security.

Beginning Monday, October 27, FHA Connection will only be accessible to users who have implemented phishing-resistant MFA through OKTA FastPass or FIDO2 authentication. Those who have not completed setup by the deadline will lose access to FHAC until MFA enrollment is complete. To prevent disruption, users should finalize setup immediately and verify successful access in advance.
