Regulators Consider Rule Requiring Massachusetts Sports Betting Operators To Use Multi-Factor Authentication

Written By Mike Breen on September 5, 2024 - Last Updated on September 6, 2024

The Massachusetts Gaming Commission is considering a new rule that would integrate multi-factor authentication (MFA) into online sportsbooks.

A new rule could require all Massachusetts online sports betting customers to provide additional information with each login, at certain intervals, or while completing particular actions, like making deposits or withdrawals. 

Massachusetts considers MFA checkpoints for sportsbooks

The commissioners discussed the potential new MFA regulation at the MGC’s Aug. 29 public meeting. 

In a memo to commissioners, MFA was described as “a multi-step account login process that requires users to enter more information than a password alone.” Examples of MFA include having a unique passcode sent to a user’s phone number or email, using a fingerprint or face scan, or answering a secret question users provide when setting up an account. 

The process is commonly used by banking institutions and other online commerce sites to protect customers’ sensitive data, such as bank account routing numbers or debit card details. In online gaming, requiring MFA is also seen as a protection to keep others (particularly underage people) from directly accessing an account without the account holder’s permission. There are also further Massachusetts responsible gaming implications. Adding an extra step before allowing someone to gamble is seen by some RG experts as another opportunity for a user to have a brief pause to consider their actions.

Ohio paves the way for multi-factor authentication

Ohio will soon become the first state to require MFA checks every time a player logs into their sportsbook account. A rule with the MFA requirement was proposed in January and is currently working its way through Ohio’s regulatory process. The rule is estimated to be implemented in October.

According to the MGC, New Jersey, Iowa, and Pennsylvania currently require MFA for customers when they first log into their sports betting accounts on a new device, and then again every 14 days on each unique device.

Massachusetts doesn’t currently require MFA. But like Michigan and Illinois, Massachusetts requires online sportsbooks to provide customers with the option. Bally Bet is the only Massachusetts sportsbook to require customers to use MFA in some form. Bally Bet users must use MFA at their initial login and then every 14 days after.

Most MA commissioners don’t favor requiring MFA with every login

While all four Massachusetts commissioners expressed an openness to adopt some kind of rule, each had differing opinions regarding the level of MFA requirements. Most of the commissioners drew upon personal experience with MFA to inform their opinion.

MGC interim chair Jordan Maynard said he uses MFA often and supported requiring sports betting operators to provide the checkpoints. But Maynard leaned towards requiring MFA upon new device login and again after certain time intervals.

Maynard said:

“I like MFA in every part of my life and when it’s optional I actually sign up for it. I have MFA on for Amazon, for example. If you have your bank account tied to something or you have your debit card tied to something, it’s good to kind of lock that up, right? I am open to going further than we did when we launched, which was just make (MFA) optional.”

Eileen O’Brien was the only commissioner who said they favored requiring MFA with each login. However, she said she was open to requiring the checkpoints at particular intervals instead. Commissioners Brad Hill and Nakisha Skinner, meanwhile, both said they see constant MFA requirements as an inconvenience for customers. 

Skinner said:

“I recognize the importance of protecting the player account but I also want to acknowledge that there could be an inconvenience to patrons. The protection will outweigh any inconvenience, there’s no doubt about that. But just even in my own personal life, we see these requirements all the time. I am not one who signs up for it to happen at each login. I just find it hugely inconvenient. My device is password protected. I think that provides a level of protection that I’m comfortable with.”

Commission requests more info, decision to come later

Ultimately, Massachusetts commissioners asked for more information before making a decision on the MFA requirement. They said they’d like more information from the MGC responsible gaming division about the RG impacts. They also requested feedback from the state’s online sportsbook operators.

Commissioner Hill also asked that the MGC’s legal department draft some potential MFA regulations. That way, should they reach a consensus when addressing the matter next time, they could approve the rule with a vote rather than wait until another meeting.


Mike Breen is an Ohio-based professional writer who has more than two decades of experience covering sports, news, music, arts and culture. He has covered online sports betting, responsible gambling, and other gambling initiatives for a variety of markets over the last couple of years. That now includes PlayMA.
