In 2025, the Federal Housing Administration (FHA) rolled out a mandatory phishing-resistant multi-factor authentication (MFA) requirement for all users of its FHAC (FHA Connection) system. This update is part of FHA’s broader effort to protect sensitive data, bolster identity management, and prevent credential-related breaches.
But for mortgage lenders, this is more than a technical update—it’s a business-critical change. If your users fail to adopt the new MFA by the deadline, they will be unable to log in to FHAC at all, disrupting daily workflows, jeopardizing certifications, and potentially derailing HUD recertification timelines.
What it Means
- Phishing-resistant MFA means more than just a code via SMS or email: FHA requires stronger factors such as FIDO2 security keys, biometric authenticators, or OKTA FastPass. These methods help ensure that login credentials cannot be easily phished or compromised.
- All FHAC users (except those connecting via the FHA’s Business-to-Government (B2G) interface) are required to adopt this stronger form of MFA.
- The timeline has been extended so users have more time to make the switch. Originally, the deadline was July 28, 2025; some later notices push mandatory compliance to October 27, 2025.
How to Implement It
If your institution (or your users) needs to comply, here are the key steps:
- Choose your MFA method. You have two main options:
  - OKTA FastPass (recommended) – install the OKTA Verify app on desktops or mobile, configure it, and set FastPass as the default.
  - FIDO2 / Security Key or biometrics – this requires compatible hardware (Windows Hello, Mac biometric, etc.).
- Deploy / Configure across your user base
  - Ensure users have FHAC user IDs and are registered properly.
  - Your IT department may need to enable workstation support for FIDO2 or distribute OKTA Verify.
- Test and validate
  - Have users log in via the new MFA method ahead of the deadline to ensure there are no access or compatibility issues.
  - Identify and resolve any issues in your environment (e.g., an old OS that doesn’t support FIDO2, devices incapable of biometrics, etc.).
- Communicate to all stakeholders
  - Anybody who accesses FHAC must be aware of the change; failure to adopt MFA in time will mean losing access.
  - Include internal teams such as compliance, security, and IT, so policies are updated.
The Mortgage Lender Impact
For mortgage lenders, FHAC isn’t optional. It’s central to daily operations. The system is used for:
- Submitting case binders and endorsements
- Managing insurance applications and claims
- Pulling FHA Connection reports
- Processing certifications and renewals
- Accessing lender approval and monitoring information
Without MFA-enabled access, your staff won’t be able to log in to complete these core tasks. That means loans stall, insurance endorsements are delayed, and compliance timelines slip. For institutions with multiple users, even one person locked out of FHAC can create bottlenecks that ripple through processing pipelines.
In short: failure to implement phishing-resistant MFA doesn’t just risk compliance—it risks the continuity of your FHA lending business.
Impact on HUD & FHA Recertification
This part is especially important. If your organization needs to maintain or renew HUD/FHA approval or recertification status, the MFA change can affect you in several ways:
- Access Requirement: Recertification often requires using FHAC to submit forms, manage certifications, or perform lender recertification. If key users don’t have access, those functions can’t be performed, which can delay or block recertification.
- User Identity & Security Audit: Many recertification/compliance reviews assess identity management, internal controls, authentication, and access controls. By implementing phishing-resistant MFA, your organization strengthens its compliance posture. Conversely, not having it could show up as a deficiency.
- Timeliness: Deadlines for recertification often don’t wait. Even if your FHA/HUD recertification window is open, inability to access FHAC due to missing MFA could mean missing parts of the recertification package or being unable to validate or submit required documentation.
FHA’s phishing-resistant MFA requirement is more than a security upgrade—it’s a make-or-break access point for lenders. Missing the deadline means losing FHA Connection login privileges, which disrupts daily operations and threatens timely HUD recertification.
By acting now—choosing your MFA method, training staff, and validating logins—you not only secure your systems but also protect your ability to process loans, manage insurance, and maintain compliance without interruption.
For more information, contact the FHA Resource Center via answers@hud.gov.