TL;DR: New Jersey’s gaming guidance makes two-factor and multi-factor authentication a compliance requirement for internet and mobile operators, while also exposing practical limits in password, document, phone, and biometric approaches, according to Prove Identity. The real issue is not whether MFA exists, but whether it actually prevents account takeover and proxy betting under real operating conditions.
NHIMG editorial — based on content published by Prove Identity: Sports Betting Operators Go All In on Digital Authentication to Meet New Jersey’s 2022 MFA Regulations
Questions worth separating out
Q: How should regulated operators implement MFA without creating unnecessary abandonment?
A: Start by separating high-risk actions from low-risk account activity, then use the least-friction factor that still gives the assurance level the policy requires.
Q: Why do passwords and security questions fail as strong authentication in consumer apps?
A: They fail because they depend on user memory, are frequently reused, and are often exposed through breaches or public data.
Q: How can teams tell whether MFA is actually reducing fraud?
A: Look beyond login success rates and measure account takeover frequency, proxy use, anomalous device changes, and the share of high-risk transactions blocked after step-up.
Practitioner guidance
- Rebuild authentication policy around regulated use cases Separate casual consumer sign-in from accounts that can place wagers, move funds, or trigger jurisdictional obligations.
- Prefer possession-based signals for mobile-first access Use phone intelligence, device continuity, and live possession evidence where mobile access dominates.
- Treat proxy betting as a session governance issue Monitor whether the authenticated user remains the active user across the session and transaction flow.
What's in the full article
Prove Identity's full article covers the implementation detail this post intentionally leaves for the source:
- Detailed comparison of password, possession, and biometric factor options for regulated gaming journeys
- Practical discussion of phone-based authentication and how it reduces friction in mobile wagering
- Operational considerations for preventing proxy betting without degrading patron experience
- The article's framing of proxy betting as an identity and fraud problem across the user journey
👉 Read Prove Identity's analysis of MFA requirements for sports betting operators →
New Jersey MFA rules and sports betting identity controls , what changed?
Explore further
Authentication rules become governance rules when regulators spell out MFA requirements. New Jersey’s guidance moves MFA from recommendation to control expectation, which changes how identity teams should think about assurance, auditability, and exception handling. The practical effect is that authentication method choice now carries regulatory weight, not just UX trade-offs. For practitioners, the control has to be defensible in both fraud and compliance terms.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when authentication satisfies policy but proxy betting still occurs?
A: Accountability usually sits with the operator’s identity, fraud, and compliance owners together, because the failure is in the control design, not just the user journey. The programme has to prove that authentication, session integrity, and jurisdiction checks work as one control chain.
👉 Read our full editorial: New Jersey MFA rules show where sports betting identity controls fail