
FTC Safeguards Rule Compliance – with Phishing-Resistant MFA
Executive Summary
Auto dealerships are now at the intersection of two major pressures: regulatory enforcement and cyberattacks targeting critical operations.
Under the FTC Safeguards Rule—part of the Gramm-Leach-Bliley Act (GLBA)—dealerships that handle financing or leasing are legally considered “financial institutions.” They must maintain a formal information security program, including strong access controls and multi-factor authentication (MFA).
At the same time, cybercriminals have exposed just how fragile dealership infrastructure can be. In June 2024, the CDK Global ransomware attack disrupted nearly 15,000 dealerships across North America, forcing many to revert to pen and paper. Estimated dealer losses topped $1 billion over several weeks.
The Safeguards Rule now requires MFA for anyone accessing customer information—unless an equally or more secure control is formally approved. But traditional “MFA” methods—like passwords with SMS, email codes, or push approvals—no longer meet the standard.
TraitWare delivers a new model: passwordless, phishing-resistant MFA that binds identity to both the user and their device. By removing passwords entirely, centralizing identity, and enforcing access control across DMS, OEM portals, F&I systems, and internal applications, TraitWare helps dealerships:
- Achieve full compliance with the Safeguards Rule—defensibly.
- Reduce cyber and vendor risk.
- Strengthen cyber insurance eligibility.
- Streamline access and improve productivity across the dealership.
1. The Safeguards Rule—In Plain Language
The FTC’s Safeguards Rule (16 C.F.R. Part 314) requires covered institutions—including most dealerships—to implement a risk-based information security program that includes:
Access Controls & MFA: Every individual accessing systems with customer information must use MFA, unless an approved equivalent is documented.
Vendor Oversight: Dealerships must ensure DMS, MSP, and SaaS vendors also safeguard customer data.
Incident Response & Reporting: Dealers must now report qualifying breaches to the FTC and maintain a formal incident response plan.
In short: Dealerships must prove—not just claim—that their access controls are consistent, secure, and auditable.
2. Why Auto Dealerships Are Prime Targets
Dealerships are data-rich, fast-paced, and highly connected, making them ideal targets. Attackers exploit:
- High-value personal and financial data (SSNs, income, credit details).
- Interconnected third-party systems (DMS, CRM, OEM, lenders).
- Legacy authentication and shared accounts.
Regulators have noticed. The FTC’s updates were designed to bring auto retail into modern security standards. Yet many dealerships still rely on weak MFA or shared passwords—direct violations of today’s expectations.
3. Lessons from the CDK Global Cyberattack
The CDK Global ransomware incident exposed a critical truth: dealerships are only as strong as their weakest identity control.
- Nearly 15,000 dealerships were affected.
- Sales and service operations halted for weeks.
- Losses reached nearly $1 billion.
- The breach underscored that identity is an attack surface and that vendor risk equals dealer risk. When identity fails, everything stops.
4. Legacy MFA Isn’t Enough
Common MFA approaches—like password + SMS code or password + push approval—can’t stop modern threats. Attackers exploit them through:
- Phishing and MFA fatigue attacks
- Password reuse
- Shared logins
- Inconsistent MFA coverage across systems
Even if technically compliant, these methods are not phishing-resistant, and won’t withstand an FTC audit or a post-incident investigation.
5. What “Phishing-Resistant MFA” Really Means
According to CISA and NIST guidance, phishing-resistant MFA is built on the FIDO2/WebAuthn standards, which authenticate with device-bound cryptographic key pairs rather than shared secrets.
It ensures:
- No passwords to steal or reuse.
- Device-level proof of authenticity.
- Biometric or PIN verification on the user’s own device.
- Origin-binding that prevents fake login pages.
TraitWare implements these standards to provide true phishing resistance and passwordless access across all dealership systems.
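To show what "origin-binding" and "device-level proof" mean in practice, the following is an added example (not TraitWare's or the FTC's code) of the checks a WebAuthn relying party performs on an assertion before it verifies the signature; the dealership domain, challenge, and flag values are constructed for illustration.

```python
import base64
import hashlib
import json

# Constructed values for a hypothetical dealership relying party (RP);
# this is an added illustration, not TraitWare's code.
RP_ID = "dealer.example"
RP_ORIGIN = "https://dealer.example"
FLAG_UP, FLAG_UV = 0x01, 0x04  # user present / user verified (PIN or biometric)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it: the browser, not the web page,
    fills in `origin`, so a look-alike site cannot claim the real one."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """authenticatorData prefix: sha256(rpId) || flags || 32-bit signCount."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))

def verify_binding(client_data_json: bytes, auth_data: bytes,
                   expected_challenge: bytes) -> tuple[bool, str]:
    """Binding checks an RP performs before checking the signature, which covers
    authenticatorData || sha256(clientDataJSON) so neither field can be altered."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch: replayed or wrong session"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_UV:
        return False, "user verification (PIN/biometric) not performed"
    return True, "bound to RP and device; proceed to signature check"

if __name__ == "__main__":
    challenge = b"constructed-challenge-value"  # a real RP uses fresh random bytes
    auth = make_auth_data(RP_ID, FLAG_UP | FLAG_UV)
    print(verify_binding(make_client_data(RP_ORIGIN, challenge), auth, challenge))
    # Assertion produced on a look-alike domain is rejected by origin alone:
    print(verify_binding(make_client_data("https://dealer-example.com", challenge), auth, challenge))
    # Assertion without user verification is rejected as well:
    print(verify_binding(make_client_data(RP_ORIGIN, challenge), make_auth_data(RP_ID, FLAG_UP), challenge))
```

In a real deployment the browser would refuse to produce an assertion for `dealer.example` from any other origin in the first place; the RP-side checks above are the defence in depth that makes a relayed or replayed assertion worthless.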
6. Centralized Identity for the Modern Dealership
A secure identity foundation combines Single Sign-On (SSO), role-based access, and automated lifecycle management.
TraitWare delivers:
- One identity per user, synchronized with Entra ID / Azure AD.
- Phishing-resistant MFA by default across DMS, OEM, CRM, and internal systems.
- Automatic onboarding and offboarding for rapid, secure access changes.
- Centralized visibility and reporting for compliance and insurance documentation.
This isn’t just security—it’s operational clarity and regulatory readiness.
7. The TraitWare Advantage
TraitWare transforms dealership cybersecurity from a compliance burden into a competitive advantage:
| Feature | Legacy MFA | TraitWare |
|---|---|---|
| Passwordless | ❌ No | ✅ Yes |
| Phishing-Resistant | ❌ Weak | ✅ FIDO2/WebAuthn |
| Centralized Identity | ⚠️ Partial | ✅ Full |
| Quantum-Resistant Encryption | ❌ No | ✅ Yes |
| Device-Bound Authentication | ⚠️ Limited | ✅ Enforced |
| Platform Lock-In | ✅ Yes | ❌ No |
Dealers gain:
- Stronger protection.
- Simpler access for staff.
- Measurable ROI.
8. The ROI of Going Passwordless
Security that pays for itself:
- Avoid multimillion-dollar breach losses like CDK’s.
- Qualify for better cyber-insurance rates.
- Eliminate password resets and downtime.
- Boost productivity and morale with faster logins.
Modern authentication isn’t just compliance—it’s good business.
9. The Roadmap to Secure Identity
Baseline Assessment – Identify systems and users handling customer data.
Select a Central Identity Platform – Deploy TraitWare with SSO integration.
Pilot Passwordless MFA – Begin with high-risk roles (F&I, admins).
Scale Securely – Expand to all users and vendors.
Govern and Report – Use centralized logs for compliance proof.
10. Conclusion
The FTC Safeguards Rule raised the bar—and cyberattacks like CDK Global proved the stakes. Passwords and legacy MFA can no longer protect sensitive dealership operations.
TraitWare helps dealerships move from “check-the-box” compliance to defensible, measurable security—while improving efficiency, reducing risk, and strengthening trust with customers and regulators alike.
It’s time to replace vulnerability with visibility, and passwords with progress.
TraitWare: Phishing-Resistant. Passwordless. Proven.