FHA Requires Multi-Factor Authentication by July 28, 2025: Is Your Team Ready?

Written By Troy Garris

The Federal Housing Administration (FHA) has announced a mandatory security update.  Effective July 28, 2025, all users of the FHA Connection (FHAC) system must implement phishing-resistant multi-factor authentication (MFA) to maintain access.

This change is not automatic.  Each individual user must act to complete setup before the deadline.

What’s Changing and Why?

To address rising cybersecurity risks, e.g., phishing attacks and credential theft, FHA is requiring all FHAC users to implement phishing-resistant MFA.  FHA indicates that the goal is to strengthen protection for sensitive borrower and lender data and prevent unauthorized system access.

Failing to meet the July 28 deadline will result in loss of FHAC access, directly affecting your ability to process or service FHA-insured loans.

Who Is Affected?  If You Are Reading This, Probably You

  • All individuals accessing FHA Connection, including lenders, servicers, underwriters, and other stakeholders working with FHA-insured loans.

  • There are certain limited exceptions. 

Details for MFA

To meet the requirement, users must implement one of two specified authentication methods.  For details, check the HUD release here

Action Steps for FHA Approved Mortgagees

1.        Identify all active FHAC users across your organization.

2.        Select your MFA method based on system compatibility and user needs.

3.        Engage IT support as needed for installation and configuration.

4.        Ensure all users are fully set up and tested before July 28, 2025.

Consequences of Noncompliance

  • Access Termination:  No MFA setup = no FHAC access.

  • Operational Disruption:  Potential delays in processing loans or accessing borrower data.

  • Compliance Risk:  Missed deadlines may signal gaps in your organization's risk protocols.

  • Legal, Compliance and Operational Considerations

This change may impact internal access controls, vendor management practices, and compliance documentation. Organizations should assess whether policy updates are necessary and ensure any third-party access is properly managed.

Bottom Line

July 28, 2025 is coming faster than you think.  This is a critical compliance requirement that could directly affect your ability to interact with the FHA system so do not wait.  Ensure all users are enrolled in MFA before the cutoff to maintain business continuity and system access.

For more information on this or other FHA requirements, contact Troy Garris (troy@garrishorn.com).

Troy Garris
Previous

GSEs Revise IPC Rules: Impact on Builder Forward Commitments, Lender Incentives and IPCs
Next

Trump Voids Two CFPB Rules:  What It Means for Overdraft Fees and Fintech