Why New York Sent MFA Tokens to Its Towns, Counties and Schools

To guard against phishing-based ransomware attacks, the state is outfitting 161 of its jurisdictions and other public-sector organizations with hardware-based protection. And it's not alone.

As credential theft continues to drive ransomware incidents, New York state is sending physical security keys called multifactor authentication (MFA) tokens to 161 of its cities, counties, school districts and other public-sector organizations.

MFA tokens, which are about the size of a novelty keychain, generate one-time codes on small screens for users to log in to synched platforms. New York is just the latest state to send the tokens to lower jurisdictions, joining Maine, New Hampshire and New Jersey. The state announced last week that it would be doing so and paying for the tokens with $9 million from the federal State and Local Cybersecurity Grant Program (SLCGP).

New York Chief Cyber Officer Colin Ahern said that along with the tokens, the state government plans to also provide recipients with installation and support services through a contracted vendor.

MFA at a basic level relies on two or more authentication factors, such as a password, a biometric identifier like a thumbprint, or a code from a mobile phone or hardware token. Hardware-based MFA is stronger because it requires a physical security key rather than a text message or app-generated code, which Ahern said could be intercepted.

“Most people get a text on their phone, or they get a series of numbers that rotate, which is called a time-based, one-time password,” he said. “The bad guys are now able to intercept those in some cases, so what the state is providing via this funding is a phishing-resistant token, a second factor.”

As to how they work, Ahern said the process begins with an enrollment tied to a device’s Trusted Platform Module.

There is “a tiny computer chip which is specially designed to create a cryptographic relationship with the server. It creates a special mathematical relationship with the computer chip,” he said, “so there’s a one-to-one mathematical relation in such a way that is extremely difficult — essentially impossible — for even an adversary to get into the middle.”

Protecting login credentials and passwords is, of course, fundamental to preventing ransomware and other cybersecurity attacks. According to New Jersey’s 2026 Threat Assessment report, released this week, theft and abuse of credentials remain among the most persistent cyber threats facing organizations.

The New Jersey Cybersecurity and Communications Integration Cell found that compromised credentials were used to gain initial access in a majority of ransomware incidents affecting organizations in the state. It has also used SLCGP funding to deploy hardware authentication tokens, providing 17,000 to 120 organizations within its borders, the report noted.

Other states are using this type of device across environments, too. New Hampshire in 2024 distributed more than 17,000 MFA tokens with about $800,000 in SLCGP funding, and Maine has also put them to use.

“We need the counties and local governments, the private sector, research institutions, everyday New Yorkers, to take these issues seriously, but not in a fatalistic way,” Ahern said. “We’re empowering individuals, and especially people in public service — who are dedicating their professional lives to service — to have the tools they need to do their job securely.”

A full list of token recipients can be found in the state's announcement.
Rae D. DeShong is a Texas-based staff writer for Government Technology and a former staff writer for Industry Insider — Texas. She has worked at The Dallas Morning News and as a community college administrator.