Online gambling in New Jersey is going to become safer than ever by the end of the month. At the same time, players will have a few more hoops to jump through.
The NJ Division of Gaming Enforcement (DGE), which regulates all gambling in the state, issued new guidelines back in March. These aim at beefing up security across the board. Most relevant to players is the requirement that all gambling sites implement strong authentication.
In practice, this will mean multifactor authentication (MFA) being adopted by all New Jersey online casinos and sportsbooks. Technically, though, the DGE has reserved for itself the right to define other authentication strategies as “strong,” so long as they’re more secure than a username and password alone.
Operators have until June 30 to comply with the new regulations. Some, like FanDuel Casino, already have MFA as an option.
What Is Multi-Factor Authentication?
Authentication is the process by which a website makes sure that only the correct person can access an account. Traditionally, this means the familiar username-and-password combination. That’s single-factor authentication.
The trouble with that is that password security is only as strong as its weakest link. Gambling sites may have good internal security, but many users reuse their login credentials from site to site. If some low-security site gets hacked, the usernames and passwords typically end up for sale on the dark web. Anyone in that database who used the same login and password at another, more important site is now at risk.
There’s no single authentication method that’s perfect. The idea of MFA is that multiple methods, in combination, are stronger than the sum of their parts. A hacker might be able to get your password, and a thief might be able to steal your phone, but it’s much harder for the same person to get both. That’s because the means of obtaining each are so different.
The DGE’s new regulations define MFA as using at least two different strategies from the following:
1. Information known only to the patron, such as a password, pattern or answers to
2. An item possessed by a patron such as an electronic token, physical token or an identification card; or
3. A patron’s biometric data, such as fingerprints, facial or voice recognition.
Another Advantage To Playing On Mobile
The second and third options both sound like they could be a nuisance. However, MFA is becoming increasingly common, and modern mobile devices are designed with it in mind.
There are, for instance, many third-party apps allowing the storage or transmission of an electronic security token, which would fulfill the second option. If you’ve ever had a site send a one-time password to you by text message, that’s an example of such an electronic token.
Likewise, all new iOS devices and many Android ones implement some form of biometric identification, be it facial recognition or a finger/thumbprint scanner. Those would fulfill the third option.
Chances are, then, that most operators will adopt MFA strategies that involve a smartphone corresponding to the main phone number for the account.
One likely outcome of that will be to increase the share of users playing on those mobile devices. As it is, more people gamble on their devices than on desktop, with some estimates running as high as 80%. For sports betting, the share is even higher, since bettors tend to be on their couch or out at a bar to watch a game, rather than at the computer.
Desktop MFA options exist, and some of the mobile options can equally be used to authenticate a desktop login. However, if smartphones provide the easiest route to strong authentication, and many users prefer app-based gambling to begin with, we should see a rise in mobile gambling in NJ soon, and a drop in desktop play.
Why Is Stronger Security Needed?
Better security for online gambling sites benefits everyone. The enforcement of rules around security practices is one of the main advantages of regulated markets over offshore black and gray markets.
For the end-user, the benefit is obvious. If you have money stored somewhere, you don’t want anyone else having access to it. Payment processing rules make it hard for a hacker to steal money from an account even if they can log in, but it’s better still to make sure they don’t get the chance.
Sites benefit because MFA makes multi-accounting more challenging. One common form of fraud perpetrated by online gamblers is convincing friends and family to set up additional accounts on their behalf, in order to claim welcome bonuses multiple times. The additional forms of authentication make account sharing more of a hassle, in addition to providing enhanced security for legitimate users.
For similar reasons, there are also social benefits to better gambling security. Regulators insist on Know Your Customer (KYC) and Anti-Money Laundering (AML) practices in order to fight organized crime and prevent underage gambling. However, those only apply at the time of account creation and payment processing. It undermines those efforts if unauthorized users can gain access to existing accounts.
For all those reasons, it’s likely that NJ won’t be the last state to adopt such policies. Although it will be mandatory for operators to offer strong authentication, it looks as if it will be a choice for players whether to use it. Still, given the advantages, it wouldn’t be surprising if it were to become mandatory for all users in the future.