Executive Summary / TL;DR
- How common is MFA?: 41% of US utility meters now require some form of MFA, with 11 million meters (8%) under mandatory MFA policies
- Business impact: MFA causes companies to lose an incremental 30-50% of customers during sign-up, then another significant portion when customers must re-authenticate
- The solution: Proper MFA handling through a utility API completes authentication in 5 seconds (vs 60-90 seconds), maintains data access for 90+ days, and works across all utilities – preventing customer loss and market lockout
- Mandatory MFA utilities: PG&E (5.7M meters), ConEd (3.7M meters), Orange & Rockland (420k meters) – 100% of customers must use MFA. SDG&E (1.5M meters) effectively mandatory through aggressive prompting
- High-impact optional MFA: ComEd (1.9M affected meters at 47% MFA), PECO (1M affected meters at 58% MFA) – major PJM utilities with growing adoption
Why Should You Care About Utility Multi-Factor Authentication?
Multi-factor authentication (MFA), sometimes called two-factor authentication (2FA), is an additional security step utilities require when accessing customer accounts, and it directly affects any utility API that retrieves utility bill data and interval meter data. When a utility enables this, customers enrolled in MFA must provide a second form of verification (usually a code via text or email) to access their account.
Here’s the problem: When customers authenticate their accounts to share their green button data and utilities require MFA, your onboarding flow now has an extra step that can confuse customers, add friction, and hurt conversions if not handled properly.
We’ve heard the same story from dozens of companies: Without proper MFA handling, a simple credential flow turns into an operational nightmare:
- Complete lockout from mandatory MFA utilities (no data at all)
- 30-50% incremental customer drop-off during utility account authentication
- Constant support tickets from confused customers
- Sessions that expire and require re-authentication
MFA support isn’t optional anymore. If your utility data solution can’t handle it properly, you’re already losing customers. This is true whether you’re building your own or considering a third-party utility API.
Utility Data: MFA Prevalence by Utility
Here’s the MFA landscape across major US utilities based on Bayou’s real customer data:
| Utility | Wholesale Market | % of Customers with MFA |
|---|---|---|
| Orange And Rockland | NYISO, PJM | 100.0% |
| Con Edison | NYISO | 100.0% |
| San Diego Gas And Electric | CAISO | ~100.0% |
| Pacific Gas And Electric | CAISO | 100.0% |
| Commonwealth Edison | PJM | 58.8% |
| Atlantic City Electric | PJM | 53.6% |
| Peco | PJM | 52.8% |
| Baltimore Gas And Electric | PJM | 45.3% |
| Pepco | PJM | 42.0% |
| Delmarva Power | PJM | 38.8% |
| Pseg New Jersey | PJM | 11.1% |
| Southern California Edison | CAISO | 9.3% |
| Potomac Edison | PJM | 9.3% |
| West Penn Power | PJM | 8.3% |
| Jersey Central Power And Light | PJM | 8.2% |
| Penn Power | PJM | 8.2% |
| Eversource | ISO-NE | 7.8% |
| Dominion Energy Virginia | PJM | 5.4% |
| Toledo Edison | PJM | 5.2% |
| Metropolitan Edison | PJM | 4.8% |
| Ohio Edison | PJM | 2.8% |
| The Illuminating Company | PJM | 2.8% |
| Penelec | PJM | 2.1% |
| Ameren | MISO | 2.1% |
| Xcel Energy | MISO, SPP | 0.2% |
MFA Is Increasingly Required for Getting Utility Data
Utilities have been steadily adding MFA since 2017, with adoption accelerating significantly in recent years:
2017
- ConEd migrates to Okta-backed authentication with MFA for existing accounts
2022
- February-March: SDG&E enables 2-step verification for all customers
- April: Xcel Energy adds optional 2FA (0.3% current adoption)
- Summer: Exelon utilities introduce optional MFA (now 31-58% adoption across their utilities)
2023
- Q1: Dominion Energy adds MFA during portal migration
- Mid-year: Ameren implements optional MFA (2% current adoption)
- November: PSE&G announces MFA for New Jersey customers (11% current adoption)
- December: Eversource adds optional MFA (5% current adoption)
2024-2025
- Fall 2024: Southern California Edison introduces optional MFA (15% adoption)
- Late 2024: SDG&E strengthens MFA requirements, making it effectively mandatory
- March 2025: First Energy adds optional MFA to 10 utilities with one week’s notice (2-11% adoption across their utilities)
- April 2025: PG&E implements mandatory MFA for all customers
More utilities added MFA in 2022-2025 than in the previous five years combined. Most utilities provide minimal advance notice. This means any given utility could enable MFA tomorrow, immediately increasing your customer acquisition costs and reducing conversion rates if your system isn’t prepared.
Impact of MFA on Utility Data access across energy markets
1. Missing Record-Breaking PJM Capacity Market Revenues
PJM capacity prices have hit record highs two years running, with ~$180 per consumer per year available and a significant portion of that available to the Virtual Power Plant companies enabling their participation. Customer utility account data is needed to sign up each customer, and then continuous access to interval meter data is needed to determine how customers performed during grid events. Because customers commit to performance for the full year, losing access to their data due to an MFA session expiring after 30 minutes is a deal breaker. As one VPP operator said: “We lose ~50% of customers during sign up due to MFA and then 30% of customers each time they need to re-auth their account. By year-end, we’ve lost over half our committed capacity.”
With utilities like Orange and Rockland (100% MFA), ComEd (~59% MFA), Atlantic City (54%) and PECO (53%) – solving MFA is absolutely essential for anyone operating in PJM.
2. MFA Can Destroy Unit Economics for Energy Companies
Energy companies spend serious money acquiring each customer:
- Dozens of dollars for energy cost optimization
- Hundreds for community solar
- Thousands for installation of rooftop solar, batteries, heat pumps and EV chargers
Now add an incremental 30-50% drop-off at customer utility account authentication due to mis-handling of MFA. The customers who do convert can require additional support related to MFA or to continuously re-authenticating their account. The result is that your unit economics get destroyed from both ends – higher acquisition costs from drop-off, lower lifetime value from support burden.
3. Get Utility Data From California Utilities
California is a massive market for energy optimization – sky-high utility rates, robust policy support, an innovative culture and 13 million meters (9% of the US market) across its investor-owned utilities. This opportunity is gated by the challenge that all three utilities require customer MFA:
- Pacific Gas and Electric: Shifted from no MFA to 100% mandatory overnight in April 2025
- Southern California Edison: Introduced Optional MFA in late 2024 with early uptake at ~9%
- San Diego Gas and Electric: Introduced MFA in March 2022; while technically optional, interface changes in late 2024 make it effectively mandatory
Handling MFA in Utility APIs
When designing authentication for utility connections, you’re balancing two things:
- User experience (how much friction the customer feels), and
- Session longevity (how long data keeps flowing without re-auth).
Definition: An MFA challenge is any out-of-band step the user must complete – entering a one-time passcode (OTP) via SMS/email or approving a request in an authenticator app.
How to evaluate the five main approaches
- User experience (UX): speed of the flow; interruptions over time
- Session longevity: how long until re-authentication is required
1) No MFA Support
What it is: The Utility API doesn’t implement MFA; connections work only where MFA isn’t enforced.
Trade-off: Simple, but fails once MFA is required – rarely suitable beyond prototypes or internal tests.
2) Ask Customers to Disable MFA
What it is: The Utility API instructs users to log into the utility portal and turn MFA off.
Trade-off: Adds manual steps and weakens security posture; often impossible where utilities mandate MFA and unacceptable in enterprise environments.
3) Basic MFA Handling
What it is: The Utility API prompts the user to complete an MFA challenge. Each attempt takes minutes to complete while the customer waits, and data is only available for a few minutes afterwards.
Trade-off: Works for a one-time historical pull albeit with a slow customer experience. Sessions are short-lived (often ~10–30 minutes), requiring customers to frequently re-auth their utility accounts.
4) Proxy MFA Management
What it is: The Utility API replaces the customer’s MFA contact method (phone number or email address) with its own. This enables future MFA challenges to be delivered to (and completed by) the Utility API in the background without any action required by the customer. Non-MFA messages from the utility can be forwarded to the customer.
Trade-off: Excellent UX (“authenticate once” feel) and perpetual session duration, but invasive – requiring account/contact changes to the customer’s utility account.
5) Optimized MFA (Non-invasive)
What it is: The Utility API is engineered for speed and long-lived sessions without taking over the account (no changes made).
Trade-off: This is as good as it gets without proxy techniques.
What “good” looks like (directional targets)
- MFA completion time: median < 5 seconds
- Session longevity: median 90+ days
- Coverage: high success across “hard” utilities, not just the easy ones
- Automated process: the Utility API notifies its users (i.e., the energy company) when customers need to re-authenticate
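The following Python module is an added example, not Bayou’s code or API. It models a utility-data connection along the two axes the evaluation above uses (MFA completion time and session longevity), computes the medians to compare against the directional targets, and implements the "automated process" target: a check that reports which customers’ sessions have expired or are about to, so the energy company can prompt re-authentication before data access lapses. The `Connection` class, the `reauth_due` and `evaluate` functions, and all customer timings are hypothetical, constructed for illustration.

```python
"""Session model for a utility-data connection (added example, not Bayou's
code or API). Models MFA completion time and session longevity, and reports
which customers need to re-authenticate. All names and data are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional

# Directional targets quoted in the article.
TARGET_MFA_SECONDS = 5.0     # median MFA completion time, strictly below
TARGET_SESSION_DAYS = 90.0   # median days of data access per authentication


@dataclass
class Connection:
    customer_id: str
    utility: str
    challenge_sent_at: Optional[datetime] = None   # None when no MFA was required
    mfa_completed_at: Optional[datetime] = None
    authenticated_at: Optional[datetime] = None
    session_length: timedelta = timedelta(0)       # longevity granted by the flow
    notified_reauth: bool = False

    def mfa_seconds(self) -> Optional[float]:
        """Seconds the customer spent on the MFA step, or None if not applicable."""
        if self.challenge_sent_at is None or self.mfa_completed_at is None:
            return None
        return (self.mfa_completed_at - self.challenge_sent_at).total_seconds()

    def expires_at(self) -> Optional[datetime]:
        """When data access under this authentication stops flowing."""
        if self.authenticated_at is None:
            return None
        return self.authenticated_at + self.session_length


def reauth_due(connections, now: datetime, lead: timedelta = timedelta(days=7)):
    """Customer ids whose session has expired or expires within `lead` and who
    have not been notified yet. Each id is reported once, so reruns are idempotent."""
    due = []
    for c in connections:
        exp = c.expires_at()
        if exp is None or c.notified_reauth:
            continue
        if exp - now <= lead:
            c.notified_reauth = True
            due.append(c.customer_id)
    return due


def evaluate(connections) -> dict:
    """Medians of the two metrics across connections, compared to the targets."""
    mfa_times = [t for t in (c.mfa_seconds() for c in connections) if t is not None]
    days = [c.session_length.total_seconds() / 86400
            for c in connections if c.authenticated_at is not None]
    med_mfa = median(mfa_times) if mfa_times else None
    med_days = median(days) if days else None
    return {
        "median_mfa_seconds": med_mfa,
        "median_session_days": med_days,
        "meets_mfa_target": med_mfa is not None and med_mfa < TARGET_MFA_SECONDS,
        "meets_session_target": med_days is not None and med_days >= TARGET_SESSION_DAYS,
    }


# Constructed sample data: hypothetical customers, utilities and timings.
SAMPLE_NOW = datetime(2025, 9, 15, 12, 0, tzinfo=timezone.utc)


def sample_connections():
    def conn(cid, utility, mfa_secs, age: timedelta, length: timedelta):
        auth = SAMPLE_NOW - age
        sent = auth - timedelta(seconds=mfa_secs) if mfa_secs is not None else None
        done = auth if mfa_secs is not None else None
        return Connection(cid, utility, sent, done, auth, length)
    return [
        conn("c1", "PG&E",  4.0,  timedelta(days=10),  timedelta(days=90)),     # healthy
        conn("c2", "ComEd", 75.0, timedelta(hours=2),  timedelta(minutes=30)),  # basic handling: slow, short-lived
        conn("c3", "Xcel",  None, timedelta(days=30),  timedelta(days=120)),    # MFA not enforced
        conn("c4", "ConEd", 3.0,  timedelta(days=100), timedelta(days=95)),     # already expired
        conn("c5", "SDG&E", 5.0,  timedelta(days=85),  timedelta(days=90)),     # expires in 5 days
    ]


if __name__ == "__main__":
    conns = sample_connections()
    print("re-auth needed:", reauth_due(conns, SAMPLE_NOW))   # ['c2', 'c4', 'c5']
    print(evaluate(conns))
```

Running the module on the constructed sample flags the expired ComEd and ConEd sessions plus the SDG&E session inside the seven-day lead window, and a second pass reports nothing new because each customer is notified once. The medians (4.5 s, 90 days) meet both targets even though one connection is a slow, short-lived "basic handling" flow, which is exactly why median rather than mean is the useful summary here.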
Bayou Energy’s Approach to MFA
At Bayou we’ve taken the Optimized MFA (non-invasive) approach to MFA that covers both utility bill data and interval meter data:
- Win more customers: customers complete MFA in 5 seconds or less, reducing drop-off at sign-up and re-authentication
- Durable utility data access: Get customer data for 90+ days from a single authentication – improving your customer retention, lowering churn and support tickets
- Automate re-authentication: Bayou’s Utility API sends clear notifications to let your product know when customers need to re-authenticate, at scale
Start Handling MFA Properly Today
MFA isn’t going away. With 41% of US meters already requiring some form of MFA and utilities like PG&E flipping from 0% to mandatory overnight, every company getting utility data needs a real MFA solution.
We built Bayou to handle MFA the right way – fast authentication, long-lived sessions, and support for every utility’s requirements. Rather than telling you about it, we’d rather show you.
Get started with Bayou by connecting up to 10 customers free. You can authenticate your first customer in seconds and see exactly how MFA should work – no timeouts, no confusion, just instant access.
If you want to discuss how MFA impacts your business, schedule a call with James Gordey (Bayou’s Co-Founder and CEO). We’d love to learn more about what you’re building and share what we’ve learned helping dozens of companies solve these exact challenges.