Multifactor Authentication: Quick Tip Sheets

Note to Financial Institutions: We are providing these QT sheets to you in PowerPoint format – please feel free to change to your FI’s template, add scenarios, etc. – anything you need to do to customize them for your FI.

Managing MFA on the Admin Platform

Maintenance > Policies > Multifactor Authentication (affects entire commercial client base)
• Enable or disable MFA
• Once enabled, select the Effective Date

Maintenance > Policies > Additional Options (affects entire commercial client base)
• Select if users will be able to change their own email addresses

Maintenance > Customer Maintenance (affects individual commercial client – these settings override the Policies settings)
• Enable or disable MFA
• Once enabled, select the Effective Date

Definitions
• “Temporary Access” = when a user logs into Business Banking from an unenrolled computer, after the MFA Effective Date.
• “Security Questions with Second Request” = the user is challenged for temporary access with the Security Questions screen, displaying two of their five security questions. Users have the ability to request a second set of security questions if they feel they cannot answer them. Two of the remaining three questions are displayed. If the user cannot answer them correctly, they are locked out.

Tips
• If an Effective Date was previously defined on the Customer Maintenance screen, then changing or adding the Effective Date on the Policies page will only override it if the date has not passed.
• The MFA Effective Date must be the current day’s date or future dated. If you set it 1-2 weeks out, this allows all users to confirm/update their email address and to set up their security questions and answers before they are required to enroll.

User Experience After MFA Enablement

… But Before the Effective Date is Reached
Step 1: User logs into the Customer Platform.
Step 2: Next screen displays the user’s email address. User must either confirm that the address is correct, or if it’s not:
• change it here (if your FI allows users to change their own email address)
OR
• contact their Company Admin and have them change it
Step 3: User must set up security questions and answers.
Step 4: User is taken to Business Banking.

… After the Effective Date is Reached
Step 1: User logs into the Customer Platform.
Step 2: Next screen is the Enhanced Login Security Screen (see Quick Tip sheet for Enrolling a Computer).

Enroll or Unenroll a Computer

Enroll a Computer/Browser
Step 1: After logging in, user is presented with the Enhanced Login Security screen displaying two of their security questions.
Step 2: The user enters their answers, then checks the box to add extra security protection to this computer.
Step 3: A success screen displays.

Unenroll a Computer/Browser
Step 1: Once logged in, user goes to Administration > Login Credentials > Unenroll Computers.
Step 2: On the Unenroll Computers screen, user selects either the first option (to unenroll this computer) or the second option (to unenroll all computers).
Step 3: MFA removes the cookie from the user’s browser.

Tips – Enroll a Computer
• Users can enroll as many computers and browsers as they wish.
• Once a user enrolls one computer, the user is now enrolled in MFA.
• Once a computer/browser is enrolled, the user will see nothing different at future logins to Business Banking from that computer using that browser.
• A user should only enroll a computer that is non-public and that they will use regularly to access Business Banking.

Tips – Unenroll a Computer
• The user is still enrolled in MFA! So if they log in again from this or any unenrolled computer, they will not be allowed into their Business Banking session until they provide the challenge data (see Temporary Access tip sheet).
• User should only select this option if they are not going to be using this computer for Business Banking again.
• This ‘Unenroll Computers’ feature will only display if the financial institution has enabled MFA for the company and the ‘MFA Effective Date’ defined has been reached.

Temporary Access

Step 1: Enrolled user logs into Business Banking from an unenrolled computer or browser.
Step 2: System displays 2 of the 5 security questions.
Step 3: User answers questions (they can also enroll this computer now) and is taken to Business Banking.
OR
Step 3: User feels they cannot answer the questions, so clicks on “Request Different Questions”.
Step 4: System displays two of the remaining five questions.
Step 5: User enters their answers and clicks continue.
Step 6: User has the option to enroll this computer in MFA.
Step 7: User is taken to Business Banking.

Temporary Access

Tips
• A user will only be challenged if they are an enrolled user, but are using an unenrolled computer (at the library, at a friend’s house, etc.).
• If a user wants to enroll the computer they are currently using, they can check the box to add enhanced security to this computer before continuing.
• Security codes expire after 30 minutes.
• If the MFA system sent the user a code less than 30 minutes ago and the code was not used, it will not automatically send a new one when the user tries to log in this time.
• If the user wasn’t able to retrieve that security code and wants a new one, there is a Request a New Security Code link.
• If the user enters the wrong code, an error message displays. The user can try again. This counts as a bad login attempt.
• Once a user successfully enters a security code and is able to log in, that code becomes invalid.
• If the user cannot retrieve their code, they should contact their company administrator. The administrator can change the user’s email address to one where the user can retrieve the code.
• There is the possibility of the security code email being routed to a user’s junk mail folder. Users who do not get the security code should check that folder.
• The answers to the security questions are not retained by the system, so a user can set up the same questions with the same answers again, if they desire.
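
The security-code rules in the tips above, modeled as a small state machine. This is an added example, not the platform's own code: the class and method names are hypothetical, and the six-digit format, the replacement of an outstanding code on an explicit request, and not counting a submission when no code is live are assumptions.

```python
import hmac
import secrets
from datetime import timedelta

CODE_LIFETIME = timedelta(minutes=30)  # "Security codes expire after 30 minutes"


class SecurityCodeIssuer:
    """Hypothetical model of one user's security-code state (not vendor code)."""

    def __init__(self):
        self.code = None       # outstanding unused code, if any
        self.issued_at = None
        self.sent = 0          # emails sent, tracked so the rules can be checked
        self.bad_logins = 0    # a wrong code counts as a bad login attempt

    def _live(self, now):
        return self.code is not None and now - self.issued_at < CODE_LIFETIME

    def _send_new(self, now):
        # Assumption: six random digits; the tip sheet does not give the format.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at, self.sent = now, self.sent + 1
        return self.code  # stands in for the email to the user

    def on_login(self, now):
        """Login from an unenrolled computer: no new email while a code is live."""
        return self.code if self._live(now) else self._send_new(now)

    def request_new_code(self, now):
        """'Request a New Security Code' link. Assumption: replaces the old code."""
        return self._send_new(now)

    def verify(self, submitted, now):
        if not self._live(now):
            return "no_valid_code"  # expired or already used; not counted (assumption)
        if not hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.bad_logins += 1
            return "wrong"
        self.code = None  # a successfully used code becomes invalid
        return "ok"
```
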

MFA Reporting

Reporting on MFA is accomplished using the following Transaction Types:

Existing Transaction Types with MFA information:
• Bad login
• Usermaint modified

MFA-Specific Transaction Types:
• Unenroll computer
• All computers unenrolled
• Computer enrolled
• Login authenticated
• User challenged
• User computers unenrolled
• Login credentials reset
• Email address confirmed
• Changed email address
• Questions created
• Questions requested
• Questions changed
• Questions answered

Tips
• Customer Platform = Administration > Activity Reporting
• FI Admin Platform = Billing & Reporting > Customer Activity Reporting
• See transaction type details in the user’s guide.
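
One way to use these transaction types for review, as an added example that is not part of the tip sheet or the platform: it flags users whose email address change or credential reset is followed within a window by a challenge or a computer enrollment. The CSV layout, the 24-hour window, the function name and the sample rows are assumptions constructed for illustration; only the transaction type names come from the list above.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; the column layout is an assumption.
SAMPLE = """timestamp,user,transaction_type
2024-03-04T09:00:00,alice,Login authenticated
2024-03-04T10:02:00,bob,Changed email address
2024-03-04T10:05:00,bob,User challenged
2024-03-04T10:07:00,bob,Computer enrolled
2024-03-05T08:00:00,carol,Changed email address
2024-03-07T08:00:00,carol,Computer enrolled
"""

WINDOW = timedelta(hours=24)  # review window, an assumption
CHANGE = {"Changed email address", "Login credentials reset"}
FOLLOW = {"User challenged", "Computer enrolled"}


def flag_for_review(export_text, window=WINDOW):
    """Return (user, change type, follow-up type, gap) tuples worth a second look."""
    rows = sorted(
        (datetime.fromisoformat(r["timestamp"]), r["user"], r["transaction_type"])
        for r in csv.DictReader(io.StringIO(export_text))
    )
    last_change = {}  # user -> (time, type) of the most recent change event
    findings = []
    for ts, user, ttype in rows:
        if ttype in CHANGE:
            last_change[user] = (ts, ttype)
        elif ttype in FOLLOW and user in last_change:
            changed_at, change_type = last_change[user]
            if ts - changed_at <= window:
                findings.append((user, change_type, ttype, ts - changed_at))
    return findings


if __name__ == "__main__":
    for user, change, follow, gap in flag_for_review(SAMPLE):
        print(f"{user}: '{follow}' {gap} after '{change}'")
```
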