Multifactor Authentication for Business Banking Customer Platform: Certification Webcast for Security Questions
Laura Sund Martin, Digital Insight University
Business Banking v. 4.16
Some Recorded Webcast Pointers
• Note that you’ve got controls along the bottom of the webcast window. You can pause the webcast if you need to take a short break, rewind to review, forward, or stop.
• This webcast is best viewed with Media Player 10 or higher and the Replay Wrapper installed. If you don’t see a list of the slides on the left side of your screen, you don’t have the Replay Wrapper installed. See the next slide for how to install both MP10 and the Replay Wrapper.
• If you need to stop the webcast and finish it at a later time, note that the slide names/numbers appear in a window to the left. When you access the webcast later, simply scroll to the name of the next slide from where you left off. It will take a moment to jump to that spot, and then you are on your way!
Some Recorded Webcast Pointers
• If you don’t have the dropdown menu showing the slide deck, stop the recording, return to this screen, and install the Replay Wrapper. You must have Media Player 10 to install the Wrapper.
Some Volume Pointers
• Did you know… there are 3-4 ways to change the volume on your computer for a webcast? If you are having problems hearing my voice, please hit your PAUSE button and check the following:
• The Windows Media Player software: you have a volume control (typically a slide bar) at the bottom of your Player window.
• Your computer software: if you’re using Windows, in the lower right corner you should have a sound control icon. Double click on this, and check the following: 1) everything should be set to maximum and 2) none of the “mute” options are checked.
• Your computer’s sound card: on your computer (especially if it’s a laptop), the sound card may have a volume control. Feel or look around your computer to see if there is a volume control.
• External speaker control: this is the most obvious one and you’ve probably already thought of it!
• If you have adjusted all those settings, and experience normal audio volumes listening to other sources of PC audio (go to another site, like www.cnn.com, to test it out), then please contact Microsoft Customer Support at 866-493-2825 and they can work further with you.
Session Objectives – Security Questions Webcast
Overall Objective: This webcast will train you on how your business users will use multifactor authentication (MFA) to increase their login security, and how to track MFA activity in the FI Admin Platform. Specifically we will cover:
• What multifactor authentication is
• How business users enroll and unenroll in MFA
• How enrolled users log in
• MFA features for Company Administrators
• How FI administrators use the FI Admin Platform to create reports on MFA
Please note that this webcast is for financial institutions offering the Security Questions option for MFA!
Completing this Training
We have designed this MFA Security Questions training for multiple employees at your financial institution:
• If you are a cash management specialist or service rep who needs to talk to your commercial clients about MFA but will NOT be using the FI Admin Platform, you’ll complete through slide 73. The trainer will remind you at that point that you can exit the webcast.
• If you are an FI admin who will be using the FI Admin Platform, you’ll complete the entire webcast.
• If you are the Project Lead, be sure you view the Enablement Webcast before you view this one!
Product Overview If you have already viewed the Enablement Webcast, skip to slide 15 “Using MFA on the Commercial Customer Platform”.
Why MFA?
• In the fall of 2005, the Federal Financial Institutions Examination Council (FFIEC), the regulators overseeing banks and credit unions, communicated that passwords alone will no longer be acceptable as the sole means of achieving online security. Multifactor authentication (MFA) was the recommended solution.
• MFA requires online users to provide something additional beyond today’s username and password to log in. This enhanced security means that even if a user has their password stolen in a phishing attack or by malicious software, the fraudster cannot access online accounts because they do not possess the additional factors needed, which are harder to steal. By offering MFA our clients can give their consumers and businesses peace of mind when using online products and services.
So why are we doing this? To protect your end users’ sensitive information!
Basic MFA Steps
After your FI has enabled MFA:
• Business Banking user logs into Business Banking.
• User must choose five security questions and enter answers for each.
• User can choose to enroll the computer they are currently using in MFA.
• If they do, the next time they log in they will see nothing different.
• If they do not, the next time they log in they will be presented with the Security Question screen, displaying two of their five questions.
Security Question options: Your FI has chosen one of two options:
• “Security Questions with Second Request”: if the user feels they cannot answer the first two questions they are presented with, they can request different questions.
• “Security Questions with Reset”: if the user feels they cannot answer the first two questions they are presented with, they can request a one-time security code to be sent via email to their email address on file. They must set up their questions again upon next login.
These two options are similar enough to cover in one training. However, you will find a few “skips” for sections that pertain to only one or the other.
Terms & Definitions
• Single Armored authentication – The process of authenticating user credentials where the only credentials authenticated are the User ID and password.
• MFA – Multifactor Authentication. The process adds an additional credential to be authenticated.
• Enhanced Login Security – This is the default feature label for the MFA product. You will be allowed to choose a different name if you desire.
• Enroll a Computer – The process whereby a user chooses to define a particular computer as their additional factor for purposes of authentication. A cookie is installed on the computer.
• Un-enroll a Computer – Where a user removes the computer as the additional factor.
• Enrolled User – Any user who has opted in to the MFA feature. First-time enrollment is accomplished when the user has successfully enrolled their first computer.
• Credentials – Data elements that are needed in order to log in. This may include User ID, password, and browser cookie as well as Company ID and Company password.
• Factors – Data elements that are required to log in above and beyond User ID. These factors may include password, browser cookie and email Security Code.
• Temporary Access – Login where the user is enabled for the MFA Required feature and is attempting to log in from a computer that has not been recognized.
• Invalid Cookie – A cookie that does not match the user credentials, or a cookie that has expired or been marked invalid by the MFA system.
Terms & Definitions
• Security Questions – A set of questions and answers generated by the end user when they first enroll in MFA. Answering these questions allows an MFA user to initiate a Business Banking session via Temporary Access.
• Security Questions with Second Request – With Temporary Access, if the user feels they cannot answer the first set of questions presented, they may request another set.
• Security Questions with Reset – With Temporary Access, if the user feels they cannot answer the first set of questions presented, they may request to reset their questions. A security code is emailed to them, which they must use to log in.
• FI – Financial institution
• FI admin – An FI employee who is responsible for managing, overseeing, reporting on, etc. a particular product. There may be 1 or more FI admins per product at an FI.
• Front-line Staff – FI employees who communicate with commercial clients, e.g. cash management specialists or customer service reps.
Fraud Prevention: Strong Authentication
Know (something you know): • Passwords • PINs • Secrets, etc.
Have (something you have): • Computers • Phone / PDA • E-mail passcode
Are (something you are): • Fingerprints • Iris scans • Voice prints, etc.
Why a browser cookie-based approach?
• Strong security with minimal effort by end user
• Always requires a second factor of authentication (something you have): cookie credential or security question answers
• Signup straightforward and fast
• Non-intrusive: no change from today’s login experience when using primary computers; no change in browser settings required
• Preserves “access anywhere” ability of business banking: temporary access method
Bus Banking MFA: Using the computer as the 2nd factor
• On a computer of the user’s choice, a unique, secure device ID will be placed in the browser of the user’s PC
• Links the computer to the user for login
• During subsequent logins, Digital Insight will check for both the correct password and a matching device ID
• If the user logs in from an enrolled PC, then there is no change from the current login experience
• If the device ID is not present or mismatched, login is only allowed if the user answers the security questions correctly
• No limit on the number of computers a user can enroll
[Diagram: Business Banking Site; Laptop PC ID and Workroom PC ID linked to User#1 and User#2]
MFA Setup for Commercial Clients
• Our financial institution’s name for this product: _______________________________
• The email notification to the Company Administrator that a sub-user has been MFA Challenged is turned on / off (circle one)
• Temporary Access method we have selected:
  • Security Code (MFA Bypass Count set to: ________)
  • Security Questions with Second Request (Security Code Add-on enabled / disabled, circle one)
  • Security Questions with Reset (Security Code Add-on enabled / disabled, circle one)
• MFA will be enabled for all our commercial clients / for select ones only (circle one)
• Our MFA effective date is: _________ for all commercial clients OR we have set different dates for different clients
• Our commercial clients’ sub-users will / will not (circle one) be able to update their own email address (both when MFA is first enabled as well as once they’ve logged in)
IMPORTANT: Before you proceed with this webcast, make sure you know what features and setups your financial institution has chosen! Your project lead or manager should have given you information similar to what is outlined above. If you don’t have this information, please obtain it before continuing with this webcast.
Training Scenarios
We’ll go through five training scenarios. All scenarios assume you have the “MFA Required” box checked for this commercial client:
• Scenario 1: In the FI Admin Platform, your Super User has set the Effective Date = 2 weeks from today. Bryce the Business User logs in.
• Scenario 2: Bryce has forgotten the answers to his challenge questions.
• Scenario 3: Bailey the Business User is going on a “working vacation” for two weeks. She will be taking along her home laptop, from which she cannot access her business email account. MFA is enabled for her business, and she has already enrolled her regular work computer.
• Scenario 4: <Applies to “Security Questions with Reset” only.> Blaine the Business User was out on her honeymoon during the 1-week period your FI allowed before making MFA mandatory for her company. Her company email address changed, but her Company Administrator did not update it in Business Banking.
• Scenario 5: <Applies to “Security Code Add-on” only.> Blaine has forgotten her password, and needs to be reset.
Scenario 1 – Introduction
Scenario 1: In the FI Admin Platform, your Super User has set the Effective Date = 2 weeks from today.
• Bryce the Business User logs in for the first time after your FI has enabled MFA for this customer with the effective date 2 weeks away. He is presented with the confirm email address screen.
• Bryce confirms his email address is correct or updates it if not.
• Bryce sets up and confirms his questions and answers.
• Bryce continues to log in all week and the next.
• Two weeks from today, Bryce logs in and is prompted to enroll that computer in MFA. He does not.
• Later in the day, Bryce logs in again from his main work computer. He must answer the Security Questions correctly in order to log in, then enrolls his computer.
• WHY? Digital Insight recommends that you DO NOT make the effective date the same date that MFA is enabled. This gives your business users time to confirm or update their email address, as well as giving them notice about MFA.
Scenario 1 – Actions 1 & 2
1. Bryce the Business User logs in for the first time the day after MFA has been enabled for his business. He is presented with the confirm email address screen.
2. If the address is correct, Bryce clicks Yes. He will not be presented again with this screen upon future logins.
Scenario 1 – Action 2
If the address is incorrect, Bryce clicks No, and the screen refreshes to allow him to change his address (if your FI has checked the box to allow users to change their own email address). He will not be presented again with this screen upon future logins after he updates his address.
Notes:
• An email notification is sent to the Company Administrator when a user changes their email address.
• If the user clicks on Cancel, they are taken to the Security Question setup screen. They will not be presented with the Change Email Address screen again.
Scenario 1 – Action 2
If the address is incorrect, the user enters it in both boxes, then clicks on Update and gets a confirmation screen.
Note: The user will not be presented with this Change Email Address screen again when logging in. However, they can change their address at any time by going to Administration > Login Credentials > Change Email Address once they have successfully logged into Business Banking (if your FI has checked the box to allow users to change their own email address).
Scenario 1 – Action 2
OR, if your FI has not checked the box allowing users to update their own email address, Bryce will see a similar screen with different instructions. If his address is correct, Bryce clicks on Yes. If it’s incorrect, he clicks on No and then must contact his Company Administrator to update the address. Bryce will not be presented with this screen again.
Note: If it is the Company Administrator seeing this screen, they will be told to contact their FI administrator.
Scenario 1 – Action 3
1. Bryce is next presented with the MFA Security Questions screen. He picks one question from each set, enters his answers, then clicks on Continue.
Note: Because the MFA Effective Date has not been reached, Bryce can choose to “ask me later”. Once the Effective Date is reached, that button will not be present.
Security Questions
• The answers must meet the following guidelines:
  • Answers must have between 2 and 50 characters.
  • Special characters allowed: ! @ # $ % ^ & * . ( ) - ? _ ; : , ~ = + / “
  • Answers are not case-sensitive.
  • Each answer must be unique.
• The Help with Security Questions link opens a new browser window with a list of frequently asked questions.
Security Questions These are the 25 security questions (your FI cannot change these). Note that they are in sets of 5 – an end user must pick one question from each set.
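The answer guidelines above (2 to 50 characters, the listed special characters, case-insensitive comparison, unique answers) and the one-question-per-set rule are the kind of checks a server must enforce at setup time. The following Python is an added example written for this page, not code from Digital Insight or the Business Banking product. It assumes letters and digits are allowed alongside the listed specials and that spaces are permitted (neither is stated on the slide), and it stores answers as salted PBKDF2 hashes of the case-folded text, which is a design choice of this example rather than anything the deck describes.

```python
import hashlib
import hmac
import secrets

# Special characters the slide lists as allowed in an answer.
ALLOWED_SPECIALS = set('!@#$%^&*.()-?_;:,~=+/"')
# The slide says the 25 questions come in five sets; one question per set.
QUESTION_SETS = 5
# PBKDF2 work factor for stored answers (assumption of this example).
PBKDF2_ROUNDS = 100_000


def validate_answers(answers):
    """Return a list of problems with a full set of five answers.

    Rules from the slide: 2-50 characters, case-insensitive, every answer
    unique. Letters, digits and spaces being allowed is an assumption.
    An empty list means the set is acceptable."""
    problems = []
    if len(answers) != QUESTION_SETS:
        problems.append("exactly five answers are required, one per question set")
    seen = set()
    for i, ans in enumerate(answers, start=1):
        if not 2 <= len(ans) <= 50:
            problems.append(f"answer {i}: must be 2-50 characters")
        bad = {c for c in ans
               if not (c.isalnum() or c == " " or c in ALLOWED_SPECIALS)}
        if bad:
            problems.append(f"answer {i}: disallowed characters {sorted(bad)}")
        # Uniqueness is judged case-insensitively, since answers are compared that way.
        key = ans.strip().casefold()
        if key in seen:
            problems.append(f"answer {i}: duplicates an earlier answer")
        seen.add(key)
    return problems


def validate_question_choice(set_numbers):
    """set_numbers: the set (1-5) each chosen question belongs to.

    The user must have picked exactly one question from each set."""
    if sorted(set_numbers) != list(range(1, QUESTION_SETS + 1)):
        return ["pick exactly one question from each of the five sets"]
    return []


def hash_answer(answer, salt=None):
    """Salted PBKDF2 hash of the normalised answer, as 'salthex$digesthex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", answer.strip().casefold().encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def check_answer(stored, candidate):
    """Constant-time comparison of a submitted answer against a stored hash.

    Case differences do not matter because both sides are case-folded."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(stored, hash_answer(candidate, bytes.fromhex(salt_hex)))
```

Normalising with `casefold()` before hashing is what makes the stored value usable for case-insensitive checks without keeping the plaintext answer around; the plaintext is needed only at the moment of setup and verification.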
Scenario 1 – Action 3 2. Bryce confirms his answers. Note: Clicking on Cancel would take Bryce back to the setup screen.
Scenario 1 – Action 4 • Bryce is taken to his Business Banking session. He continues to log in all week and the next. Because the MFA Effective Date hasn’t occurred yet, and because Bryce has already updated and/or confirmed his email address, he will not notice anything different for the rest of the time period. He will not be prompted to enroll his computer in MFA, nor will he be challenged.
Scenario 1 – Action 5
Now it’s the MFA Effective Date. Bryce is logging in from his business partner’s computer and is prompted to enroll this computer. Because of the information about MFA that he received from your FI, he knows he should not enroll his account on this computer. He answers the questions correctly, does NOT check the Enroll box, and clicks Continue.
Notes:
• Bryce’s Company Administrator receives an email that he was challenged.
• The ‘Why do I need to answer these questions?’ link opens a new browser window with a detailed answer to this question.
Scenario 1 – Action 6
Later in the day, Bryce logs in from his main work computer. Because this computer is not enrolled, he is presented with the Security Question challenge screen. The MFA system chooses two questions at random, and Bryce answers them correctly. Bryce wants to enroll this computer now in MFA, so he checks the Enroll box, and clicks Continue. He is taken to his Business Banking session.
Note: A cookie is now installed on Bryce’s computer. If he has Macromedia Flash Player installed, an image is also made of that cookie.
Scenario 1 – Enrolling a Computer
More Notes on Enrolling:
• Once a user enrolls their first computer, the user is now enrolled in the MFA feature. Just setting up the answers to the Security Questions does not enroll the user.
• Once a computer/browser is enrolled, the user will see nothing different at future logins to Business Banking from that computer using that browser.
• If Bryce the Business User tries to access his Business Banking account from any other computer/browser, he will be presented with the Security Question challenge screen.
• If a user has Macromedia Flash Player (MMP) installed (most computers do), then an image will be made of that cookie. The result is that if cookies are deleted on that computer, the computer will NOT be unenrolled from MFA. Otherwise, it will be unenrolled, and the user will be challenged upon next login.
Security Question Information
A Business Banking user will be presented with the screen requesting they enter the Security Question answers in the following situations:
• When they attempt to log into Business Banking from an unenrolled computer/browser
• If they have cleared their cookies on a previously-enrolled computer and do not have the Macromedia Flash Player installed
• If the Company Administrator has reset them (see later in the training)
• If the Company Administrator has unenrolled all computers for that user (see later in the training)
Scenario 2a – “Security Questions with Second Request”
If your FI is not using the “Security Questions with Second Request” option, then skip to Slide 39 – Scenario 2b.
Scenario 2a – Security Questions with Second Request
Scenario 2a: It’s a month later, and Bryce is logging in from an unenrolled computer. He has forgotten the answers to his challenge questions. Your FI has chosen the “Security Questions with Second Request” option. This allows users to request a second set of questions if they feel they cannot answer the first set correctly.
Scenario 2a – Security Questions with Second Request
A. Bryce looks at the two questions presented and feels he can’t answer them correctly (remember he’s logging in from an unenrolled computer):
1. Bryce clicks on “Request Different Questions”.
Scenario 2a – Security Questions with Second Request
A. Bryce feels he can’t answer the questions correctly:
2. The screen refreshes and presents two of the remaining three questions.
3a. Bryce enters the answers correctly, clicks Continue, and is taken to his Business Banking session.
Scenario 2a – Security Questions with Second Request
A. Bryce feels he can’t answer the questions correctly. Alternatives to entering this 2nd set of answers correctly:
3b. If Bryce enters the answers incorrectly and clicks Continue, OR
3c. If Bryce clicks on “Request Different Questions” again,
THEN he is locked out. His Company Administrator will have to reset his account.
Scenario 2a – Security Questions with Second Request
B. If Bryce enters the wrong answers on the first try: he gets to try again. But eventually he will be locked out! See the “Bad Login Counter” and “Question Presentment Counter” slides in the “Front-line Staff Pointers” section (starting at p. 72) to learn when the account will be locked out of the system.
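The decision described in “Using the computer as the 2nd factor” (challenge only when no matching device ID is presented) and the Scenario 2a flow (two of five questions, one “Request Different Questions” that draws two of the remaining three, a second request or a wrong second set locking the account) can be written down as a small state machine. The Python below is an added example for this page and is not Digital Insight code. The lockout threshold for wrong answers on the first set is an assumption: the real “Bad Login Counter” value is on slides not reproduced here. The `needs_challenge`, `make_checker` and `ChallengeSession` names are this example’s own.

```python
import hmac
import secrets

# Assumed threshold: the real "Bad Login Counter" value is defined on slides
# not reproduced on this page.
FIRST_SET_ATTEMPTS = 3


def needs_challenge(user_id, device_cookie, enrolled_devices):
    """True when the login must go through Temporary Access.

    enrolled_devices maps user_id -> set of device IDs the user has enrolled;
    device_cookie is the device ID the browser presented, or None if absent.
    The comparison is constant-time so a mismatch leaks nothing about the ID."""
    if device_cookie is None:
        return True
    return not any(hmac.compare_digest(device_cookie, d)
                   for d in enrolled_devices.get(user_id, ()))


def make_checker(expected):
    """Build an answer check; the deck says answers are not case-sensitive."""
    norm = expected.strip().casefold()
    return lambda given: given.strip().casefold() == norm


class ChallengeSession:
    """One Temporary Access attempt under 'Security Questions with Second Request'."""

    def __init__(self, questions, rng=None):
        self.questions = questions            # question_id -> checker(answer) -> bool
        self.rng = rng or secrets.SystemRandom()
        self.remaining = list(questions)      # the user's five enrolled questions
        self.second_set = False
        self.bad_attempts = 0
        self.locked = False
        self.passed = False
        self.presented = self._draw()         # two of the five, chosen at random

    def _draw(self):
        pick = self.rng.sample(self.remaining, 2)
        self.remaining = [q for q in self.remaining if q not in pick]
        return pick

    def request_different(self):
        """'Request Different Questions': allowed once; a second request locks the account."""
        if self.locked or self.passed:
            return None
        if self.second_set:
            self.locked = True
            return None
        self.second_set = True
        self.presented = self._draw()         # two of the remaining three
        return self.presented

    def submit(self, answers):
        """answers: question_id -> text. True when both presented answers are right."""
        if self.locked or self.passed:
            return False
        if all(self.questions[q](answers.get(q, "")) for q in self.presented):
            self.passed = True
            return True
        if self.second_set:
            self.locked = True                # wrong on the second set locks immediately
        else:
            self.bad_attempts += 1            # first set: counted by the Bad Login Counter
            if self.bad_attempts >= FIRST_SET_ATTEMPTS:
                self.locked = True
        return False
```

Because the session tracks which questions have already been shown, a user can never see more than four of their five questions in one attempt, and a locked session returns `None` or `False` no matter what is sent afterwards; clearing `locked` is left to the Company Administrator reset described on the slide.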
Scenario 2b – “Security Questions with Reset”
If your FI is not using the “Security Questions with Reset” option, then skip to Slide 49 – Scenario 3.
Scenario 2b – Security Questions with Reset
Scenario 2b: It’s a month later, and Bryce is logging in from an unenrolled computer. He has forgotten the answers to his challenge questions. Your FI has chosen the “Security Questions with Reset” option, which is a combination of Security Questions and Security Code. The Security Code is only sent to the Business Banking user if they feel they cannot answer the Security Questions.
Scenario 2b – Security Questions with Reset
A. Bryce looks at the two questions presented, and feels he can’t answer them correctly (remember he’s logging in from an unenrolled computer):
1. Bryce clicks on “Change Questions”.
2. A one-time security code is sent via email to his email address on file.
Scenario 2b – Security Questions with Reset
A. If Bryce feels he can’t answer the questions correctly:
3. The screen refreshes to display the Security Code Challenge screen. An email is sent to his Company Administrator (if your FI has this enabled).
4. Bryce goes to his email account, does a “copy and paste” of the code to this screen, then clicks on Continue.
Scenario 2b – Security Questions with Reset
A. If Bryce feels he can’t answer the questions correctly:
5. Bryce is asked if he wants to enroll this computer in MFA.
6. He either does or does not, then clicks on Continue.
Scenario 2b – Security Questions with Reset
A. If Bryce feels he can’t answer the questions correctly:
7. Bryce sets up his Security Questions again. The system does not keep a history of previously entered questions and answers.
8. After clicking on Continue, he sees the confirmation screen, then is taken to his Business Banking session.
Scenario 2b – Security Questions with Reset
B. If Bryce enters the wrong answers: he gets to try again. But eventually he will be locked out! See the “Bad Login Counter” and “Question Presentment Counter” slides in the “Front-line Staff Pointers” section (starting at p. 72) to learn when the account will be locked out of the system.
Scenario 2b – Security Questions with Reset
C. If Bryce enters an incorrect Security Code (step 5):
6. Bryce is requested to enter the code again. Note that the code displays so he can see if he made a mistake in typing it. Bryce can also click on the link to request a new security code.
See the “Bad Login Counter” slide in the “Front-line Staff Pointers” section to learn when the account will be locked out of the system.
Scenario 2b – Security Code
Sample Security Code Email (image)
Scenario 2b – Security Code
Passcode Requirements:
• The passcode is comprised of a series of numbers (default is 6).
• The passcode is not case sensitive and may display on the screen in either case.
Passcode Timeouts:
• The passcode has a 30 minute timeout value from the time that it is generated. If the passcode has not been used within this time period, then the passcode automatically becomes invalid.
• Only one passcode is valid at any given time.
• If a user requests a new passcode, then all previously issued passcodes become invalid.
• Once a user successfully enters a passcode and is able to log in, that passcode becomes invalid.
• If a user requests a passcode and does not use it (perhaps because they are unable to access their email account), then that passcode will remain good for the duration of the timeout period. If the user attempts to log in again and they require the use of a passcode, and their previous passcode is still valid, the system will not automatically send them another when they reach the Passcode screen. Only if the end user requests a new passcode or if the passcode times out will a new passcode be automatically sent.
Other Information:
• A business user can set up 5 email addresses for the security access code to be sent to. The user will select upon challenge which email address they wish to use to receive the passcode.
The first and last bullets are new information since the webcast was recorded.
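The passcode rules above (6 digits, 30 minute lifetime, one live code per user, a new request invalidating the old one, single use, and no automatic resend while a code is still valid) fit in one small server-side store. The Python below is an added example written for this page, not Digital Insight code; the `PasscodeStore` class and its method names are this example’s own, and the clock is injectable only so the timeout can be exercised offline.

```python
import hmac
import secrets
import time

PASSCODE_DIGITS = 6              # slide: default length is 6 numbers
PASSCODE_TTL_SECONDS = 30 * 60   # slide: 30 minute timeout from generation


class PasscodeStore:
    """Holds at most one live passcode per user, following the slide's rules.

    `now` returns the current time in seconds; it defaults to time.time and is
    replaceable so the expiry behaviour can be tested without waiting."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # user_id -> (code, expires_at)

    def _live(self, user_id):
        """Return the user's passcode entry if still valid; drop it if expired."""
        entry = self._codes.get(user_id)
        if entry is not None and self._now() < entry[1]:
            return entry
        self._codes.pop(user_id, None)
        return None

    def reach_passcode_screen(self, user_id):
        """User lands on the Passcode screen: issue a code only if none is still valid.

        Returns the new code to be emailed, or None when the previous code stands."""
        if self._live(user_id) is not None:
            return None
        return self.request_new(user_id)

    def request_new(self, user_id):
        """User clicks the 'new code' link: any earlier code becomes invalid."""
        code = "".join(secrets.choice("0123456789") for _ in range(PASSCODE_DIGITS))
        self._codes[user_id] = (code, self._now() + PASSCODE_TTL_SECONDS)
        return code  # handed to the mailer; never returned to the browser

    def redeem(self, user_id, submitted):
        """Check a submitted code; a successful login consumes it."""
        entry = self._live(user_id)
        if entry is None:
            return False
        if not hmac.compare_digest(entry[0], submitted.strip()):
            return False
        del self._codes[user_id]
        return True
```

Keeping only one entry per user makes the “only one passcode is valid at any given time” rule structural rather than something checked on every path, and expiring lazily inside `_live` means a timed-out code can never be redeemed even if no cleanup job runs.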
Scenario 3 If you skipped the “Security Questions with Reset” section, you should be here.
Scenario 3 – Introduction
Scenario 3: Bailey the Business User is going on a “working vacation” for two weeks. She will be taking along her home laptop, from which she cannot access her business email account. MFA is enabled for her business, the Effective Date has passed, and she has already enrolled her regular work computer.
• Bailey changes her email address in Business Banking to one she can access via a web mail account. OR, if your FI will not allow users to change their own address, her Company Administrator does it for her. <This is only important if your FI is using “Security Questions with Reset”>
• Bailey logs in for the first time from her laptop and is presented with the Security Questions screen. She enrolls this computer at the same time.
• She decides to change her Security Questions answers, because while she could answer the two she was presented with, she wasn’t completely sure of them.
• Bailey continues to log in for the next two weeks.
• When she returns home, she is not planning to use that laptop again for work, so she unenrolls that computer.