Multifactor Authentication for Business Banking Customer Platform: Certification Webcast for Security Questions

Laura Sund Martin
Digital Insight University
Business Banking v. 4.16

© 2010 Digital Insight, an Intuit company. May not be reproduced in whole or in part without written permission.

Slide 2: Some Recorded Webcast Pointers

Note that you’ve got controls along the bottom of the webcast window. You can pause the webcast if you need to take a short break, rewind to review, forward, or stop.

This webcast is best viewed with Media Player 10 or higher and the Replay Wrapper installed. If you don’t see a list of the slides on the left side of your screen, you don’t have the Replay Wrapper installed. See next slide for how to install both MP10 and the Replay Wrapper.

If you need to stop the webcast and finish it at a later time, note that the slide names/numbers appear in a window to the left. When you access the webcast later, simply scroll to the name of the next slide from where you left off. It will take a moment to jump to that spot, and then you are on your way!

Slide 3: Some Recorded Webcast Pointers

If you don’t have the dropdown menu showing the slide deck, stop the recording, return to this screen, and install the Replay Wrapper. You must have Media Player 10 to install the Wrapper.

Slide 4: Some Volume Pointers

Did you know… there are 3-4 ways to change the volume on your computer for a webcast? If you are having problems hearing my voice, please hit your PAUSE button and check the following:

• The Windows Media Player software: You have a volume control (typically a slide bar) at the bottom of your Player window.
• Your computer software: If you’re using Windows, in the lower right corner you should have a sound control icon. Double click on this, and check the following: 1) everything should be set at maximum and 2) none of the “mute” options are checked.
• Your computer’s sound card: On your computer (especially if it’s a laptop), the sound card may have a volume control. Feel or look around your computer to see if there is a volume control.
• External speaker control: This is the most obvious one and you’ve probably already thought of it!

If you have adjusted all those settings, and experience normal audio volumes listening to other sources of PC audio (go to another site, like www.cnn.com, to test it out), then please contact Microsoft Customer Support at 866-493-2825 and they can work further with you.

Slide 5: Session Objectives – Security Questions Webcast

Overall Objective: This webcast will train you on how your business users will use multifactor authentication (MFA) to increase their login security, and how to track MFA activity in the FI Admin Platform.

Specifically we will cover:

• What multifactor authentication is
• How business users enroll and unenroll in MFA
• How enrolled users log in
• MFA features for Company Administrators
• How FI administrators use FI Admin Platform to create reports on MFA

Please note that this webcast is for financial institutions offering the Security Questions option for MFA!

Slide 6: Completing this Training

We have designed this MFA Security Questions training for multiple employees at your financial institution:

• If you are a cash management specialist or service rep who needs to talk to your commercial clients about MFA but will NOT be using the FI Admin Platform, you’ll complete through slide 73. The trainer will remind you at that point that you can exit the webcast.
• If you are an FI admin who will be using the FI Admin Platform, you’ll complete the entire webcast.
• If you are the Project Lead, be sure you view the Enablement Webcast before you view this one!

Slide 7: Product Overview

If you have already viewed the Enablement Webcast, skip to slide 15 “Using MFA on the Commercial Customer Platform”.

Slide 8: Why MFA?

In the fall of 2005, the Federal Financial Institutions Examination Council (FFIEC), the regulators overseeing banks and credit unions, communicated that passwords alone will no longer be acceptable as the sole means of achieving online security. Multifactor authentication (MFA) was the recommended solution.

MFA requires online users to provide something additional beyond today’s username and password to log in. This enhanced security means that even if a user has their password stolen in a phishing attack or by malicious software, the fraudster cannot access online accounts because they do not possess the additional factors needed, which are harder to steal. By offering MFA, our clients can give their consumers and businesses peace of mind when using online products and services.

So why are we doing this? To protect your end users’ sensitive information!

Slide 9: Basic MFA Steps

After your FI has enabled MFA:

1. Business Banking user logs into Business Banking.
2. User must choose five security questions and enter answers for each.
3. User can choose to enroll the computer they are currently using in MFA.
   a. If they do – the next time they log in, they will see nothing different.
   b. If they do not – the next time they log in, they will be presented with the Security Question screen, displaying two of their five questions.

Security Question options:

Your FI has chosen one of two options:

• “Security Questions with Second Request” – if the user feels they cannot answer the first two questions they are presented with, they can request different questions.
• “Security Questions with Reset” – if the user feels they cannot answer the first two questions they are presented with, they can request a one-time security code to be sent via email to their email address on file. They must set up their questions again upon next login.

These two options are similar enough to cover in one training. However, you will find a few “skips” for sections that pertain to only one or the other.

Slide 10: Terms & Definitions

Single Armored authentication – The process of authenticating user credentials where the only credentials authenticated are the User ID and password.

MFA – Multifactor Authentication. The process adds an additional credential to be authenticated.

Enhanced Login Security – This is the default feature label for the MFA product. You will be allowed to choose a different name if you desire.

Enroll a Computer – The process whereby a user chooses to define a particular computer as their additional factor for purposes of authentication. A cookie is installed on the computer.

Un-enroll a Computer – Where a user removes the computer as the additional factor.

Enrolled User – Any user who has opted in to the MFA feature. First time enrollment is accomplished when the user has successfully enrolled their first computer.

Credentials – Data elements that are needed in order to log in. This may include User ID, password, and browser cookie as well as Company ID and Company password.

Factors – Data elements that are required to log in above and beyond User ID. These factors may include password, browser cookie and email Security Code.

Temporary Access – Login where the user is enabled for the MFA Required feature and is attempting to log in from a computer that has not been recognized.

Invalid Cookie – A cookie that does not match the user credentials or a cookie that has been expired or marked invalid by the MFA system.

Slide 11: Terms & Definitions

Security Questions – A set of questions and answers generated by the end user when they first enroll in MFA. Answering these questions allows an MFA user to initiate a Business Banking session via Temporary Access.

Security Questions with Second Request – With Temporary Access, if the user feels they cannot answer the first set of questions presented, they may request another set.

Security Questions with Reset – With Temporary Access, if the user feels they cannot answer the first set of questions presented, they may request to reset their questions. A security code is emailed to them, which they must use to log in.

FI – Financial institution

FI admin – An FI employee who is responsible for managing, overseeing, reporting on, etc. a particular product. There may be 1 or more FI admins per product at an FI.

Front-line Staff – FI employees who communicate with commercial clients, e.g. cash management specialists or customer service reps.

Slide 12: Fraud Prevention: Strong Authentication

• Know: Passwords, PINs, secrets, etc.
• Have: Computers, phone / PDA, e-mail passcode
• Are: Fingerprints, iris scans, voice prints, etc.

Slide 13: Why a browser cookie-based approach?

• Strong security with minimal effort by end user
• Always requires a second factor of authentication (something you have)
• Cookie credential or security question answers
• Signup straightforward and fast
• Non-intrusive
• No change from today’s login experience when using primary computers
• No change in browser settings required
• Preserves “access anywhere” ability of business banking
• Temporary access method

Slide 14: Bus Banking MFA: Using the computer as the 2nd factor

• On computer of user’s choice, a unique, secure device ID will be placed in the browser of the user’s PC
• Links the computer to the user for login
• During subsequent logins, Digital Insight will check for both correct password & matching device ID
• If user logs in from an enrolled PC, then no change from current login experience
• If device ID is not present or mismatched, login is only allowed if the user answers security questions correctly
• No limit on number of computers a user can enroll

[Diagram: User #1 and User #2, a Laptop PC and a Workroom PC carrying device IDs, and the Business Banking Site]

Slide 15: Using MFA on the Commercial Customer Platform

Slide 16: MFA Setup for Commercial Clients

1. Our financial institution’s name for this product: _______________________________
2. The email notification to the Company Administrator that a sub-user has been MFA Challenged is turned on / off (circle one)
3. Temporary Access method we have selected:
   • Security Code
     MFA Bypass Count set to: ________
   • Security Questions with Second Request
     Security Code Add-on enabled / disabled (circle one)
   • Security Questions with Reset
     Security Code Add-on enabled / disabled (circle one)
4. MFA will be enabled for all our commercial clients / for select ones only (circle one)
5. Our MFA effective date is: _________ for all commercial clients OR we have set different dates for different clients
6. Our commercial clients’ sub-users will / will not (circle one) be able to update their own email address (both when MFA is first enabled as well as once they’ve logged in)

IMPORTANT: Before you proceed with this webcast, make sure you know what features and setups your financial institution has chosen! Your project lead or manager should have given you information similar to what is outlined above. If you don’t have this information, please obtain it before continuing with this webcast.

Slide 17: Training Scenarios

We’ll go through five training scenarios. All scenarios assume you have the “MFA Required” box checked for this commercial client:

Scenario 1: In the FI Admin Platform, your Super User has set the Effective Date = 2 weeks from today. Bryce the Business User logs in.

Scenario 2: Bryce has forgotten the answers to his challenge questions.

Scenario 3: Bailey the Business User is going on a “working vacation” for two weeks. She will be taking along her home laptop, from which she cannot access her business email account. MFA is enabled for her business, and she has already enrolled her regular work computer.

Scenario 4: <Applies to “Security Questions with Reset” only.> Blaine the Business User was out on her honeymoon during the 1-week period your FI allowed before making MFA mandatory for her company. Her company email address changed, but her Company Administrator did not update it in Business Banking.

Scenario 5: <Applies to “Security Code Add-on” only.> Blaine has forgotten her password, and needs to be reset.

Slide 18: Scenario 1

Slide 19: Scenario 1 – Introduction

Scenario 1: In the FI Admin Platform, your Super User has set the Effective Date = 2 weeks from today.

1. Bryce the Business User logs in for the first time after your FI has enabled the MFA for this customer with the effective date 2 weeks away. He is presented with the confirm email address screen.
2. Bryce confirms his email address is correct or updates it if not.
3. Bryce sets up and confirms his questions and answers.
4. Bryce continues to log in all week and the next.
5. Two weeks from today, Bryce logs in and is prompted to enroll that computer in MFA. He does not.
6. Later in the day, Bryce logs in again from his main work computer. He must answer the Security Questions correctly in order to log in, then enrolls his computer.

WHY? Digital Insight recommends that you DO NOT make the effective date the same date that MFA is enabled. This gives your business users time to confirm or update their email address, as well as give them notice about MFA.

Slide 20: Scenario 1 – Actions 1 & 2

1. Bryce the Business User logs in for the first time the day after MFA has been enabled for his business. He is presented with the confirm email address screen.

2. If the address is correct, Bryce clicks Yes. He will not be presented again with this screen upon future logins.

Slide 21: Scenario 1 – Action 2

If the address is incorrect, Bryce clicks No, and the screen refreshes to allow him to change his address (if your FI has checked the box to allow users to change their own email address). He will not be presented again with this screen upon future logins after he updates his address.

Notes:

1. An email notification is sent to the Company Administrator when a user changes their email address.
2. If the user clicks on Cancel, they are taken to the Security Question setup screen. They will not be presented with the Change Email Address screen again.

Slide 22: Scenario 1 – Action 2

If the address is incorrect, the user enters it in both boxes, then clicks on Update and gets a confirmation screen.

Note: The user will not be presented with this Change Email Address screen again when logging in. However, they can change their address at any time by going to Administration > Login Credentials > Change Email Address once they have successfully logged into Business Banking. (If your FI has checked the box to allow users to change their own email address.)

Slide 23: Scenario 1 – Action 2

OR – if your FI has not checked the box allowing users to update their own email address, Bryce will see a similar screen with different instructions:

If his address is correct, Bryce clicks on Yes. If it’s incorrect, he clicks on No and then must contact his Company Administrator to update the address. Bryce will not be presented with this screen again.

Note: If it is the Company Administrator seeing this screen, they will be told to contact their FI administrator.

Slide 24: Scenario 1 – Action 3

1. Bryce is next presented with the MFA Security Questions screen. He picks one question from each set, enters his answers, then clicks on Continue.

Note: Because the MFA Effective Date has not been reached, Bryce can choose to “ask me later”. Once the Effective Date is reached, that button will not be present.

Slide 25: Security Questions

The answers must meet the following guidelines:

• Answers must have between 2 and 50 characters.
• Special characters allowed: ! @ # $ % ^ & * . ( ) - ? _ ; : , ~ = + / “
• Answers are not case-sensitive.
• Each answer must be unique.

The Help with Security Questions link opens a new browser window with a list of frequently asked questions.
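The answer guidelines above, written as a validator for one setup submission (an added example, not Digital Insight's code). It assumes letters, digits and spaces are accepted alongside the listed special characters, reads the slide's final quote mark as a plain double quote, and applies the uniqueness rule after ignoring case; the `(set, question, answer)` input shape and the function names are hypothetical.

```python
import string

MIN_LEN, MAX_LEN = 2, 50
QUESTION_SETS = 5        # five sets on the setup screen
QUESTIONS_PER_SET = 5    # 25 questions in total
# Special characters listed on the slide. Assumption: its final curly quote
# is a plain double quote.
ALLOWED_SPECIALS = set('!@#$%^&*.()-?_;:,~=+/"')
# Assumption: letters, digits and spaces are accepted as well.
ALLOWED_CHARS = set(string.ascii_letters + string.digits + " ") | ALLOWED_SPECIALS


def normalize(answer):
    """Form used for storing and comparing answers (not case-sensitive)."""
    return answer.strip().lower()


def validate_enrollment(picks):
    """Check one setup submission.

    picks: list of (set_number, question_number, answer) tuples
           (hypothetical input shape).
    Returns a list of error strings; an empty list means accepted.
    """
    errors = []
    if sorted(s for s, _, _ in picks) != list(range(1, QUESTION_SETS + 1)):
        errors.append("pick exactly one question from each of the five sets")
    seen = {}  # normalized answer -> set number that used it first
    for set_no, question_no, raw in picks:
        answer = raw.strip()
        if not 1 <= question_no <= QUESTIONS_PER_SET:
            errors.append(f"set {set_no}: no such question {question_no}")
        if not MIN_LEN <= len(answer) <= MAX_LEN:
            errors.append(f"set {set_no}: answer must have between "
                          f"{MIN_LEN} and {MAX_LEN} characters")
        bad = sorted(set(answer) - ALLOWED_CHARS)
        if bad:
            errors.append(f"set {set_no}: characters not allowed: {' '.join(bad)}")
        key = normalize(answer)
        if key in seen:
            # "Rover" and "ROVER" are the same answer once case is ignored.
            errors.append(f"set {set_no}: answer duplicates the one for set {seen[key]}")
        else:
            seen[key] = set_no
    return errors


# Constructed sample submission: one question from each set.
SAMPLE = [
    (1, 2, "Rover"),
    (2, 1, "Springfield"),
    (3, 5, "Blue-42"),
    (4, 3, "O.K. Corral"),
    (5, 4, "Mrs. Smith"),
]

if __name__ == "__main__":
    print(validate_enrollment(SAMPLE) or "accepted")
```
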

Slide 26: Security Questions

These are the 25 security questions (your FI cannot change these). Note that they are in sets of 5 – an end user must pick one question from each set.

Slide 27: Scenario 1 – Action 3

2. Bryce confirms his answers.

Note: Clicking on Cancel would take Bryce back to the setup screen.

Slide 28: Scenario 1 – Action 4

Bryce is taken to his Business Banking session. He continues to log in all week and the next. Because the MFA Effective Date hasn’t occurred yet, and because Bryce has already updated and/or confirmed his email address, he will not notice anything different for the rest of the time period. He will not be prompted to enroll his computer in MFA, nor will he be challenged.

Slide 29: Scenario 1 – Action 5

Now it’s the MFA Effective Date. Bryce is logging in from his business partner’s computer and is prompted to enroll this computer. Because of the information about MFA that he received from your FI, he knows he should not enroll his account on this computer. He answers the questions correctly, does NOT check the Enroll box, and clicks Continue.

Notes:

1. Bryce’s Company Administrator receives an email that he was challenged.
2. The ‘Why do I need to answer these questions?’ link opens a new browser window with a detailed answer to this question.

Slide 30: Scenario 1 – Action 6

Later in the day, Bryce logs in from his main work computer. Because this computer is not enrolled, he is presented with the Security Question challenge screen. The MFA system chooses two questions at random, and Bryce answers them correctly.

Bryce wants to enroll this computer now in MFA, so he checks the Enroll box, and clicks Continue. He is taken to his Business Banking session.

Note: A cookie is now installed on Bryce’s computer. If he has Macromedia Flash Player installed, an image is also made of that cookie.

Slide 31: Scenario 1 – Enrolling a Computer

More Notes on Enrolling:

1. Once a user enrolls their first computer, the user is now enrolled in the MFA feature. Just setting up the answers to the Security Questions does not enroll the user.
2. Once a computer/browser is enrolled, the user will see nothing different at future logins to Business Banking from that computer using that browser.
3. If Bryce the Business User tries to access his Business Banking account from any other computer/browser, he will be presented with the Security Question challenge screen.
4. If a user has Macromedia Flash Player (MMP) installed (most computers do), then an image will be made of that cookie. The result is that if cookies are deleted on that computer, the computer will NOT be unenrolled in MFA. Otherwise, they will be unenrolled, and will be challenged upon next login.

Slide 32: Security Question Information

A Business Banking user will be presented with the screen requesting they enter the Security Question answers in the following situations:

• When they attempt to log into Business Banking from an unenrolled computer/browser
• If they have cleared their cookies on a previously-enrolled computer and do not have the Multimedia Flash Player installed
• If the Company Administrator has reset them (see later in the training)
• If the Company Administrator has unenrolled all computers for that user (see later in the training)

Slide 33: Scenario 2a – “Security Questions with Second Request”

If your FI is not using the “Security Questions with Second Request” option, then skip to Slide 39 – Scenario 2b.

Slide 34: Scenario 2a – Security Questions with Second Request

Scenario 2a: It’s a month later, and Bryce is logging in from an unenrolled computer. He has forgotten the answers to his challenge questions. Your FI has chosen the “Security Questions with Second Request” option. This allows users to request a second set of questions if they feel they cannot answer the first set correctly.

Slide 35: Scenario 2a – Security Questions with Second Request

A. Bryce looks at the two questions presented and feels he can’t answer them correctly (remember he’s logging in from an unenrolled computer):

1. Bryce clicks on “Request Different Questions”.

Slide 36: Scenario 2a – Security Questions with Second Request

A. Bryce feels he can’t answer the questions correctly:

2. The screen refreshes and presents two of the remaining three questions.

3a. Bryce enters the answers correctly, clicks Continue, and is taken to his Business Banking session.

Page 37

Scenario 2a – Security Questions with Second Request

A. Bryce feels he can’t answer the questions correctly:

Alternatives to entering this 2nd set of answers correctly:

3b. If Bryce enters the answers incorrectly and clicks Continue, OR

3c. If Bryce clicks on “Request Different Questions” again

THEN he is locked out. His Company Administrator will have to reset his account.

Page 38

Scenario 2a – Security Questions with Second Request

B. If Bryce enters the wrong answers on the first try:

He gets to try again. But eventually he will be locked out!

See the “Bad Login Counter” and “Question Presentment Counter” slides in the “Front-line Staff Pointers” section (starting at p. 72) to learn when the account will be locked out of the system.

Page 39

Scenario 2b: “Security Questions with Reset”

If your FI is not using the “Security Questions with Reset” option, then skip to Slide 49 – Scenario 3.

Page 40

Scenario 2b – Security Questions with Reset

Scenario 2b: It’s a month later, and Bryce is logging in from an unenrolled computer. He has forgotten the answers to his challenge questions. Your FI has chosen the “Security Questions with Reset” option, which is a combination of Security Questions and Security Code. The Security Code is only sent to the Business Banking user if they feel they cannot answer the Security Questions.

Page 41

Scenario 2b – Security Questions with Reset

A. Bryce looks at the two questions presented, and feels he can’t answer them correctly (remember he’s logging in from an unenrolled computer):

1. Bryce clicks on “Change Questions”.

2. A one-time security code is sent via email to his email address on file.

Page 42

Scenario 2b – Security Questions with Reset

A. If Bryce feels he can’t answer the questions correctly:

3. The screen refreshes to display the Security Code Challenge screen. An email is sent to his Company Administrator (if your FI has this enabled).

4. Bryce goes to his email account, does a “copy and paste” of the code to this screen, then clicks on Continue.

Page 43

Scenario 2b – Security Questions with Reset

A. If Bryce feels he can’t answer the questions correctly:

5. Bryce is asked if he wants to enroll this computer in MFA.

6. He either does or does not, then clicks on Continue.

Page 44

Scenario 2b – Security Questions with Reset

A. If Bryce feels he can’t answer the questions correctly:

7. Bryce sets up his Security Questions again. The system does not keep a history of previously entered questions and answers.

8. After clicking on Continue, he sees the confirmation screen, then is taken to his Business Banking session.

Page 45

Scenario 2b – Security Questions with Reset

B. If Bryce enters the wrong answers:

He gets to try again. But eventually he will be locked out!

See the “Bad Login Counter” and “Question Presentment Counter” slides in the “Front-line Staff Pointers” section (starting at p. 72) to learn when the account will be locked out of the system.

Page 46

Scenario 2b – Security Questions with Reset

C. If Bryce enters an incorrect Security Code (step 5):

6. Bryce is requested to enter the code again. Note that the code displays so he can see if he made a mistake in typing it.

Bryce can also click on the link to request a new security code.

See the “Bad Login Counter” slide in the “Front-line Staff Pointers” section to learn when the account will be locked out of the system.

Page 47

Scenario 2b – Security Code

Sample Security Code Email

Page 48

Scenario 2b – Security Code

Passcode Requirements: The passcode is comprised of a series of numbers (default is 6). The passcode is not case sensitive and may display on the screen in either case.

Passcode Timeouts: The passcode has a 30 minute timeout value from the time that it is generated. If the passcode has not been used within this time period, then the passcode automatically becomes invalid. Only one passcode is valid at any given time. If a user requests a new passcode, then all previously issued passcodes become invalid. Once a user successfully enters a passcode and is able to log in, that passcode becomes invalid. If a user requests a passcode and does not use it (perhaps because they are unable to access their email account), then that passcode will remain good for the duration of the timeout period. If the user attempts to log in again and they require the use of a passcode, and their previous passcode is still valid, the system will not automatically send them another when they reach the Passcode screen. Only if the end user requests a new passcode or if the passcode times out will a new passcode be automatically sent.

Other Information: A business user can set up 5 email addresses for the security access code to be sent to. The user will select upon challenge which email address they wish to use to receive the passcode.

The first and last bullets are new information since the webcast was recorded.

Page 49

Scenario 3

If you skipped the “Security Questions with Reset” section, you should be here.

Page 50

Scenario 3 – Introduction

Scenario 3: Bailey the Business User is going on a “working vacation” for two weeks. She will be taking along her home laptop, from which she cannot access her business email account. MFA is enabled for her business, the Effective Date has passed, and she has already enrolled her regular work computer.

1. Bailey changes her email address in Business Banking to one she can access via a web mail account. OR If your FI will not allow users to change their own address, her Company Administrator does it for her. <This is only important if your FI is using “Security Questions with Reset”>

2. Bailey logs in for the first time from her laptop and is presented with the Security Questions screen. She enrolls this computer at the same time.

3. She decides to change her Security Questions answers, because while she could answer the two she was presented with, she wasn’t completely sure of them.

4. Bailey continues to log in for the next two weeks.

5. When she returns home, she is not planning to use that laptop again for work, so she unenrolls that computer.

Page 51

Scenario 3 – Action 1

1. <If your FI is using “Security Questions with Reset”> Bailey changes her email address in Business Banking to one she can access via a web mail account. OR If your FI will not allow users to change their own address, her Company Administrator does it for her.

If Bailey is allowed to do it herself, she goes to Administration > Login Credentials > Change Email Address.

Note: If Bailey is not allowed to do it herself, her Company Administrator goes to Administration > User Maintenance and changes it for her.

Page 52

Scenario 3 – Action 2

2. Bailey logs in for the first time from her laptop and is presented with the Security Question screen. She enters her answers. Before she clicks on Continue, she checks the “Enroll this Computer for Future Use” box, since she will be using this computer for the next two weeks and it’s not a public computer.

This works the same way as when she enrolled her work computer (see Scenario 1).

Remember that if she doesn’t think she can answer, she can click on “Request Different Questions” (if your FI has the “Security Questions with Second Request” option) OR “Change Questions” (if your FI has the “Security Questions with Reset” option).

Page 53

Scenario 3 – Action 3

3. Bailey wants to change her Security Question answers. She goes to Administration > Login Credentials > Maintain Security Questions.

Page 54

Scenario 3 – Action 3

Bailey chooses five questions and enters her answers, then clicks on Continue. She is taken to the confirmation screen (see Scenario 1).

Notes:

1. All five questions must be selected and all five answers must be entered. Users do not have the ability to change a select number of questions; it is either all or none.

2. None of her previous answers are remembered, so she can reuse answers.

3. Click the ‘reset’ button to remove all entries on the screen.

Page 55

Scenario 3 – Action 4

4. Bailey continues to log in for the next two weeks. Because she has enrolled this computer, she is taken straight to her Business Banking session after she enters the required login information.

Page 56

Scenario 3 – Action 5

5. Back home, Bailey is not planning to use that laptop again for work, so she unenrolls that computer by going to Administration > Login Credentials > Unenroll Computers. The system removes the cookie and the Macromedia Player (MMP) object from her browser.

Notes:

1. Bailey is still enrolled in MFA! So if she logs in again from this or any unenrolled computer, she will not be allowed into her Business Banking session until she answers the security questions.

2. She should only select this option if she is not going to be using this computer for Business Banking again.

3. This ‘Unenroll Computers’ section will only display if your financial institution has enabled MFA for the company and the ‘MFA Effective Date’ has been reached.

4. Deleting a computer’s cookies also unenrolls that computer (unless the user has the Multimedia Flash Player installed).

Page 57

Unenroll from the System

Users select the second option to unenroll all computers from MFA. The system removes/invalidates the cookie from the user’s browser on this computer, and invalidates the cookies on any other registered computers (plus the MMP objects, if present).

Note: As long as MFA is enabled for this client, a user who unenrolls all computers will be challenged each time they log into Business Banking.

Page 58

Scenario 4: “Security Questions with Reset”

If your FI is not using “Security Questions with Reset”, skip to Slide 63 – Scenario 5.

Page 59

Scenario 4 – Action 1

Scenario 4: Blaine the Business User was out on her honeymoon during the 1-week period your FI allowed before making MFA mandatory for her company. Her company email address changed, but her Company Administrator did not update it in Business Banking.

1. Blaine returns to work and attempts to log into Business Banking.

This scenario only applies if your FI is using the “Security Questions with Reset” option.

Page 60

Scenario 4 – Action 2

2. The MFA Effective Date has passed, so Blaine is NOT prompted with the Email Confirmation screen. Instead, she is presented with the Security Questions screen. She sets up her questions and answers but is in a hurry, so neglects to enroll her computer.

Note that the “Ask Me Later” button is gone, since the Effective Date has passed.

Page 61

Scenario 4 – Action 3

3. The next day, Blaine tries to log in again. She has forgotten her answers, so she clicks on “Change Questions”.

Page 62

Scenario 4 – Actions 4 & 5

4. The system tells her to get her Security Code from her email account. However, when she checks her (new) email, the security code is not in her inbox.

5. Blaine is stuck – she cannot get into her Business Banking account because her email address as stored in Business Banking is incorrect. She must contact her company admin and have him change her email address. Then she can try again.

WHY? It’s critical that you educate your Company Administrators about the importance of email addresses. They must make sure that everyone’s address is correct.

Page 63

Scenario 5: “Security Code Add-on”

If your FI is not using “Security Code Add-on”, skip to Slide 72 – Front-line Staff Pointers.

Page 64

Scenario 5 – Introduction

Security Code Add-on Information:

Your financial institution has chosen to require certain users to enter a Security Code in order to access Business Banking.

This means that once the MFA Effective Date has been reached, any user who does not have a valid cookie in their browser AND does not have security questions set up in the system (because the user is new or the security questions have been reset) will be challenged to enter a Security Code the next time they log into their Business Banking account.

Because this code is emailed to them, the Company Administrator must be sure when setting up or resetting a user that their email address is accurate.

This scenario only applies if your FI has checked the “Security Code Add-on” option.

Page 65

Scenario 5 – Introduction

Scenario 5: Blaine has forgotten her password and the Company Administrator must reset her.

1. Blaine logs in and is presented with the Security Code screen. She goes to her email account, and does a “copy and paste” to enter the code on this screen.

2. She must set up the answers to her security questions again.

3. She checks the box to re-enroll this computer.

4. She must change her password.

5. Blaine now can access Business Banking.

Note: When a user is reset, their password and their answers to the Security Questions are deleted from the database, and all computers are unenrolled from MFA.

This scenario also works for setting up new users (once the MFA Effective Date has been reached), i.e. new users will also follow this scenario flow upon first login.

Page 66

Scenario 5 – Action 1

1. Blaine logs in and is presented with the Security Code screen. She goes to her email account, and does a “copy and paste” to enter the code on this screen, then clicks Continue.

Page 67

Scenario 5 – Action 2

2. Blaine sets up her Security Questions again. The system does not keep a history of previously entered questions and answers. After clicking on Continue, she sees the confirmation screen.

Page 68

Scenario 5 – Action 3

3. She checks the box to re-enroll this computer.

Page 69

Scenario 5 – Action 4

4. Blaine is required to change her password. Once changed, she is taken to her Business Banking session.

Page 70

Scenario 5 – Security Code

Sample Security Code Email

Note: These next two slides are repeated from Scenario 2b.

Page 71

Scenario 5 – Security Code

Passcode Requirements: The passcode is comprised of a series of numbers (default is 6). The passcode is not case sensitive and may display on the screen in either case.

Passcode Timeouts: The passcode has a 30 minute timeout value from the time that it is generated. If the passcode has not been used within this time period, then the passcode automatically becomes invalid. Only one passcode is valid at any given time. If a user requests a new passcode, then all previously issued passcodes become invalid. Once a user successfully enters a passcode and is able to log in, that passcode becomes invalid. If a user requests a passcode and does not use it (perhaps because they are unable to access their email account), then that passcode will remain good for the duration of the timeout period. If the user attempts to log in again and they require the use of a passcode, and their previous passcode is still valid, the system will not automatically send them another when they reach the Passcode screen. Only if the end user requests a new passcode or if the passcode times out will a new passcode be automatically sent.

Other Information: A business user can set up 5 email addresses for the security access code to be sent to. The user will select upon challenge which email address they wish to use to receive the passcode.

The first and last bullets are new information since the webcast was recorded.
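The passcode rules on this slide (and on its earlier copy in Scenario 2b) can be read as a small state machine. The following Python model is an added example, not the platform's code; the class and method names, the injected clock, the in-memory outbox, and the choice to store only a hash of the code are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TIMEOUT_SECONDS = 30 * 60  # slide: 30 minute timeout, counted from generation
DEFAULT_DIGITS = 6         # slide: a series of numbers, default is 6
MAX_EMAILS = 5             # slide: up to 5 delivery addresses per business user


class FakeClock:
    """Manually advanced clock so the timeout rules can be shown offline."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


def digest(code):
    # Assumption (not from the slides): only a hash of the code is stored.
    return hashlib.sha256(code.encode()).digest()


class PasscodeService:
    def __init__(self, clock):
        self.clock = clock
        self.emails = {}   # user -> addresses on file
        self.active = {}   # user -> (digest, issued_at); at most one per user
        self.outbox = []   # (address, code) pairs standing in for sent email

    def register_emails(self, user, addresses):
        if not 1 <= len(addresses) <= MAX_EMAILS:
            raise ValueError("a user may have between 1 and 5 addresses")
        self.emails[user] = list(addresses)

    def has_live_code(self, user):
        record = self.active.get(user)
        return record is not None and self.clock() - record[1] < TIMEOUT_SECONDS

    def request_new(self, user, address):
        """Explicit request: issue a code and invalidate any earlier one."""
        if address not in self.emails.get(user, []):
            raise ValueError("address is not on file for this user")
        code = "".join(secrets.choice("0123456789") for _ in range(DEFAULT_DIGITS))
        self.active[user] = (digest(code), self.clock())  # overwrites the old code
        self.outbox.append((address, code))

    def reach_passcode_screen(self, user, address):
        """Auto-send only if no live code exists. Returns True if mail was sent."""
        if self.has_live_code(user):
            return False
        self.request_new(user, address)
        return True

    def verify(self, user, submitted):
        if not self.has_live_code(user):
            self.active.pop(user, None)   # expired or never issued
            return False
        # strip() tolerates whitespace picked up by copy and paste
        ok = hmac.compare_digest(self.active[user][0], digest(submitted.strip()))
        if ok:
            del self.active[user]         # a used code cannot be replayed
        return ok


def demo():
    """Walk the slide's rules in order and return what the model decided."""
    clock = FakeClock()
    svc = PasscodeService(clock)
    addr = "bryce@example.test"   # constructed address
    svc.register_emails("bryce", [addr])
    results = {}
    results["auto_sent_first_visit"] = svc.reach_passcode_screen("bryce", addr)
    clock.now += 10 * 60
    results["auto_sent_while_live"] = svc.reach_passcode_screen("bryce", addr)
    code = svc.outbox[-1][1]
    results["accepted_at_10_min"] = svc.verify("bryce", code)
    results["replay_accepted"] = svc.verify("bryce", code)
    svc.request_new("bryce", addr)
    late = svc.outbox[-1][1]
    clock.now += TIMEOUT_SECONDS
    results["accepted_after_timeout"] = svc.verify("bryce", late)
    results["auto_sent_after_timeout"] = svc.reach_passcode_screen("bryce", addr)
    return results


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(rule, outcome)
```

The model does not count failed attempts; on the platform those are handled by the Bad Login Counter described in the Front-Line Staff Pointers section.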

Page 72

Front-Line Staff Pointers

Page 73

Front-Line Staff Pointers for Security Questions

Security Q&A requests may generate a large number of calls to your FI.

Some things for you to keep in mind:

1) It’s common to suggest to users having Business Banking issues that they clear their cache and cookies. BUT – you need to understand that for a user who is enrolled in MFA, doing so will unenroll that computer unless they have the Multimedia Flash Player installed. You should warn them that they will be presented with the Temporary Access screen to answer Security Questions and/or add the extra security protection once they have cleared their cookies in an attempt to solve the other issue.

2) You can no longer ask an enrolled user for their username and password in order for you to recreate the issue because now you will get challenged. Under no circumstances should you ask the user for their security question answers so that you can access their site. Solution: If you want to recreate the issue, you can disable the MFA feature for this commercial client in the FI Admin Platform (if the user agrees), as this will remove the additional security validation to allow you to log in and troubleshoot. You can then re-enable the feature. Note: The business users will not be MFA Challenged as long as the user’s cookie is still valid.

Digital Insight University has created Quick Tip sheets for you. Talk to your manager or MFA project lead to obtain these.

Page 74

Bad Login Counter

More details about the Bad Login Counter (BLC):

A ‘Bad Login’ occurs whenever an invalid credential is presented during the Business Banking login process. When the Bad Login count threshold of 5 is reached, the user is locked out of the system. A Company Administrator or FI Admin administrator must unlock or reset the user’s account before they can access the system again.

If one of the following invalid login events occurs, the bad login count will increment by one for each instance:

Incorrect company password

Incorrect user password

Computer is not recognized - No cookie or invalid cookie installed

Invalid answer - for Security Questions

Security Code expired <If your FI is using “Security Questions with Reset”>

Security Code incorrect <If your FI is using “Security Questions with Reset”>

Security Questions changed – ‘change questions’ button selected <If your FI is using “Security Questions with Reset”>

Security Questions requested – ‘request different questions’ button selected <If your FI is using “Security Questions with Second Request”>

The business user’s Bad Login count is reset to zero when they successfully log into the Business Banking application.

Page 75

Question Presentment Counter

More details about the Question Presentment Counter (QPC):

A ‘Question Presentment’ occurs whenever a set of questions is presented to the user on the Security Questions Validation screen.

For each presentment, the counter will increment by one.

When the threshold of 2 is reached and the user cannot submit valid answers, the user is locked out of the system. A Company Administrator or FI Admin administrator must unlock or reset the user’s account before they can access the system again.

<If your FI is using “Security Questions with Second Request”> With the ‘request different questions’ button, users will be locked out of the system if the second set of questions is not answered or if the ‘request different questions’ button is clicked again.

The business user’s Question Presentment count is reset to zero when they successfully log into the Business Banking application.

Page 76

SO – here are some scenarios where a user could get locked out:

Security Questions with Second Request:

User cannot answer first set of questions (QPC=1), clicks on “Request Different Questions” (QPC=2) and cannot answer them.

User logs in from an unenrolled computer (BLC=1), gets questions screen and tries to answer the questions but cannot (BLC=2), clicks on “Request Different Questions” (BLC=3), tries to answer those questions two times (BLC=4 & 5).

Security Questions with Reset:

User logs in from an unenrolled computer (BLC=1), gets questions screen and tries to answer the questions but cannot (BLC=2), clicks on “Reset Questions” (BLC=3), cannot get to their email so the Security Code expires (BLC=4). Gets email situation resolved, logs in again from the unenrolled computer (BLC=5).

User logs in from an unenrolled computer (BLC=1), gets questions screen and tries to answer the questions but cannot (BLC=2), clicks on “Reset Questions” (BLC=3), cannot get to their email so the Security Code expires (BLC=4). Gets email situation resolved while still on this screen so requests a new Security Code, but types it in wrong (BLC=5).

Counter Examples
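
The counter rules and lockout scenarios above, replayed as an added example (not Digital Insight code). Event names are hypothetical, the BLC threshold of 5 is an assumption inferred from the scenarios, and the two counters are replayed independently because the slides do not state how they interact.

```python
# Added model of the two lockout counters; event names are hypothetical.
QPC_THRESHOLD = 2  # stated on the slide
BLC_THRESHOLD = 5  # assumption: every BLC scenario on the slide ends at 5

# Events the slide's scenarios show incrementing the Bad Login Counter.
BLC_EVENTS = {"login_unenrolled", "answer_failed", "request_different_questions",
              "reset_questions", "security_code_expired", "security_code_incorrect"}
# Events that present a set of questions on the validation screen.
PRESENTMENT_EVENTS = {"questions_presented", "request_different_questions"}


def replay_blc(events):
    """Return (BLC, index of the event that reached the threshold or None)."""
    count = 0
    for i, event in enumerate(events):
        if event == "login_success":
            count = 0  # a successful login resets the counter to zero
        elif event in BLC_EVENTS:
            count += 1
            if count >= BLC_THRESHOLD:
                return count, i
    return count, None


def replay_qpc(events):
    """Return (QPC, index of the event that locked the user out or None)."""
    count = 0
    for i, event in enumerate(events):
        if event == "login_success":
            count = 0
        elif event == "answer_failed" and count >= QPC_THRESHOLD:
            return count, i  # second set of questions not answered
        elif event == "request_different_questions" and count >= QPC_THRESHOLD:
            return count, i  # button clicked again after the second set
        elif event in PRESENTMENT_EVENTS:
            count += 1
    return count, None


# The slide's scenarios as constructed event streams.
QPC_SECOND_REQUEST = ["questions_presented", "answer_failed",
                      "request_different_questions", "answer_failed"]
BLC_SECOND_REQUEST = ["login_unenrolled", "answer_failed",
                      "request_different_questions", "answer_failed", "answer_failed"]
BLC_RESET_EXPIRED = ["login_unenrolled", "answer_failed", "reset_questions",
                     "security_code_expired", "login_unenrolled"]
BLC_RESET_MISTYPED = ["login_unenrolled", "answer_failed", "reset_questions",
                      "security_code_expired", "security_code_incorrect"]
```

Each function returns the counter value and the position of the event at which the lockout condition was met, so a reviewer can see which user action tipped the account over.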


Company Administrator MFA Features


Three features related to MFA are available to the Company Administrator on the User Maintenance Screen: (Note: The options are not visible until the MFA Effective Date has been reached.)

Company Administrator Features


Reset Login Credentials: This feature allows the Company Administrator to reset and invalidate the selected user’s password, security questions, and computer/cookies (including the Multimedia Flash Player cookie image). The Company Administrator must enter and confirm a new password prior to clicking the reset login credentials button.

If the Company Administrator resets the user’s login credentials, the user will be required to change their password and create new security questions, and will be presented with the option to add extra security protection to their computer.

Unenroll Computers: This feature allows the Company Administrator to delete/invalidate a sub user’s cookies/computer (including the Multimedia Flash Player cookie image).

Reset Security Questions: Selecting this button will reset a selected user’s existing security questions. The user will be presented with the Create Security Question screen on their next login.

Company Administrator Features

Notes:

1. The change password feature functions independently of the Reset Login Credentials and Unenroll Computers features. **In other words, using Administration > Login Credentials > Change User Password will not reset a user’s cookies or security questions.**

2. These same buttons are available on the FI Admin Platform for each customer. In that case, these options reset/unenroll for the Company Administrator.


Administration > User Maintenance > Reset Login Credentials

This feature allows the Company Administrator to reset a sub user’s password and invalidate the cookies/computers (including the Multimedia Flash Player cookie image) that the sub user had previously enrolled.

Why? If a computer is lost or stolen, a user does not remember their password, a user is on vacation and the CA doesn’t want them accessing BB, or a user has left the company.

Results: The Sub User has no enrolled computers (if successful; if failed, some or all computers are still enrolled). The Sub User will be required to change their password and enroll their computer(s) upon their next login attempt.

The Sub User password has been reset and the user will be prompted to change their password.

Reset Login Credentials

Warning Message:

You are about to reset the user password and unenroll all of their computers/cookies. The user will be required to change their password and enroll their computer(s) at the next login attempt. Are you sure you want to reset the user’s password and computer(s)?

Confirmation Message:

The User password have been reset. All enrolled browsers for all computers have been successfully unenrolled from the Enhanced Login Security feature for the user selected.


Administration > User Maintenance > Unenroll Computers

This feature allows the Company Administrator to delete/invalidate a sub user’s cookies/computer (including the Multimedia Flash Player cookie image).

Why? Similar reasons to the previous slide. Note that this does not reset the password.

Results: The Sub User has no enrolled computers (if successful; if failed, some or all computers are still enrolled). The Sub User will be required to enroll their computer(s) upon their next login attempt.

Unenroll Computers

Warning Message:

You are about to reset the user’s computers/cookies. The user will be required to enroll their computers at the next login attempt. Are you sure you want to reset the selected user’s computers?

Confirmation Message:

The user’s computer(s) have been reset. All enrolled browsers on all computers have been successfully unenrolled from the Enhanced Login Security feature for the user selected.


MFA Reporting & Other FIAP Enhancements

This is the end of the Customer Platform section.

If you will not be using the FI Admin Platform, you may EXIT the webcast now.

Thank you for attending!


The following Transaction Types (Customer Platform = Administration Activity Reporting, FI Admin Platform = Billing & Reporting Customer Activity Reporting) are affected by MFA.

Non-MFA-Specific Transaction Types that contain MFA information:

1. Bad login (see earlier slide)
2. Usermaint modified

MFA Transaction Types:

1. Unenroll computer
2. All computers unenrolled
3. New security code sent
4. One time security code entered
5. Computer enrolled
6. Login authenticated
7. User challenged
8. User computers unenrolled
9. Login credentials reset
10. Email address confirmed
11. Changed email address
12. Questions created
13. Questions requested
14. Questions changed
15. Questions answered

MFA Reporting

See the Business Banking user guides for details about each type.


There are four other features in the FI Admin Platform specific to MFA:

1. For the Security Code emails that get sent – the “Reply To” address is configurable by the FI via Communications > Email Workflow Routing feature. (The “From” email address is [email protected] .)

2. The verbiage of the Confidential statement is configurable via Communications > Messages > MFA Confidential for the following email notifications:

• The Auto Generated Email Notification with the Security Code

• The Company Administrator Email Notification

3. Change Email Address screen: The FI can define a default message for this page via Communications > Messages > Change Email Address.

4. Refer back to slides 70-71 for the Reset and Unenroll options.

Other FIAP Features for MFA


Wrap Up


Overall Objective: This webcast trained you on how your business users will use multifactor authentication (MFA) to increase their login security, and how to track MFA activity in the FI Admin Platform.

Specifically we covered:

• What multifactor authentication is

• How business users enroll and unenroll in MFA

• How enrolled users log in

• MFA features for Company Administrators

• How FI administrators use FI Admin Platform to create reports on MFA

Session Objectives


Webcast Survey

Your feedback is valuable to us! Please take a minute to complete the webcast survey at www.customersat3.com/csc/di/wod.asp

(You must access this page by clicking on the hyperlink on the next slide.)

Your trainer’s name: __________________________

We value your comments – please let us know:

if this webcast provided valuable information to you

how the trainer presented the material

NOTE: The survey will not automatically open when I go to the next screen! You must click on the hyperlink there.


Webcast Survey

On the survey, select “Security Webcast” and enter “MFA for BB – Questions” (or something close to that!) for the Topic.


http://www.customersat3.com/csc/di/wod.asp