Multifactor Authentication for Business Banking Customer Platform: Certification Webcast for Security Code
Laura Sund Martin, Digital Insight University
Business Banking v. 4.16
Some Recorded Webcast Pointers
• Note that you’ve got controls along the bottom of the webcast window. You can pause the webcast if you need to take a short break, rewind to review, forward, or stop.
• This webcast is best viewed with Media Player 10 or higher and the Replay Wrapper installed. If you don’t see a list of the slides on the left side of your screen, you don’t have the Replay Wrapper installed. See next slide for how to install both MP10 and the Replay Wrapper.
• If you need to stop the webcast and finish it at a later time, note that the slide names/numbers appear in a window to the left. When you access the webcast later, simply scroll to the name of the next slide from where you left off. It will take a moment to jump to that spot, and then you are on your way!
Some Recorded Webcast Pointers • If you don’t have the dropdown menu showing the slide deck, stop the recording, return to this screen, and install the Replay Wrapper. You must have Media Player 10 or higher to install the Wrapper.
Some Volume Pointers
• Did you know there are 3-4 ways to change the volume on your computer for a webcast? If you are having problems hearing my voice, please hit your PAUSE button and check the following:
• The Windows Media Player software
  • You have a volume control (typically a slide bar) at the bottom of your Player window.
• Your computer software
  • If you’re using Windows, in the lower right corner you should have a sound control icon. Double click on this, and check the following: 1) everything should be set at maximum and 2) none of the “mute” options are checked.
• Your computer’s sound card
  • On your computer (especially if it’s a laptop), the sound card may have a volume control. Feel or look around your computer to see if there is a volume control.
• External speaker control
  • This is the most obvious one and you’ve probably already thought of it!
• If you have adjusted all those settings, and experience normal audio volumes listening to other sources of PC audio (go to another site, like www.cnn.com, to test it out), then please contact Microsoft Customer Support at 866-493-2825 and they can work further with you.
Session Objectives – Security Code Webcast
Overall Objective: This webcast will train you on how your business users will use multifactor authentication (MFA) to increase their login security, and how to track MFA activity in the FI Admin Platform. Specifically we will cover:
• What multifactor authentication is
• How business users enroll and unenroll in MFA
• How enrolled users log in
• New features for Company Administrators
• How FI administrators use FI Admin Platform to create reports on MFA
Please note that this webcast is for financial institutions offering the Security Code option for MFA!
Completing this Training
We have designed this MFA Security Code training for multiple employees at your financial institution:
• If you are a cash management specialist or service rep who needs to talk to your commercial clients about MFA but will NOT be using the FI Admin Platform, you’ll complete through slide 53. The trainer will remind you at that point that you can exit the webcast.
• If you are an FI admin who will be using the FI Admin Platform, you’ll complete the entire webcast.
• If you are the Project Lead, be sure you view the Enablement Webcast before you view this one!
Product Overview If you have already viewed the Enablement Webcast, skip to slide 15 “Using MFA on the Commercial Customer Platform”.
Why MFA?
• In the fall of 2005, the Federal Financial Institutions Examination Council (FFIEC), the regulators overseeing banks and credit unions, communicated that passwords alone will no longer be acceptable as the sole means of achieving online security. Multifactor authentication (MFA) was the recommended solution.
• MFA requires online users to provide something additional beyond username and password to log in. This enhanced security means that even if a user has their password stolen in a phishing attack or by malicious software, the fraudster cannot access online accounts because they do not possess the additional factors needed, which are harder to steal. By offering MFA, your FI can give your consumers and businesses peace of mind when using your online products and services.
So why are we doing this? To protect your end users’ sensitive information!
Basic MFA Steps
After your FI has enabled MFA:
• Business Banking user logs into Business Banking.
• User must retrieve Security Code from their email account, and enter it.
• User can choose to enroll the computer they are currently using in MFA.
  • If they do – a cookie is installed on their computer, and the next time they log in, they will see nothing different.
  • If they do not – the next time they log in, they will be presented with the Security Code screen and sent a new security code.
Terms & Definitions
• Single Armored authentication – The process of authenticating user credentials where the only credentials authenticated are the User ID and password.
• MFA – Multifactor Authentication. The process adds an additional credential to be authenticated.
• Enhanced Login Security – This is the default feature label for the MFA product. Your FI is allowed to choose a different name if desired.
• Enroll a Computer – The process whereby a user chooses to define a particular computer as their additional factor for purposes of authentication. A cookie is installed on the computer.
• Un-enroll a Computer – Where a user removes the computer as the additional factor.
• Enrolled User – Any user who has opted in to the MFA feature. First time enrollment is accomplished when the user has successfully enrolled their first computer.
• Credentials – Data elements that are needed in order to log in. This may include User ID, password, and browser cookie as well as Company ID and Company password.
• Factors – Data elements that are required to log in above and beyond User ID. These factors may include password, browser cookie and email Security Code.
• Temporary Access – Login where the user is enrolled in MFA and is attempting to log in from a computer that has not been recognized.
• Cookie – a small piece of code installed on your computer (specifically in your browser).
• Invalid Cookie – a cookie that does not match the user credentials, or a cookie that has expired or been marked invalid by the MFA system.
Terms & Definitions
• Security Code – A one-time passcode generated by the system in order to allow an MFA user to initiate a Business Banking session via Temporary Access.
• Invalid Security Code – A security code that has: exceeded the timeout value, been previously used successfully, or been invalidated by the generation of a new security code.
• FI – Financial institution
• FI admin – an FI employee who is responsible for managing, overseeing, reporting on, etc. a particular product. There may be 1 or more FI admins per product at an FI.
• Front-line staff – FI employees who communicate with commercial clients, e.g. cash management specialists or customer service reps.
Fraud Prevention: Strong Authentication
Something you Know: • Passwords • PINs • Secrets, etc.
Something you Have: • Computers • Phone / PDA • E-mail passcode
Something you Are: • Fingerprints • Iris scans • Voice prints, etc.
Why a browser cookie-based approach?
• Strong security with minimal effort by end user
  • Always requires a second factor of authentication (something you have)
  • Cookie credential or security code
• Signup straightforward and fast
• Non-intrusive
  • No change from today’s login experience when using primary computers
  • No change in browser settings required
• Preserves “access anywhere” ability of business banking
  • Temporary access method
Business Banking MFA: Using the computer as the 2nd factor
• On a computer of the user’s choice, a unique, secure device ID will be placed in the browser of the user’s PC
  • Links the computer to the user for login
• During subsequent logins, Digital Insight will check for both correct password & matching device ID
  • If user logs in from an enrolled PC, then no change from current login experience
  • If device ID is not present or mismatched, login is only allowed if the temporary security code sent via email to the user is entered
• No limit on number of computers a user can enroll
[Diagram: Business Banking site ID; User#1 with a laptop PC ID; User#2 with a workroom PC ID]
MFA Setup for Commercial Clients
Your financial institution has some options in enabling MFA. These are the setup possibilities for your commercial clients that you’ll need to be aware of in supporting them:
• Your FI may require MFA for all commercial clients, or for select ones only.
• Your FI has selected an MFA effective date (globally or per client).
• Before the MFA Effective Date is reached, your commercial client users must confirm their email address (in one of two ways – see later slides).
• Once the MFA Effective Date is reached, commercial client users have from 0-15 times to respond “later” (called the “MFA Bypass Count”) before they are required to provide a Security Code and/or add extra security protection to their user validation.
• Your FI can choose to allow users to update their own email addresses.
Your financial institution may have chosen to enable MFA for all your commercial clients with the same effective date, or your FI may have chosen different settings for different commercial clients. Talk to your Super User or project lead to find out which way your FI has chosen to do this.
Training Scenarios
We’ll go through 3 training scenarios. All scenarios assume your FI has required MFA for this commercial client:
• Scenario 1: In the FI Admin Platform your Super User has set the Effective Date = 2 weeks from today, MFA Bypass Count = 1. Bryce the Business User logs in.
• Scenario 2: Bailey the Business User is going on a “working vacation” for two weeks. She will be taking along her home laptop, from which she cannot access her business email account. MFA is enabled for her business, and she has already enrolled her regular work computer.
• Scenario 3: Blaine the Business User was out on her honeymoon during the 1-week period your FI allowed before making MFA mandatory for her company. Her company email address changed, but her company administrator did not update it in Business Banking.
Scenario 1 - Introduction
Scenario 1: In the FI Admin Platform, your Super User has set the Effective Date = 2 weeks from today, MFA Bypass Count = 1.
• Bryce the Business User logs in for the first time after you have enabled the MFA for this customer with the effective date 2 weeks away. He is presented with the confirm email address screen.
• Bryce confirms his email address is correct or updates it if not.
• Bryce continues to log in all week and the next.
• Two weeks from today, Bryce logs in again. Now MFA is effective for his business, and Bryce is presented with the MFA enrollment screen. He chooses to defer enrolling in MFA.
• Bryce logs in again the next day, from his main work computer. Now he must provide the Security Code sent to him via email and add the extra security protection (if he desires).
• WHY? Digital Insight recommends that you make the effective date NOT the first date that MFA is rolled out to your FI. This gives your business users time to confirm or update their email address.
Scenario 1 – Actions 1 & 2
1. Bryce the Business User logs in for the first time the day after MFA has been enabled for his business. He is presented with the confirm email address screen.
2. If the address is correct, Bryce clicks on Yes. He will not be presented again with this screen upon future logins.
Scenario 1 – Action 2
If the address is incorrect, Bryce clicks on No, and the screen refreshes to allow him to change his address (if your FI has checked the box to allow users to change their own email address). He will not be presented again with this screen upon future logins after he updates his address.
Notes:
• An email notification is sent to the Company Administrator when a user changes their email address.
• If the user clicks on Cancel, they are taken to their Business Banking session. They will be presented with the Change Email Address screen again when they log in the next time.
Scenario 1 – Action 2
Note: The user will not be presented with this Change Email Address screen again when logging in. However, they can change their address at any time by going to Administration > Login Credentials > Change Email Address once they have successfully logged into Business Banking. (If your FI has checked the box to allow users to change their own email address.) If the address is incorrect, the user enters it in both boxes, then clicks on Update and gets a confirmation screen.
Scenario 1 – Action 2 OR – if you have not checked the box allowing users to update their own email address, Bryce will see a similar screen with different instructions: Note: If it is the Company Administrator seeing this screen, they will be told to contact their FI administrator. If his address is correct, Bryce clicks on Yes. If it’s incorrect, he clicks on No and then must contact his company administrator to update the address. Bryce will continue to be presented with this screen until he clicks on Yes.
Scenario 1 – Action 3
3. Bryce continues to log in all week and the next. Because the MFA Effective Date hasn’t occurred yet, and because Bryce has already updated and/or confirmed his email address, he will not notice anything different for the rest of the time period.
Scenario 1 – Action 4 4a. Two weeks later, Bryce logs in again. Now MFA is effective for his business, and Bryce is presented with the MFA enrollment screen. He chooses to defer enrolling in MFA by clicking on Enroll Me Later. Remember that your FI has set the Bypass Count to 1, so he can defer one time.
Scenario 1 – Action 4 4b. After clicking on Enroll Me Later, Bryce sees a screen reminding him about MFA and letting him know he must update his email address if incorrect. Remember that your FI has set the Bypass Count to 1, which he has now used up, so this screen tells him he has zero logins remaining.
Scenario 1 – Action 5 5. Bryce logs in again later in the day, from his main work computer. Now he must provide the Security Code sent to him via email and add the extra security protection (if he wants), because he has used up his one allowed Bypass Count login.
Scenario 1: Enrolling a Computer
1. Following the on-screen instructions, Bryce checks his email account for the security code. Note the link to open a new browser window if he accesses email via a Web mail platform.
2. Bryce enters the security code. This is a code of random letters and numbers that is best copied and pasted into this field.
3. Since Bryce is on the computer he regularly uses to access Business Banking, he checks “Add extra security protection to this computer”, then clicks on Continue.
Notes: The user should only enroll a computer if it is a non-public computer that the user will use regularly to access the Commercial Customer Platform. The system sends a notification e-mail (identifying the user but not including the security code) to the Company Administrator.
Scenario 1: Enrolling a Computer
4. The computer and browser being used are enrolled in MFA by installing a cookie on the user’s hard drive. If he has Macromedia Flash Player installed, an image is also made of that cookie. A confirmation screen appears.
5. Bryce is taken to Business Banking and continues his session.
Notes: Once a user enrolls their first computer, the user is now enrolled in the MFA feature. Once a computer/browser is enrolled, the user will see nothing different at future logins to Business Banking from that computer using that browser. If Bryce the Business User tries to access his Business Banking account from any other computer/browser, he will be presented with the same Enhanced Login Security screen requesting a Security Code.
Security Code Information
A Business Banking user will be presented with the screen requesting they enter the Security Code in the following situations:
• When they attempt to log into Business Banking from an unenrolled computer/browser
• If they have cleared their cookies on a previously-enrolled computer. BUT - If a user has Macromedia Flash Player (MMP) installed (most computers do), then an image will be made of that cookie. The result is that if cookies are deleted on that computer, the computer will NOT be unenrolled from MFA.
• If the Company Administrator has reset them (see later in the training)
• If the Company Administrator has unenrolled all computers for that user (see later in the training)
New information since the webcast was recorded! Note other references to MMP in this webcast.
Security Code Steps - Summary
1. You attempt to log into Business Banking from an unenrolled computer/browser.
2. System checks to see if you have a valid Security Code in the system. (See Security Code Timeout rules on page 35 to learn why a user might already have a valid Security Code in the system – typically they do not.)
3. If no, the system sends you a security code, and displays the screen telling you to check your email account.**
4. After obtaining the security code, return to this screen, enter the security code, and click Continue.
5. You are taken to your Business Banking session.
**By setting the MFA Effective Date later than the date your FI enables MFA, you are giving users time to ensure their email address is accurate.
Security Code – Other Scenarios If the user entered an expired Security Code: The screen refreshes to display the message in red. The user should request that a new code be issued.
Security Code – Other Scenarios
If the user has a valid security code but could not retrieve it before it expired: On this Security Code screen, they click on Request a New Security Code. The system invalidates the previous code (if it hadn’t actually expired) and sends a new one. The screen refreshes to display the message in red, then the user continues as described previously.
Security Code – Other Scenarios If the user enters the wrong Security Code: An error message displays. This is counted as a bad login attempt for the user (in other words, they can get locked out due to excessive tries). The Activity Report “bad login” log will clarify what caused the bad login (either if the user entered incorrect credentials or if it was an incorrect security code). Assuming the user is not locked out, they can try again. Note that the previous entry remains displayed so the user can see if they entered it incorrectly.
Security Code: Sample Security Code Email [screenshot of the sample email; image not reproduced here]
Security Code
Passcode Requirements:
• The passcode consists of a series of numbers (default is 6).
• The passcode is not case sensitive and may display on the screen in either case.
Passcode Timeouts:
• The passcode has a 30 minute timeout value from the time that it is generated. If the passcode has not been used within this time period, then the passcode automatically becomes invalid.
• Only one passcode is valid at any given time.
• If a user requests a new passcode, then all previously issued passcodes become invalid.
• Once a user successfully enters a passcode and is able to log in, that passcode becomes invalid.
• If a user requests a passcode and does not use it (perhaps because they are unable to access their email account), then that passcode will remain good for the duration of the timeout period. If the user attempts to log in again, requires the use of a passcode, and their previous passcode is still valid, the system will not automatically send them another when they reach the Passcode screen. Only if the end user requests a new passcode or the passcode times out will a new passcode be automatically sent.
Other Information:
• A business user can set up 5 email addresses for the security access code to be sent to. The user will select upon challenge which email address they wish to use to receive the passcode.
The first and last bullets are new information since the webcast was recorded.
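As an added illustration (not code from Digital Insight or from this webcast), the following Python sketch models the passcode rules listed above: a 30 minute timeout, one valid code at a time, no automatic resend while a code is still valid, invalidation when a new code is requested, and one-time use. The class name SecurityCodeService, the in-memory store and the use of Unix timestamps for "now" are assumptions made for the example.

```python
import secrets
import time

CODE_TIMEOUT_SECONDS = 30 * 60  # timeout value stated on the slide
CODE_LENGTH = 6                 # default passcode length stated on the slide


def random_numeric_code(length=CODE_LENGTH):
    """Default generator: a series of digits, as the slide describes."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


class SecurityCodeService:
    """Hypothetical in-memory model of the passcode lifecycle (example only)."""

    def __init__(self, generator=random_numeric_code):
        # The generator is injectable so the lifecycle can be tested deterministically.
        self._generator = generator
        self._active = {}  # user -> (code, issued_at); at most one valid code per user

    def _is_live(self, user, now):
        entry = self._active.get(user)
        return entry is not None and now - entry[1] < CODE_TIMEOUT_SECONDS

    def on_passcode_screen(self, user, now=None):
        """The user reaches the Security Code screen. A new code is sent only when no
        valid one is outstanding. Returns (code, sent); sent is True when a fresh code
        was generated and would be e-mailed to the user."""
        now = time.time() if now is None else now
        if self._is_live(user, now):
            return self._active[user][0], False
        return self.request_new(user, now), True

    def request_new(self, user, now=None):
        """'Request a New Security Code': the previous code is invalidated even if it
        had not expired, and a fresh one is issued."""
        now = time.time() if now is None else now
        code = self._generator()
        self._active[user] = (code, now)
        return code

    def verify(self, user, entered, now=None):
        """Returns 'OK', 'EXPIRED' or 'INCORRECT'. A code that verifies is consumed."""
        now = time.time() if now is None else now
        entry = self._active.get(user)
        if entry is None:
            return "INCORRECT"  # nothing outstanding, so nothing can match
        code, issued_at = entry
        if now - issued_at >= CODE_TIMEOUT_SECONDS:
            return "EXPIRED"    # user must request a new code
        # Not case sensitive per the slide; constant-time compare on bytes
        if not secrets.compare_digest(entered.strip().upper().encode(), code.upper().encode()):
            return "INCORRECT"  # counted as a bad login elsewhere in the system
        del self._active[user]  # one-time use: a used code becomes invalid
        return "OK"
```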
Scenario 2 - Introduction
Scenario 2: Bailey the Business User is going on a “working vacation” for two weeks. She will be taking along her home laptop, from which she cannot access her business email account. MFA is enabled for her business, and she has already enrolled her regular work computer.
• Bailey changes her email address in Business Banking to one she can access via a web mail account. OR, if your FI will not allow users to change their own address, her Company Administrator does it for her.
• Bailey logs in for the first time from her laptop and is presented with the Security Code screen. She retrieves the code and enrolls this computer at the same time.
• Bailey continues to log in for the next two weeks.
• When she returns home, she is not planning to use that laptop again for work, so she unenrolls that computer.
Scenario 2 – Action 1
1. Bailey changes her email address in Business Banking to one she can access via a web mail account. OR, if your FI will not allow users to change their own address, her Company Administrator does it for her.
If Bailey is allowed to do it herself, she goes to Administration > Login Credentials > Change Email Address. If Bailey is not allowed to do it herself, her company administrator goes to Administration > User Maintenance and changes it for her.
Scenario 2 – Action 2 2. Bailey logs in for the first time from her laptop and is presented with the Security Code screen. She retrieves the code. Before she clicks on Continue, she checks the “add extra security protection to this computer” box, since she will be using this computer for the next two weeks and it’s not a public computer. This works the same way as when she enrolled her work computer (see Scenario 1).
Scenario 2 – Action 3 3. Bailey continues to log in for the next two weeks. Because she has enrolled this computer, she is taken straight to her Business Banking session after she enters the required login information.
Scenario 2 – Action 4
4. Back home, Bailey is not planning to use that laptop again for work, so she unenrolls that computer by going to Administration > Login Credentials > Unenroll Computers. The system removes the cookie from her browser.
Notes: Bailey is still enrolled in MFA! So if she logs in again from this or any unenrolled computer, she will not be allowed into her Business Banking session until she provides the security code. A user should only select this option if they are not going to be using this computer for Business Banking again. This ‘Unenroll Computers’ feature will only display if the financial institution has enabled MFA for the company and the ‘MFA Effective Date’ defined has expired.
Unenroll from the System Users select the second option to unenroll all computers from MFA. The system removes/invalidates the cookie from the user’s browser on this computer, and invalidates the cookies on any other registered computers. Note: As long as MFA is enabled for this client, a user who unenrolls all computers will be challenged each time they log into Business Banking.
Scenario 3
Scenario 3: Blaine the Business User was out on her honeymoon during the 1-week period your FI allowed before making MFA mandatory for her company. Her company email address changed, but her company administrator did not update it in Business Banking.
• Blaine returns to work and attempts to log into Business Banking.
• MFA is now mandatory, so Blaine is not presented with the “Confirm Email” screen. Instead, she is presented with the Security Code screen. However, when she checks her (new) email, the security code is not in her inbox.
• Blaine is stuck – she cannot get into her Business Banking account because her email address as stored in Business Banking is incorrect. She must contact her company administrator and have him change her email address. Blaine can then return to the Security Code screen, click on Request a New Passcode, and try again.
• WHY? It’s critical that you educate your Company Administrators about the importance of email addresses. They must make sure that everyone’s address is correct.
Front-Line Staff Pointers for Security Codes
• Security code requests may generate a large number of calls to your FI.
• Some things for you to keep in mind:
  • It’s common to suggest to users having Business Banking issues that they clear their cache and cookies. BUT – you need to understand that for a user who is enrolled in MFA, doing so will unenroll that computer unless they have the Macromedia Flash Player installed. You should warn them that they will be presented with the Temporary Access screen to enter a Security Code and/or add the extra security protection once they have cleared their cookies in an attempt to solve the other issue.
  • You can no longer ask an enrolled user for their username and password in order for you to recreate the issue, because now you will get challenged. Under no circumstances should you ask the user for their security code so that you can access their site.
  • Solution: If you want to recreate the issue, you can disable the MFA feature for this commercial client in the FI Admin Platform (if the user agrees), as this will remove the additional security validation and allow you to log in and troubleshoot. You can then re-enable the feature. Note: The business users will not be MFA challenged as long as the user’s cookie is still valid.
Digital Insight University has created Quick Tip sheets for you. Talk to your manager or MFA project lead to obtain these.
Bad Login Counter
More details about the Bad Login Counter:
• A ‘Bad Login’ occurs whenever an invalid credential is presented during the Business Banking login process. When the Bad Login count threshold of 5 is reached, the user is locked out of the system. A company administrator or FI admin must unlock or reset the user’s account before they can access the system again.
• If one of the following invalid login events occurs, the bad login count will increment by one for each instance:
  • Incorrect company password
  • Incorrect user password
  • Security Code expired
  • Security Code incorrect
  • Computer is not recognized - No cookie or invalid cookie installed
The business user’s Bad Login count is reset to zero when they successfully log into the Business Banking application.
Company Administrator Features Two features related to MFA are available to the company administrator on the User Maintenance screen: (Note: The options are not visible until the Effective Date has been reached.)
Company Administrator Features
• Reset Login Credentials: This feature gives the Company Administrator the ability to reset and invalidate the selected user’s password and computer/cookies (including the Macromedia Flash Player cookie image). The Company Administrator must enter a ‘Password’ and ‘Confirm’ prior to clicking the Reset Login Credentials button.
  • If the company administrator resets the user’s login credentials, the user will be required to change their password, and will be presented with the option to add extra security protection to their computer.
• Unenroll Computers: This feature allows the Company Administrator to delete/invalidate a sub user’s cookies/computer (including the Macromedia Flash Player cookie image).
Notes: The change password feature functions independently of the Reset Login Credentials and Unenroll Computers features. **In other words, using Administration > Login Credentials > Change User Password will not reset a user’s cookies.** These features really work by invalidating the cookies in the DI cookie-based authentication system; the system doesn’t literally go out and remove the cookies from remote computers, although it does invalidate the cookie in the current browser. These same features are available in the FI Admin Platform – in that case, the effect is for the Company Administrator.
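As a second added example (again not Digital Insight code, and separate from the passcode sketch earlier), this Python model ties together this slide and the Bad Login Counter slide: enrollment hands the browser an opaque device ID while the binding is kept server-side, so Unenroll Computers and Reset Login Credentials work by dropping that binding rather than touching remote machines, and an unrecognized computer advances the same counter as a wrong password or a bad code until the account locks at 5. The class name MfaRegistry, the event names, and the treatment of the security-code check as a separate step reported back to the registry are assumptions.

```python
import secrets
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # Bad Login count at which the user is locked out (from the slide)

# The five events the Bad Login Counter slide says increment the count (names assumed)
BAD_LOGIN_EVENTS = frozenset({
    "COMPANY_PASSWORD_INCORRECT",
    "USER_PASSWORD_INCORRECT",
    "SECURITY_CODE_EXPIRED",
    "SECURITY_CODE_INCORRECT",
    "COMPUTER_NOT_RECOGNIZED",
})


@dataclass
class Account:
    password: str
    bad_logins: int = 0
    locked: bool = False
    # Server-side set of device IDs this user has enrolled. The browser only holds
    # the ID; whether it is honoured is decided here, never on the remote machine.
    devices: set = field(default_factory=set)


class MfaRegistry:
    """Hypothetical model of the cookie-based second factor (example only)."""

    def __init__(self):
        self.accounts = {}

    def add_user(self, name, password):
        self.accounts[name] = Account(password=password)

    def enroll_computer(self, name):
        """Returns the opaque device ID to be stored in the browser cookie."""
        device_id = secrets.token_urlsafe(24)
        self.accounts[name].devices.add(device_id)
        return device_id

    def unenroll_computer(self, name, device_id):
        """The user's own 'Unenroll Computers' for one machine."""
        self.accounts[name].devices.discard(device_id)

    def unenroll_all(self, name):
        """Administrator's 'Unenroll Computers': no enrolled cookie is honoured any more."""
        self.accounts[name].devices.clear()

    def reset_login_credentials(self, name, temp_password):
        """Administrator's 'Reset Login Credentials': new password, all cookies invalid,
        and the account is unlocked with its counter cleared."""
        acct = self.accounts[name]
        acct.password = temp_password
        acct.devices.clear()
        acct.bad_logins = 0
        acct.locked = False

    def record_bad_login(self, name, event):
        """Increments the Bad Login count for one of the listed events; locks at threshold."""
        if event not in BAD_LOGIN_EVENTS:
            raise ValueError(f"not a bad-login event: {event}")
        acct = self.accounts[name]
        acct.bad_logins += 1
        if acct.bad_logins >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return acct.bad_logins

    def record_success(self, name):
        """A successful login resets the count to zero."""
        self.accounts[name].bad_logins = 0

    def check_credentials(self, name, password, device_cookie):
        """First login step. Returns 'LOCKED', 'BAD_PASSWORD', 'OK' (enrolled computer) or
        'CHALLENGE' (correct password but computer not recognized: the caller then runs the
        security-code step and reports its outcome via record_bad_login/record_success)."""
        acct = self.accounts[name]
        if acct.locked:
            return "LOCKED"
        if not secrets.compare_digest(password.encode(), acct.password.encode()):
            self.record_bad_login(name, "USER_PASSWORD_INCORRECT")
            return "BAD_PASSWORD"
        if device_cookie in acct.devices:
            self.record_success(name)
            return "OK"
        self.record_bad_login(name, "COMPUTER_NOT_RECOGNIZED")
        return "CHALLENGE"
```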