This recipe outlines our high-level goals and priorities for new authentication and validation strategies for our online/mobile banking tools.
Multi-factor Priorities for Online Banking
- MFA for making changes to email addresses and personal information (see more on this below)
- MFA for using P2P (enrollment and transfers)
- MFA for password resets
- MFA for logging in to desktop/mobile banking
Our plan is to make all of these configurable at the credit union level only. Because of their ability to mitigate fraud for the credit union, at this time we don’t plan to allow for a member opt in/out mechanism for these features. In other words, if you turn them on, every member must use them.
Multi-factor Authentication vs. PIB Multi-layer Security
When we use the term “MFA” we are generally referring to the mechanism we introduced for first-time user activation in the 19.10 release, where a one-time activation code is sent via text or email to a number/address already on file. In most cases this is the method we will use to incorporate MFA into other functions.
Remember also that our PIB tool already allows members to activate/deactivate or add a confirmation code for high-risk transactions, such as making transfers and accessing bill pay. We do plan to update the PIB wizard and add more functions down the road, as well.
In general, the idea would be to keep using PIB as the mechanism for individual online banking features, and use the MFA technique of sending a code via text/email for logins and certain high-risk features that credit unions want to be able to mandate for all members.
Thinking About MFA for Logging In
Two very common questions we get from CUs are, “When are we going to get 2-factor for logging in?” and “My members are saying we broke their Robinhood (or Plaid, or Yodlee, or Mint…) account!” As we develop our MFA engine for use at login, here are some things to keep in mind if you’re thinking about requiring members to use this every time they log in:
- Adding MFA will interfere with a member’s relationship with aggregators and other third-party FI apps.
- Instead of fielding member calls about password resets, you’ll be fielding calls about “how come I didn’t get my code?”
- Since the phone number or email address used for MFA verification must already be on file, what’s the state of your member phone number and email address database? Will members even be able to log in when you activate MFA? Make sure to consider your personal info update strategy (how do members initiate changes to their text-capable phone number or email address?) as a component of your login strategy.
- Your credit union’s expense for one-way text messages could increase substantially, given that the majority of your day-to-day logins would require a text message to send the code. (Our plan is to allow CUs to activate MFA via email only, if you wish.)
Status as of March 2023: Specs are in process. One recent change is adding in a “remember my device” component with an expiration period you can specify, as a convenience to members who always use the same device(s) – at least until they clear cookies, get a new device, or your defined expiration period ends.
Projects Already In the Works
Multi-factor Authentication for Email/Personal Info Changes
With the new look for It’s Me 247, the only place members can change their email address is via the personal info update feature. For CUs who use the “reviewed” option to review incoming personal info change requests, this means members who need to change their email address might not be able to finish enrolling in services such as bill pay or eStatements until you review and confirm the change in CU*BASE.
The next project we’ll be slating is to incorporate the MFA functionality into the personal info update process. This will be an optional feature credit unions can activate, and a member who doesn’t already have an email address or text-capable phone number on file would still need to contact the CU directly.
Status as of March 2023: Project #58745, which applies this authentication to the personal information update feature in It’s Me 247, will be implemented in the 23.05 release.
MFA for P2P
Similar to the project for email/personal info changes, this project allows the CU to require a member to use MFA when enrolling for P2P as well as when initiating P2P transfers. If activated, when the “Enroll for Pay Anyone” button or the “Send New Payment” button is used in It’s Me 247, the member will be asked to select a contact method and then prompted to enter a confirmation code sent via text or email. The credit union can choose to activate one or both options.
Status as of March 2023: Project #59276 is in development.
MFA for Password Resets
This project adds optional two-factor authentication for password resets in both CU*BASE (initiated by the credit union) and online banking (initiated by the member). The password reset method will be configurable, and if two-factor authentication is activated, the member will be prompted to enter a confirmation code sent via text or email.
This project will also revamp the ARU/Online Banking Password Reset feature (Tool #72 Update ARU/Online Banking Access or Tool #14 Member Personal Banker). Online banking password resets and ARU PIN resets will now be handled via separate tools and the process will be more intuitive and easier for a credit union to navigate.
Status as of March 2023: Project #60203 is waiting for available programming resources.
MACO for MOP: Digital Identity Proofing
As introduced during the 2021 CEO Strategies briefing, we are currently working on a project to add Daon’s digital identity proofing functionality to our membership opening process (MOP). In a nutshell, Daon’s IdentityX Onboarding feature uses facial recognition to compare a photo ID image to a selfie taken by the new member.
As a bonus, our integration will also record the photo ID image in CU*Spy, as well as secure a 1-year MACO license for that member to use for mobile app authentication.
Status as of February 2023: Project #55913 is currently in credit union beta testing. Contact the IRSC if you’re interested in participating!
Your chefs for this recipe: Dawn Moore and Brian Maurer
Are there any new updates that you can share? We’re finishing up an OCU exam and we’ve a few related findings, including:
1. The online banking authentication process consists of username, password, and challenge questions. This method is considered a layered security approach and should be strengthened to include a multi-factor authentication (MFA) process…
2. The phone banking system which allows members to perform transactions should also have MFA enabled…
3. The platform allows concurrent logins/sessions…
Thanks for the question, Triston! I just updated the recipe to give a few additional status details on the two projects we have in the queue: MFA for personal info updates and for P2P functions. Adding MFA at member login is still in the studying phase as we work through things such as the additional costs to CUs for text messaging as well as the impact on third-party aggregators like Plaid and Mint.
As far as phone banking, this is the first we’ve heard about MFA for this system. Given that the audience for audio banking tends to be older members using landlines, I’m not sure how realistic it is to require an internet-based functionality in order to use it. We appreciate your bringing it to our attention, though. There’s nothing on our radar for that now, although we will be publishing some tips about security options that are already available to CUs for locking down phone banking a bit further. This tends to be a set-it-and-forget-it type service, but it does warrant a credit union’s attention just like any other member access point.
Not sure how to respond to the final one. Would need clarification as to what is meant by that enigmatic statement.
‘The platform allows concurrent logins/sessions…’
Allowing active online banking sessions increases the risks to the credit union, and as mentioned, is an OCU exam finding.
1. Disallowing concurrent logins can reduce the risk of a session hijacking attack. If an attacker is able to steal a session token and you disallow concurrent logins, it would be invalidated when the legit user logged back in.
2. If a user leaves themselves logged in on a shared PC, invalidating that session the next time they login reduces the risk of another user of that PC gaining access to their session. Likewise if someone loses their phone with an active session.
3. The log-in history may or may not accurately or completely identify the two sessions as being separate, so that security ‘feature’ in the member facing OLB may not be quite as helpful to identify unauthorized activity.
Thanks for fielding these.
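The single-session rule described in points 1 and 2 of the comment above, as an added illustration (not CU*Answers code, and not part of the original post): a session store that, when concurrent logins are disallowed, revokes every earlier session for the member on each new login, so a previously stolen token, a session left open on a shared PC, or a session on a lost phone stops working. The store also keeps a per-session device label so the login history can tell the sessions apart (point 3). Class and method names are assumed.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    member_id: str
    token: str
    created_at: float
    device: str      # recorded so the login history shows each session separately

class SessionStore:
    """Constructed example: in-memory online banking sessions."""
    def __init__(self, allow_concurrent=False):
        self.allow_concurrent = allow_concurrent
        self._by_token = {}      # token -> Session
        self._by_member = {}     # member_id -> set of tokens
        self.history = []        # (member_id, device, created_at, event)

    def login(self, member_id, device, now):
        if not self.allow_concurrent:
            # Every earlier session for this member is invalidated now,
            # including one whose token an attacker may have captured.
            for old in list(self._by_member.get(member_id, ())):
                self.revoke(old, now, reason="superseded")
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(member_id, token, now, device)
        self._by_member.setdefault(member_id, set()).add(token)
        self.history.append((member_id, device, now, "login"))
        return token

    def revoke(self, token, now, reason="logout"):
        s = self._by_token.pop(token, None)
        if s is not None:
            self._by_member[s.member_id].discard(token)
            self.history.append((s.member_id, s.device, now, reason))

    def is_valid(self, token):
        return token in self._by_token

    def active_sessions(self, member_id):
        return [self._by_token[t] for t in self._by_member.get(member_id, ())]
```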
Thanks for the input, Triston! Because other CUs might get a similar question, we’ve compiled some suggested responses in this AnswerBook item.
Will these controls be available for ItsMe247 and the BizzLink applications?
Yep, that’s the plan!