Authentication Enhancements for Online/Mobile Banking

This recipe outlines our high-level goals and priorities for new authentication and validation strategies for our online/mobile banking tools.

View the slides from our 2023 Leadership Conference!

See the separate recipe about account aggregation features for online banking!

Multi-factor Priorities for Online Banking

  • MFA for making changes to email addresses and personal information – activate this now via Tool #569!
  • MFA for using P2P (enrollment and transfers) – activate this now via Tool #569!
  • MFA for logging in to desktop/mobile banking
  • MFA for password resets

(See more on all these projects below.)

Our plan is to make all of these configurable at the credit union level only. Because of their ability to mitigate fraud for the credit union, at this time we don’t plan to allow for a member opt-in/opt-out mechanism for these features. In other words, if you turn them on, every member must use them.

Multi-factor Authentication vs. PIB Multi-layer Security

When we use the term “MFA” we are generally referring to the mechanism we introduced for first-time user activation in the 19.10 release, where a one-time activation code is sent via text or email to a number/address already on file. In most cases this is the method we will use to incorporate MFA into other functions.

Remember also that our PIB tool already allows members to activate/deactivate or add a confirmation code for high-risk transactions, such as making transfers and accessing bill pay. We do plan to update the PIB wizard and add more functions down the road, as well.

In general, the idea would be to keep using PIB as the mechanism for individual online banking features, and use the MFA technique of sending a code via text/mail for logins and certain high-risk features that credit unions want to be able to mandate for all members.

Projects Currently In the Works

MFA for Logging In

Two very common questions we get from CUs are, “When are we going to get 2-factor for logging in?” and “My members are saying we broke their Robinhood (or Plaid, or Yodlee, or Mint…) account!” As we develop our MFA engine for use at login, here are some things to keep in mind if you’re thinking about requiring members to use this every time they log in:

  • Adding MFA will interfere with a member’s relationship with aggregators and other 3rd party FI apps.
  • Instead of fielding member calls about password resets, you’ll be fielding calls about “how come I didn’t get my code?”
  • Since the phone number or email address used for MFA verification must already be on file, what’s the state of your member phone number and email address database? Will members even be able to log in when you activate MFA? Make sure to consider your personal info update strategy (how do members initiate changes to their text-capable phone number or email address?) as a component of your login strategy.
  • Your credit union’s expense for one-way text messages could increase substantially, given that the majority of your day-to-day logins would require a text message to send the code. (Our plan is to allow CUs to activate MFA via email only, if you wish.)

NOTE: Remember that unlike BizLink 247, which has a structure for multiple login IDs per business membership, It’s Me 247 does not allow for multiple login IDs for joint owners. Therefore, if you choose to activate MFA for logins, the primary membership will need to have on it all of the phone numbers that might potentially need to receive the verification code, or an email address to which all joint owners have access.

Status as of October 2024: Project #61004 will be implemented in the 24.10 release. This project will include a “remember my device” component with an expiration period you can specify, as a convenience to members who always use the same device(s) – at least until they clear cookies, get a new device, or your defined expiration period ends.
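To make the login flow described above concrete, here is an added example (not code from the recipe or from CU*BASE/It’s Me 247): a one-time code is delivered only to a phone number or email already on file, the MFA switch and the “remember my device” expiry are credit-union-level settings with no per-member opt-out, an email-only delivery option is honoured, and a remembered device skips the challenge until the CU-defined period ends. The class names, the 5-minute code lifetime and the in-memory storage are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CODE_TTL = 300  # seconds a one-time code stays valid (assumed value, not from the page)

@dataclass
class CuMfaPolicy:
    """Credit-union-level setting: applies to every member, no per-member opt-out."""
    enabled: bool = True
    email_only: bool = False        # CU may choose to deliver codes by email only
    remember_device_days: int = 30  # CU-defined expiry for "remember my device"

@dataclass
class Member:
    phone: Optional[str]            # text-capable number already on file (or None)
    email: Optional[str]
    devices: Dict[str, float] = field(default_factory=dict)  # device token -> expiry

class LoginMfa:
    def __init__(self, policy: CuMfaPolicy, send: Callable[[str, str, str], None]):
        self.policy, self.send = policy, send   # send(channel, address, code) delivers it
        self.pending: Dict[str, tuple] = {}     # member_id -> (code, expiry)

    def challenge_needed(self, member: Member, device_token: str, now: float) -> bool:
        if not self.policy.enabled:
            return False
        exp = member.devices.get(device_token)
        return not (exp is not None and now < exp)  # remembered device still valid?

    def start(self, member_id: str, member: Member, now: float) -> str:
        use_email = self.policy.email_only or not member.phone
        channel, address = ("email", member.email) if use_email else ("sms", member.phone)
        if not address:  # nothing on file: the member cannot complete the challenge
            raise ValueError("no contact on file for MFA delivery")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[member_id] = (code, now + CODE_TTL)
        self.send(channel, address, code)
        return channel

    def verify(self, member_id, member, entered, now, device_token=None, remember=False):
        rec = self.pending.pop(member_id, None)  # single use: any attempt consumes it
        if rec is None or now > rec[1] or not hmac.compare_digest(rec[0].encode(), entered.encode()):
            return False
        if remember and device_token:  # cookie-style token valid until the CU expiry
            member.devices[device_token] = now + self.policy.remember_device_days * 86400
        return True
```

A wrong guess discards the pending code, so the member must request a new one; that is the strict choice and a production system would normally allow a small number of attempts.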

As explained in the separate recipe, in December we will be introducing member authentication via MemberPass® for CU*BASE Phone Operator and Teller.  We will also be adding MemberPass as an option to this MFA project for logging in to It’s Me 247 online banking. This project will commence after the project explained above based on additional coding that will need to be completed for MemberPass by their developers.

MFA for Password Resets

This project adds optional two-factor authentication for password resets in both CU*BASE (initiated by the credit union) and online banking (initiated by the member). The password reset method will be configurable and if two-factor authentication is activated, the member will be prompted to enter a confirmation code sent via text or email.

This project will also revamp the ARU/Online Banking Password Reset feature (Tool #72 Update ARU/Online Banking Access or Tool #14 Member Personal Banker).  Online banking password resets and ARU PIN resets will now be handled via separate tools and the process will be more intuitive and easier for a credit union to navigate.

Status as of October 2024: Project #60203 development had begun but is being put on hold in favor of the project for adding MFA for logging in. We will resume development on this project once that is implemented.

Your chefs for this recipe: Dawn Moore and Brian Maurer

Updated
October 3, 2024

8 Responses to “Authentication Enhancements for Online/Mobile Banking”

  1. Triston K

    Hi Team,

    Are there any new updates that you can share? We’re finishing up an OCU exam and we’ve a few related findings, including:

    1. The online banking authentication process consists of username, password, and challenge questions. This method is considered a layered security approach and should be strengthened to include a multi-factor authentication (MFA) process…
    2. The phone banking system which allows members to perform transactions should also have MFA enabled…
    3. The platform allows concurrent logins/sessions…

    Cheers!

    • Dawn Moore

      Thanks for the question, Triston! I just updated the recipe to give a few additional status details on the two projects we have in the queue: MFA for personal info updates and for P2P functions. Adding MFA at member login is still in the studying phase as we work through things such as the additional costs to CUs for text messaging as well as the impact on third-party aggregators like Plaid and Mint.

      As far as phone banking, this is the first we’ve heard about MFA for this system. Given that the audience for audio banking tends to be older members using landlines, I’m not sure how realistic it is to require an internet-based functionality in order to use it. We appreciate your bringing it to our attention, though. There’s nothing on our radar for that now, although we will be publishing some tips about security options that are already available to CUs for locking down phone banking a bit further. This tends to be a set-it-and-forget-it type service, but it does warrant a credit union’s attention just like any other member access point.

      Not sure how to respond to the final one. Would need clarification as to what is meant by that enigmatic statement.

      • Triston Kirt

        Hi Dawn,

        ‘The platform allows concurrent logins/sessions…’
        Allowing active online banking sessions increases the risks to the credit union, and as mentioned, is an OCU exam finding.
        1. Disallowing concurrent logins can reduce the risk of a session hijacking attack. If an attacker is able to steal a session token, if you disallow concurrent logins it would be invalidated when the legit user logged back in.
        2. If a user leaves themselves logged in on a shared PC, invalidating that session the next time they login reduces the risk of another user of that PC gaining access to their session. If someone loses their phone with an active session.
        3. The log-in history may or may not accurately or completely identify the two sessions as being separate, so that security ‘feature’ in the member facing OLB may not be quite as helpful to identify unauthorized activity.

        Thanks for fielding these.
        -Triston

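As an added illustration (not code from this thread or from the vendor’s product), a minimal in-memory session store that applies the single-session rule discussed in the comment above: a new login revokes the member’s earlier sessions, so a token left on a shared PC, on a lost phone, or stolen by an attacker stops working the moment the member logs in again, and each login is recorded as its own event so the login history can show that a second session existed. The store, the idle timeout and the names are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Session:
    member_id: str
    issued_at: float
    last_seen: float

class SessionStore:
    """Assumed in-memory store enforcing one active online-banking session per member."""

    def __init__(self, idle_timeout: float = 900):
        self.sessions: Dict[str, Session] = {}   # opaque token -> Session
        self.idle_timeout = idle_timeout
        self.history: List[Tuple] = []           # (member_id, time, token prefix, revoked)

    def login(self, member_id: str, now: float) -> Tuple[str, int]:
        # Disallow concurrent logins: every earlier session for this member is revoked,
        # so a previously issued token (left behind or stolen) is invalidated here.
        stale = [t for t, s in self.sessions.items() if s.member_id == member_id]
        for t in stale:
            del self.sessions[t]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(member_id, now, now)
        # Record each login as a distinct event, with the number of sessions it displaced,
        # so the member-facing login history can flag that another session was active.
        self.history.append((member_id, now, token[:8], len(stale)))
        return token, len(stale)

    def validate(self, token: str, now: float) -> Optional[str]:
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout:   # idle sessions expire on their own too
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.member_id

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)
```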
  2. Triston Kirt

    Hi Dawn,
    Will these controls be available for ItsMe247 and the BizzLink applications?

    -tsk

  3. Don Prue, PowerNet Credit Union

    In reviewing your information on MFA for Desktop/Mobile Banking logging in, I notice no mention of giving the user or member the option to use or not use MFA in their login process. That would allow members who utilize aggregators the ability to disable MFA and others to use it to increase their security on the internet. Are you considering allowing the user/member to enable or disable MFA?

    • Dawn Moore

      No. This was designed as a global setting that affects all members. That’s not only based on the significant additional complexity required to let individual members opt out, but also based on feedback from many CUs as to what examiners and security consultants are pushing for.

      We’re aware that MFA will mean that screen-scrape aggregators will no longer be able to use a member’s credentials to access their accounts. That’s one of the reasons we set up the integration with Plaid. Using that allows the member to connect to thousands of applications via Plaid regardless of MFA, since it connects via a different secure path. We are in talks with Mastercard/Finicity for something similar, and are willing to work with other aggregators who want to make a similar arrangement.

