In February 2022 CU*Answers technical teams met to brainstorm on high-level goals and priorities for new authentication and validation strategies. Here are some ideas from that meeting.
Multi-factor Priorities for Online Banking
- MFA for making changes to email addresses and personal information (see more on this below)
- MFA for using P2P (either enrollment and/or for initiating a transfer, still TBD)
- MFA for password resets
- MFA for logging in to desktop/mobile banking
Our plan is to make all of these configurable at the credit union level only. Because of their ability to mitigate fraud for the credit union, at this time we don’t plan to allow for a member opt in/out mechanism for these features. In other words, if you turn them on, every member must use them.
Multi-factor Authentication vs. PIB Multi-layer Security
When we use the term “MFA” we are generally referring to the mechanism we introduced for first-time user activation in the 19.10 release, where a one-time activation code is sent via text or email to a number/address already on file. In most cases this is the method we will use to incorporate MFA into other functions.
Remember also that our PIB tool already allows members to activate/deactivate or add a confirmation code for high-risk transactions, such as making transfers and accessing bill pay. We do plan to update the PIB wizard and add more functions down the road, as well.
In general, the idea would be to keep using PIB as the mechanism for individual online banking features, and use the MFA technique of sending a code via text/email for logins and certain high-risk features that credit unions want to be able to mandate for all members.
Thinking About MFA for Logging In
Two very common questions we get from CUs are, “When are we going to get 2-factor for logging in?” and “My members are saying we broke their Robinhood (or Plaid, or Yodlee, or Mint…) account!” As we develop our MFA engine for use at login, here are some things to keep in mind if you’re thinking about requiring members to use this every time they log in:
- Adding MFA will interfere with a member’s relationship with aggregators and other 3rd party FI apps.
- Instead of fielding member calls about password resets, you’ll be fielding calls about “how come I didn’t get my code?”
- Since the phone number or email address used for MFA verification must already be on file, make sure to consider your personal info update strategy (how do members initiate changes to their text-capable phone number or email address?) as a component of your login strategy.
- Your credit union’s expense for one-way text messages could increase substantially, given that the majority of your day-to-day logins would require a text message to send the code.
Projects Already In the Works
Multi-factor Authentication for Email/Personal Info Changes
With the new look for It’s Me 247, the only place members can change their email address is via the personal info update feature. For CUs who use the “reviewed” option to review incoming personal info change requests, this means members who need to change their email address might not be able to finish enrolling in services such as bill pay or eStatements until you review and confirm the change in CU*BASE.
The next project we’ll be slating is to incorporate the MFA functionality into the personal info update process. This will be an optional feature credit unions can activate, and a member who doesn’t already have an email address or text-capable phone number on file would still need to contact the CU directly.
Status as of February 2022: With the 21.12 release we implemented underlying architecture so we can plug in the two-factor feature (text/email confirmation code) where needed. Design specs are now being written to apply this authentication to the personal information update feature in It’s Me 247.
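The point made above is that the one-time code must go to the contact already on file, never to the address the member is asking to switch to, and that a member with nothing on file has to go through the CU. The following is an added illustration of that flow (constructed example, not CU*Answers or It’s Me 247 code; the class names, the 10-minute lifetime and the 5-attempt cap are assumptions):

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed lifetime of a one-time code
MAX_ATTEMPTS = 5         # assumed cap on wrong guesses before the code is voided

class MfaChallenge:
    """One-time code bound to a member, the contact on file, and one action."""
    def __init__(self, member_id, contact_on_file, action, now=None):
        self.member_id = member_id
        self.contact = contact_on_file                 # where the code is delivered
        self.action = action                           # the code is only good for this action
        self.code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        self.expires_at = (now or time.time()) + CODE_TTL_SECONDS
        self.attempts = 0
        self.used = False

    def verify(self, submitted, action, now=None):
        now = now or time.time()
        if self.used or now > self.expires_at or action != self.action:
            return False
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:
            return False
        if not hmac.compare_digest(self.code, submitted):  # constant-time compare
            return False
        self.used = True                                   # single use
        return True

class MemberStore:
    def __init__(self):
        self.contacts = {}   # member_id -> email or text-capable phone on file
        self.sent = []       # (contact, code): stand-in for the SMS/email gateway
        self.pending = {}    # member_id -> (challenge, requested new contact)

    def request_contact_change(self, member_id, new_contact, now=None):
        on_file = self.contacts.get(member_id)
        if on_file is None:
            return None      # nothing to deliver a code to: member must contact the CU
        ch = MfaChallenge(member_id, on_file, "update_contact", now)
        self.sent.append((on_file, ch.code))   # delivered to the OLD contact only
        self.pending[member_id] = (ch, new_contact)
        return ch

    def confirm_contact_change(self, member_id, code, now=None):
        ch, new_contact = self.pending.get(member_id, (None, None))
        if ch is None or not ch.verify(code, "update_contact", now):
            return False
        self.contacts[member_id] = new_contact  # change applied only after verification
        del self.pending[member_id]
        return True
```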
MACO for MOP: Digital Identity Proofing
As introduced during the 2021 CEO Strategies briefing, we are currently working on a project to add Daon’s digital identity proofing functionality to our membership opening process (MOP). In a nutshell, Daon’s IdentityX Onboarding feature uses facial recognition to compare a photo ID image to a selfie taken by the new member.
As a bonus, our integration will also record the photo ID image in CU*Spy, as well as secure a 1-year MACO license for that member to use for mobile app authentication.
Status as of January 2022: Project #55913 is currently in development.