Authentication Enhancements for Online/Mobile Banking

This recipe outlines our high-level goals and priorities for new authentication and validation strategies for our online/mobile banking tools.

Multi-factor Priorities for Online Banking

  • MFA for making changes to email addresses and personal information (see more on this below)
  • MFA for using P2P (enrollment and transfers)
  • MFA for password resets
  • MFA for logging in to desktop/mobile banking

Our plan is to make all of these configurable at the credit union level only. Because of their ability to mitigate fraud for the credit union, at this time we don’t plan to allow for a member opt in/out mechanism for these features.  In other words, if you turn them on, every member must use them.

Multi-factor Authentication vs. PIB Multi-layer Security

When we use the term “MFA” we are generally referring to the mechanism we introduced for first-time user activation in the 19.10 release, where a one-time activation code is sent via text or email to a number/address already on file. In most cases this is the method we will use to incorporate MFA into other functions.

Remember also that our PIB tool already allows members to activate/deactivate or add a confirmation code for high-risk transactions, such as making transfers and accessing bill pay.  We do plan to update the PIB wizard and add more functions down the road, as well.

In general, the idea would be to keep using PIB as the mechanism for individual online banking features, and use the MFA technique of sending a code via text/mail for logins and certain high-risk features that credit unions want to be able to mandate for all members.
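To make the code-via-text/email mechanism concrete, here is an added example of how such a one-time confirmation code can be issued and checked. It is illustrative code written for this page, not CU*Answers code and not taken from It's Me 247 or PIB. It assumes a five-minute code lifetime, a three-attempt limit, and a constructed member directory standing in for the contact information on file; the member picks only the channel, and the destination always comes from the record on file rather than from the request.

```python
# Added example (not CU*Answers code): a one-time confirmation code sent to a
# contact method that is already on file, then verified once before it expires.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: discard the code after three wrong guesses

# Constructed member directory standing in for the "on file" contact data.
MEMBERS_ON_FILE = {
    "member-001": {"text": "+15555550123", "email": "sample@example.com"},
    "member-002": {"email": "other@example.com"},   # no text-capable phone on file
}


@dataclass
class PendingCode:
    digest: str          # sha256 of the code; the plaintext is never stored server side
    contact: str         # where the code was sent (taken from the record on file)
    expires_at: float
    attempts: int = 0


@dataclass
class OtpService:
    sent: list = field(default_factory=list)      # stand-in for the SMS/email gateway
    pending: dict = field(default_factory=dict)   # member_id -> PendingCode
    clock: callable = time.time                   # injectable for testing expiry

    def issue(self, member_id, channel):
        """Send a code to the contact already on file for the chosen channel.

        The member chooses only "text" or "email"; if nothing is on file for
        that channel, no code is sent and the member must contact the CU.
        """
        contact = MEMBERS_ON_FILE.get(member_id, {}).get(channel)
        if contact is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit numeric code
        self.pending[member_id] = PendingCode(
            digest=hashlib.sha256(code.encode()).hexdigest(),
            contact=contact,
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        self.sent.append((contact, code))   # the gateway would deliver this
        return True

    def verify(self, member_id, submitted):
        """Return True once for the correct code; expired or over-tried codes are dropped."""
        entry = self.pending.get(member_id)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[member_id]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(
            entry.digest, hashlib.sha256(submitted.encode()).hexdigest()
        )
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[member_id]   # single use; also gone after too many misses
        return ok
```

Storing only a hash of the code and comparing in constant time means a leaked server-side store does not reveal live codes, and the single-use and attempt limits keep a six-digit code from being guessed within its lifetime.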

Thinking About MFA for Logging In

Two very common questions we get from CUs are, “When are we going to get 2-factor for logging in?” and “My members are saying we broke their Robinhood (or Plaid, or Yodlee, or Mint…) account!” As we develop our MFA engine for use at login, here are some things to keep in mind if you’re thinking about requiring members to use this every time they log in:

  • Adding MFA will interfere with a member’s relationship with aggregators and other 3rd party FI apps.
  • Instead of fielding member calls about password resets, you’ll be fielding calls about “how come I didn’t get my code?”
  • Since the phone number or email address used for MFA verification must already be on file, make sure to consider your personal info update strategy (how do members initiate changes to their text-capable phone number or email address?) as a component of your login strategy.
  • Your credit union’s expense for one-way text messages could increase substantially, given that the majority of your day-to-day logins would require a text message to send the code.

Status as of October 2022: Still in the studying/design phase.

Projects Already In the Works

Multi-factor Authentication for Email/Personal Info Changes

With the new look for It’s Me 247, the only place members can change their email address is via the personal info update feature. For CUs who use the “reviewed” option to review incoming personal info change requests, this means members who need to change their email address might not be able to finish enrolling in services such as bill pay or eStatements until you review and confirm the change in CU*BASE.

The next project we’ll be slating is to incorporate the MFA functionality into the personal info update process. This will be an optional feature credit unions can activate; a member who doesn’t already have an email address or text-capable phone number on file would still need to contact the CU directly.

Status as of October 2022: Project #58745, which applies this authentication to the personal information update feature in It’s Me 247, is currently waiting for availability of QC testing resources, and is targeted for release in the spring of 2023.

MFA for P2P

Similar to the project for email/personal info changes, this project allows the CU to require a member to use MFA when enrolling for P2P as well as when initiating P2P transfers. If activated, when the “Enroll for Pay Anyone” button or the “Send New Payment” button is used in It’s Me 247, the member will be asked to select a contact method and then prompted to enter a confirmation code sent via text or email. The credit union can choose to activate one or both options.

Status as of October 2022: Specs for project #59276 have been submitted, and the project is waiting for programming resources.

MACO for MOP: Digital Identity Proofing

As introduced during the 2021 CEO Strategies briefing, we are currently working on a project to add Daon’s digital identity proofing functionality to our membership opening process (MOP). In a nutshell, Daon’s IdentityX Onboarding feature uses facial recognition to compare a photo ID image to a selfie taken by the new member.

As a bonus, our integration will also record the photo ID image in CU*Spy, as well as secure a 1-year MACO license for that member to use for mobile app authentication.

Status as of October 2022: Project #55913 is currently in credit union beta testing. Contact the IRSC if you’re interested in participating!


Your chefs for this recipe: Dawn Moore and Brian Maurer

Updated
October 20, 2022

8 Responses to “Authentication Enhancements for Online/Mobile Banking”

    • Dawn Moore

      If you are referring to MFA for logging in, we’re currently still in the research phase, looking at adding Multi-Factor Authentication (MFA) as an offering for our suite of online/mobile banking products. Our development and security teams are researching with consultants, vendors and insurers to outline the requirements for implementation. That said, there is no hard date yet for release to clients. We expect the research part of the project to conclude sometime during our fiscal year 2022. Our primary consideration in researching this project is to implement a solution that is compliant with emerging standards that will allow credit unions to pass their examinations and audits. Updates will be posted on this Kitchen page as they become available. Geoff will also be talking about this at this June’s Leadership Conference, so I hope you’ll join us then!

      Reply
  1. Triston K

    Hi Team,

    Are there any new updates that you can share? We’re finishing up an OCU exam and we’ve a few related findings, including:

    1. The online banking authentication process consists of username, password, and challenge questions. This method is considered a layered security approach and should be strengthened to include a multi-factor authentication (MFA) process…
    2. The phone banking system which allows members to perform transactions should also have MFA enabled…
    3. The platform allows concurrent logins/sessions…

    Cheers!

    Reply
    • Dawn Moore

      Thanks for the question, Triston! I just updated the recipe to give a few additional status details on the two projects we have in the queue: MFA for personal info updates and for P2P functions. Adding MFA at member login is still in the studying phase as we work through things such as the additional costs to CUs for text messaging as well as the impact on third-party aggregators like Plaid and Mint.

      As far as phone banking, this is the first we’ve heard about MFA for this system. Given that the audience for audio banking tends to be older members using landlines, I’m not sure how realistic it is to require an internet-based functionality in order to use it. We appreciate your bringing it to our attention, though. There’s nothing on our radar for that now, although we will be publishing some tips about security options that are already available to CUs for locking down phone banking a bit further. This tends to be a set-it-and-forget-it type service, but it does warrant a credit union’s attention just like any other member access point.

      Not sure how to respond to the final one. Would need clarification as to what is meant by that enigmatic statement.

      Reply
      • Triston Kirt

        Hi Dawn,

        ‘The platform allows concurrent logins/sessions…’
        Allowing active online banking sessions increases the risks to the credit union, and as mentioned, is an OCU exam finding.
        1. Disallowing concurrent logins can reduce the risk of a session hijacking attack. If an attacker is able to steal a session token and you disallow concurrent logins, it would be invalidated when the legit user logged back in.
        2. If a user leaves themselves logged in on a shared PC, invalidating that session the next time they login reduces the risk of another user of that PC gaining access to their session. If someone loses their phone with an active session.
        3. The log-in history may or may not accurately or completely identify the two sessions as being separate, so that security ‘feature’ in the member facing OLB may not be quite as helpful to identify unauthorized activity.

        Thanks for fielding these.
        -Triston

        Reply
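The single-session control Triston describes above (a new login invalidates any earlier session for the same member, and each session shows up separately in the login history), as an added example that is not part of this thread and is not It’s Me 247 code. It assumes a 15-minute idle timeout and an in-memory store; a real deployment would back this with a shared session database.

```python
# Added example (not CU*Answers code): one active online banking session per
# member. Logging in again revokes the earlier session, so a token that was
# stolen or left behind on a shared PC stops working at that point.
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

IDLE_TIMEOUT_SECONDS = 900   # assumption: 15-minute idle timeout


@dataclass
class Session:
    member_id: str
    created_at: float
    last_seen: float
    revoked_reason: Optional[str] = None


@dataclass
class SessionStore:
    clock: callable = time.time                         # injectable for testing
    sessions: dict = field(default_factory=dict)        # token -> Session
    active_by_member: dict = field(default_factory=dict)  # member_id -> live token
    history: list = field(default_factory=list)         # (member_id, token, event)

    def login(self, member_id):
        """Create a session and revoke the member's previous one, if any."""
        old = self.active_by_member.get(member_id)
        if old is not None:
            self._revoke(old, "superseded by new login")
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        now = self.clock()
        self.sessions[token] = Session(member_id, now, now)
        self.active_by_member[member_id] = token
        self.history.append((member_id, token, "login"))
        return token

    def _revoke(self, token, reason):
        s = self.sessions.get(token)
        if s is not None and s.revoked_reason is None:
            s.revoked_reason = reason
            self.history.append((s.member_id, token, f"revoked: {reason}"))
            if self.active_by_member.get(s.member_id) == token:
                del self.active_by_member[s.member_id]

    def authorize(self, token):
        """Return the member id for a live token, or None; idle sessions are revoked here."""
        s = self.sessions.get(token)
        if s is None or s.revoked_reason is not None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            self._revoke(token, "idle timeout")
            return None
        s.last_seen = now
        return s.member_id

    def logout(self, token):
        self._revoke(token, "logout")

    def sessions_for(self, member_id):
        """Every session record for a member, each one distinct, for the login history view."""
        return [(tok, s) for tok, s in self.sessions.items() if s.member_id == member_id]
```

Because revoked sessions are kept (with a reason) rather than deleted, the history can show a member that a second login ended the first one, which is the visibility point raised in the comment.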
  2. Triston Kirt

    Hi Dawn,
    Will these controls be available for ItsMe247 and the BizzLink applications?

    -tsk

    Reply

