In release 18.03, scheduled for implementation on March 11, 2018, CU*Answers has changes in store for It’s Me 247 Online Banking that will likely impact both your website design, as well as your member user experience. The changes in this project are two-fold, and are explained below; the first change is related to the standardization of the widget that some credit unions use on their website to log in to Online Banking, and the second is related to the length of passwords used when logging in. These updates will require you to take action before March 11 in order to ensure an uninterrupted user experience.
Read the following information regarding both changes, and what your credit union will need to do to take full advantage of the upgrades.
- Curious about other security changes in the pipeline? Read about Online Security Projects in the Kitchen.
- Interested in the other changes included in the 18.03 release? Read the Current Release Schedule for a sneak peek.
Direct Login Widget Updates
With the login method we’re moving to as the standard method, we’re creating a modernized and seamless user experience, and doing away with outdated widgets. Additionally, this renovation creates added security against would-be identity thieves by making it even more difficult to access member accounts using software that targets member usernames.
If CU*Answers manages your website, we’ve laid out simple steps to follow, and may have already started work on your login widget. If your website is managed by a third party, it’s a good idea to contact your web developer now and alert them of the deadline so that they can begin the work to make the changes detailed below.
So, what is the actual change?
Simply, each login widget used on credit union websites will now require a member to input both username and password on the same screen before proceeding to the security question and accessing the account. As a result of this, there are changes to the size of the widgets to accommodate both entry fields.
Currently, credit unions have several options to access online banking; first, a direct Login Button that simply redirects the user to the OBC to enter their username and password, or a Direct Login Widget of various versions. If your website has a widget in which members log in using their username first, then proceeding to the password verification; these are referred to as a Direct Login Widget 1.0, and as of March 11, 2018 will be discontinued entirely due to the update. The final way that members can log in to online banking, a Direct Login Widget 2.0, will be explored below.
How do I know if I have to take action?
Based on available data, it appears most credit unions are using either the Login Button (that connects the member to the OBC to complete login), or a Direct Login Widget 1.0 on their website. CUs whose website has a simple Login Button will not have to make any changes. But anyone using a Direct Login Widget 1.0 will be required to make a change. (Credit unions already using a Direct Login Widget 2.0 will not need to make any changes.) View this visual to determine which version of the widget you’re currently using.
I am using a Direct Login Widget 1.0. What are my options?
You need to change your website’s login widget before the March 11th implementation date. This will take coordination with your web developer and either CU*Answers Web Services or the Internet Retailer Support Center.
Your choices are:
- Change to Login Button
- Change to a Direct Login Widget 2.0
Are there any examples of the Direct Login Widget 2.0?
Certainly! After viewing the visual above to determine which widget you’re using on your website, you can also view Direct Login Widget 2.0 options. We also have an example of a website that is currently using a 2.0 widget from Verve, a Credit Union.
Can I make this change now?
Yes! We recommend and strongly encourage making this change as soon as you can to avoid getting caught in the last minute rush before March 11.
Ok, I’m ready to make the change. What do I do?
If you are hosted with CU*Answers Web Services, we will be contacting you to discuss your timing and options. If you use a third party to manage your website, you should contact them directly, as soon as possible.
If you are changing to a Login Button:
Simply coordinate with your web developer to make the change. You can make this change any time before March 11, and then coast through without any interruption. Build your custom login button today in the Web Services store.
If you are changing to a Direct Login Widget 2.0:
Coordinate with your web developer to make the change to your website. You will need to identify which Direct Login Widget best fits your website design – it is likely your website design will have to be adjusted to accommodate these larger widgets. Again, see examples of Direct Login Widget 2.0.
Keep in mind that not only will your web developer need to make room on your website for the larger Direct Login Widget 2.0, they will still need to coordinate with CU*Answers Web Services or the Internet Retailer Support Center to flip the switch to the new widget.
Likely, your web developer will prepare the changes and push them to your live server and then ask you to call the IRSC or Web Services to make the configuration change. This process should take less than 10 minutes.
- CU*Answers Web Services: 616-285-5711 x275
- Internet Retailer Support Center: 616-285-5711 x371
What happens if I don’t do anything before March 11?
This change will happen regardless of whether or not you’ve updated your website widget to a new version. As the widget sizes are changing, this will cause anyone with a discontinued widget to have sizing issues, which will not only make for a visually unappealing website, but may also cause members to not be able to log in using the widget, and surely will prompt calls to your credit union. Again, we strongly encourage beginning this process now so you’re done by the deadline!
Changes to It’s Me 247 Password Lengths
While the change mentioned above only impacts credit unions that are using certain login widgets, the password changes affect every credit union. On March 11 with the 18.03 release, we are implementing a change to increase the number of password characters allowed to 256. This change not only increases security for members accessing online and mobile banking, but it also is necessary for the further expansion and enhancement of the APIs offered by CU*Answers going forward.
While the character expansion is a great thing, the effect on member passwords is a bit trickier to explain: when creating or changing a password in online banking, the directions state to create passwords between a credit union configured minimum and 10 characters, but the system would allow members to create a password that was longer than 10, even though the password capture mechanism was only recognizing the first 10 characters of the password. Therefore, when we make the switch on March 11, online banking will begin to count beyond the 10 character limit and members entering passwords that they believe to be longer than the 10 characters will not be able to log in to online banking.
As an example, Jane Member believes her password is ilovemydog123. When Jane enters her password now, the system recognizes only the first 10 characters, ilovemydog, then uses that as the password, and ignores the rest. After March 11, when Jane enters her password like she usually does (ilovemydog123), the system will now see the remaining characters of her password, compare it to the 10 characters it expected, and will consider that a password mismatch.
Members with passwords that they believe are longer than 10 characters may continue to log in using just the first 10 characters of the existing password, but it might be better to encourage them to change their password on March 11.
Unfortunately, since the actual passwords are not stored on the system, we cannot tell you how many of your members may have password lengths that exceed 10 characters. So in order to help these members as much as possible, during January we’ll be announcing ways to assist your members in identifying whether or not they’ll have to change their password. Stay tuned for further announcements.
What will I have to do?
The good news is that the technical stuff will all be done behind the scenes, so aside from notifying your members of the change, and subsequently changing passwords as requested, there will be no additional steps to take.
How will my members be notified?
We recommend a member notification campaign to alert users of the change. We recommend keeping the notification simple, such as “Our Password Requirements Are Changing!” and including a brief explanation of the new maximum number of allowed characters, and what that means for the previous password. We will also publish an OBC alert as the date draws closer. We have created a sample email notification that you may use to alert your members here:
Our online banking is undergoing an upgrade! This exciting change will expand the limit on the length for your online banking password from 10 to 256 characters on March 11, 2018, which is great news for our online banking security.
However, this change may require you to change your password if you are currently in the habit of typing more than 10 characters for your password. Beginning March 11, those characters will now be counted and your password will be incorrect (remember, passwords must be between 8-10 characters now, but some of you are typing extra characters!)
A password longer than 10 characters that is entered on March 11, 2018 will not be able to access Online Banking and must be changed on that date. Prior to the change, you may notice a message in It’s Me 247 letting you know there’s an issue with your password length. If you see this message and must change your password on March 11, use the “I forgot my password” link in It’s Me 247 Online Banking and follow the prompts to create a new password. If you need assistance changing your password, contact the credit union.
What happens if we don’t do anything before the deadline?
Again, this change will happen regardless of whether or not you’ve notified members. We strongly recommend notifying your members early and often to avoid confusion and calls on March 11 and after. We will be focused on outreach to ensure that your credit union does not miss this important change.
*NEW* Warning message for users entering passwords longer than 10 characters
Beginning Wednesday, January 24, members typing more than 10 characters in the password entry field while logging in to It’s Me 247 will see a variation of a warning message that their password is over the 10 character limit. In addition to this message, typing more than 10 characters will result in disabling the “Continue/Login” button. This is crucial information, as members will not be able to log in if attempting to enter a password longer than 10 characters! This message will appear only until the 18.03 release on March 11, in an effort to prepare members for the permanent change implemented then.
This warning will be implemented with the other changes in the 18.01 OBC release, which include additional verbiage changes, such as “Change Question” in lieu of “Ask a different question”. Instead of showing text and a checkbox for “Hide my typing”, the option will be displayed graphically as a “Hide Typing” eye, but will function the same when selecting it. Unlike the character limit warning, these changes will remain in effect.
These changes impact the desktop, mobile web, and mobile app versions of It’s Me 247. Note that in order to see these changes on the mobile app, users must first update their app.
Use this link to view examples of what your member will see beginning Wednesday. This list is not inclusive of every login type, as your widget may vary in size, color, or style, but is to be used as a general guide.