Authentication FAQs


FlexCU Authentication FAQs

This document provides technical information regarding the authentication features available within the FlexCU system.

 

Password Characteristics

 

  • Minimum Length: 4 characters

  • Maximum Length: 16 characters

  • Character Types: Passwords can be alphanumeric, but it’s not a requirement to use both.

  • Expiration Timeframes: Configurable expiration timeframes can be set for both passwords and the ‘Register PC’ option.

 

Mutual Authentication – Image Selection

 

  • Enrollment: During the enrollment process, members select an image from a provided set.

  • Login: The selected image is presented to the member at login as part of mutual authentication, confirming they are interacting with the FlexCU server.

  • Member Identity Verification: The member verifies their identity by providing a passphrase or answering a challenge question.

  • Layered Security: An additional security layer prompts the member to select their chosen image from a set of displayed images, as required by the authentication process.

 

Challenge Questions

 

  • Visibility and Modification: Credit unions can view and modify the list of challenge questions before the enrollment process is implemented. Members can also be allowed to enter personalized questions and answers.

  • Optional Cell Phone/Email Information: While using challenge questions, providing cell phone/email information is optional.

    • Requirement for Password Reset: A security contact address is required for members to reset forgotten passwords or other authentication data. If this information is not collected initially, it will be required if a member needs to reset authentication data.

    • Direct Access for New Members: With a security contact on file, new members can enable their access directly.

  • Security with Challenge Questions Only: The credit union determines if using only challenge questions provides sufficient security. Many institutions are expected to use mutual authentication (image display and challenge question) as their sole solution. Providing an email address/security contact offers the convenience of resetting forgotten authentication information.

 

Multi-Factor Authentication (MFA)

 

  • One-Time Code Delivery: MFA involves the delivery of a one-time code to a registered email address and includes the option to ‘Register PC’.

 

Registering a PC

 

  • Bill Pay Access with Registered PC: If a PC is registered, a one-time code will not be emailed each time Bill Pay is accessed, unless the registration is removed or expires. A registered PC allows access to actions defined as high risk without further authentication.

  • Requiring a Code for Bill Pay: If the credit union wishes to require a code every time Bill Pay is accessed, PC registration should not be allowed.

  • Additional Security Layers with Registered PC: Once a PC is registered, no additional layers of security (like challenge questions or passphrases) are required for that registered PC.

  • Function of a Registered PC: A registered PC functions as a “something the person has” component of multi-factor authentication, offering convenience to the member who has assumed responsibility for the PC’s security.

  • Multiple PC Registrations: Members can register more than one PC.

  • Multiple Members on a Single PC: If multiple members use the same PC, each member can register the PC for themselves, as registration is unique to the Online Banking User ID that creates it. Each account owner with a different User ID has the option to register the PC.

  • Registration Process: An encrypted cookie is created containing specific information to uniquely identify the credit union/User ID combination.

  • Un-registering a PC: A PC can be un-registered at any time from within Online Banking.
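
The registration properties listed above (a cookie bound to one credit union/User ID combination, an expiration timeframe, and removal at any time) are illustrated below. This is an added example, not FlexCU code: the claim names, SERVER_KEY and REVOKED_IDS are assumptions, and the cookie value is integrity-protected with HMAC-SHA256 from the Python standard library rather than encrypted as the FlexCU cookie is described to be.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
REVOKED_IDS = set()                   # assumption: server-side store of un-registered ids

def _enc(raw):
    return base64.urlsafe_b64encode(raw).decode()

def register_pc(cu_id, user_id, ttl_seconds, now=None):
    """Issue a cookie value bound to one credit union/User ID combination."""
    now = int(time.time()) if now is None else now
    claims = {"cu": cu_id, "uid": user_id, "exp": now + ttl_seconds,
              "tid": secrets.token_hex(8)}  # random id so one PC can be revoked alone
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _enc(payload) + "." + _enc(tag)

def _verified_claims(cookie):
    """Return the claims only if the tag is authentic, else None."""
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong shape or invalid base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)

def is_registered(cookie, cu_id, user_id, now=None):
    """True only for an authentic, unexpired, unrevoked cookie issued to this user."""
    now = int(time.time()) if now is None else now
    claims = _verified_claims(cookie)
    return (claims is not None and claims["cu"] == cu_id
            and claims["uid"] == user_id and now < claims["exp"]
            and claims["tid"] not in REVOKED_IDS)

def unregister_pc(cookie):
    """Revoke server-side, so a copied cookie stops working before it expires."""
    claims = _verified_claims(cookie)
    if claims is None:
        return False
    REVOKED_IDS.add(claims["tid"])
    return True
```

Because the User ID is checked against the signed claims, a second member on the same PC needs their own registration, and un-registering takes effect on the server rather than depending on the browser deleting the cookie.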

 

Email Address for One-Time Authentication Codes

 

  • Member Maintenance: Email addresses provided during initial setup can be maintained by the member within Online Banking.

  • Changing Email Addresses: If a member changes email addresses, they can update it within Online Banking. If they no longer have access to the old account, they will need to contact the credit union to change the email address.

  • Selection of Security Contact: If authentication requires an email address not provided at login, the member will select from a list of labels they assigned during initial setup or when maintaining security contact addresses (e.g., ‘Work’ or ‘Home’ for different email accounts). The temporary code will be sent to the selected account, and a page will display for the member to enter the code.

  • Email Address Storage: A member’s email address can be stored in two separate locations: within the member record in FLEX and at the user level within Online Banking. Changing one does NOT change the other.

 

Account Lockout and Reset

 

  • Unlocking Members: An option within Online Banking Maintenance clears the security data for an account.

  • Forgotten Password/Enroll Now: At the login screen, options like ‘Forgotten Password’ or ‘Enroll Now’ will send a temporary authentication code to the member via one of their security contact addresses.

  • Re-enrollment Process: The member will be guided through the enrollment process again. Once enrollment is complete, they will return to the login screen for standard login with their new information.

  • Credit Union Reset Capability: If a member is locked out using mutual authentication options, the credit union can clear the data.

  • New Member Setup: When the member logs in again after a reset, they will receive a temporary authentication code to validate their identity and will go through the initial setup process again, similar to a new member accessing their account for the first time.

 

Security Contact Information Storage

 

  • Location: Security contact addresses (email and phone number) are stored in the FTCONT file on the server, not in the member account number file.

  • Credit Union Access: Credit unions can query against the FTCONT file.

  • Marketing Module: The possibility of making this information available to the Marketing module would require further discussion.

 

System Monitoring and Reports

 

  • Credit Union Monitoring: Credit unions can monitor reports of disabled IP addresses and disabled accounts.

  • Member Account Activity Monitoring: Currently, members cannot monitor account activity such as reviewing transactions, checking login activity, or obtaining date, time, and IP address information for each account access. Future steps are anticipated in this direction.

 

Review of Authentication Process

 

  • FLEX Involvement: FLEX’s involvement in reviewing the authentication process is ongoing, driven by the credit union’s risk assessment and changes in internet technologies.

 

Policies, Procedures, and Controls

 

  • FLEX’s Role: FLEX does not dictate credit union policies or actions. Publishing security procedures is unlikely as each credit union has different needs and selected components of authentication, and it would raise further security concerns.

 

Authentication Options

 

  • Strategy 2 and 3: All options for each authentication type (Mutual Authentication or Multi-Factor Authentication) are available for selection under both Strategy 2 and Strategy 3.

    • Strategy 2: Selected options are required at login.

    • Strategy 3: Selected options are required only when the member selects an action the credit union has determined to be high risk.
