MFA for Business Banking – Security Code

Multifactor Authentication:
Quick Tip Sheets
Note to Financial Institutions:
We are providing these QT sheets to you in
PowerPoint format – please feel free to
change to your FI’s template, add scenarios,
etc. – anything you need to do to customize
them for your FI.
Managing MFA on the Admin Platform
Maintenance → Policies (affects entire commercial client
base)
Enable or disable MFA
Once enabled, select the Effective Date
Select the number of logins at which the user is allowed to select
“Enroll me Later”
Select if users will be able to change their own email
addresses
Maintenance → Customer Maintenance (affects individual
commercial client – these settings override the
Policies settings)
Enable or disable MFA
Once enabled, select the Effective Date
Tips

If an Effective Date was previously defined on the Customer
Maintenance screen, then changing or adding the Effective Date on the
Policies page will only override it if the date has not passed.

The MFA Effective Date must be the current day’s date or future dated.
We highly recommend that you set it 1-2 weeks out to allow all users
to confirm/update their email address.

The MFA Bypass Count, set to a login count from 0 to 15, allows the
user to bypass the process of providing a Security Code or enrolling in
the feature.
o The ‘MFA Bypass Count’ will not start counting until the Effective
Date you have defined has been reached.
o The Bypass Count can be set to zero if you want all of your users to
be required to use MFA as soon as the Effective Date takes effect;
otherwise, they will be required once they exceed the number of
logins allowed.
o The ‘MFA Bypass Count’ will expire 365 days after the ‘MFA Effective
Date’ has been reached, even for users that have not reached the
login count you selected.
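
Added example (not part of the original tip sheets and not the platform's own code): a small Python model of how the Effective Date, Bypass Count and 365-day expiry described above combine at login. The function names, the returned screen labels and the treatment of the exact 365th day are assumptions made for illustration.

```python
from datetime import date, timedelta

BYPASS_WINDOW = timedelta(days=365)  # tip sheet: bypass expires 365 days after the date

def validate_settings(effective_date, bypass_count, today):
    """Reject admin input that the tip sheet says is not allowed."""
    if effective_date < today:
        raise ValueError("Effective Date must be today or future dated")
    if not 0 <= bypass_count <= 15:
        raise ValueError("MFA Bypass Count must be between 0 and 15")

def login_outcome(today, mfa_enabled, effective_date, bypass_count,
                  deferrals_used, user_enrolled, computer_enrolled):
    """Return a label (hypothetical names) for what the user meets at login."""
    if not mfa_enabled:
        return "business_banking"
    if today < effective_date:
        # Before the date the user only confirms the email address, and
        # logins do not count against the Bypass Count.
        return "confirm_email"
    if user_enrolled:
        # Enrolled users see nothing on an enrolled computer and are
        # challenged on any other one.
        return "business_banking" if computer_enrolled else "security_code_challenge"
    # Assumption: the bypass is treated as expired from day 365 onward.
    expired = today >= effective_date + BYPASS_WINDOW
    if deferrals_used < bypass_count and not expired:
        return "enroll_or_later"   # "Enroll me Later" is still offered
    return "must_enroll"           # count used up, set to zero, or expired
```

A Bypass Count of 0 yields "must_enroll" on the Effective Date itself, which is the strictest setting the sheet describes.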
User Experience After MFA Enablement
… But Before the Effective Date is Reached
Step 1: User logs into the Customer Platform.
Step 2: Next screen displays the user’s email address. User must
either confirm that the address is correct, or if it’s not:
o change it here (if your FI allows users to change their
own email address) OR
o contact their Company Admin and have them change it
Step 3: User is taken to Business Banking.
… After the Effective Date is Reached
Step 1: User logs into the Customer Platform.
Step 2: Next screen is the Enhanced Login Security Screen
(See Quick Tip sheet for Enrolling a Computer)
Tip

If the user’s email address is incorrect after the effective date is
reached, they will not be able to log into Business Banking. They must
contact their company administrator and have them correct the
address, then log in again.
Enroll or Unenroll a Computer
Enroll a Computer/Browser
Step 1: After logging in, user is presented with the Enhanced
Login Security screen.
Step 2: Following the instructions, the user retrieves the Security
Code from their email account, enters that code here, then
checks the box to add extra security protection to this
computer.
Step 3: A success screen displays.
Unenroll a Computer/Browser
Step 1: Once logged in, user goes to Administration → Login
Credentials → Unenroll Computers
Step 2: On the Unenroll Computers screen, user selects either the
first option (to unenroll this computer) or the second option
(to unenroll all computers).
Step 3: MFA removes the cookie from the user’s browser.
Tips – Enroll a Computer

Users can enroll as many computers and browsers as they wish.

Once a user enrolls one computer, the user is now enrolled in MFA.

Once a computer/browser is enrolled, the user will see nothing different
at future logins to Business Banking from that computer using that
browser.

A user should only enroll a computer that is non-public and that they
will use regularly to access Business Banking.
Tips – Unenroll a Computer

The user is still enrolled in MFA! So if they log in again from this or any
unenrolled computer, they will not be allowed into their Business
Banking session until they provide the challenge data (see Temporary
Access tip sheet).

User should only select this option if they are not going to be using this
computer for Business Banking again.

This ‘Unenroll Computers’ feature will only display if the financial
institution has enabled MFA for the company and the ‘MFA Effective
Date’ defined has been reached.
Temporary Access
Step 1: Enrolled user logs into Business Banking from an
unenrolled computer or browser.
Step 2: System sends a security code to the email address on
file.
Step 3: System displays a screen telling the user to check their
email.
Step 4: User retrieves security code from their email account.
Step 5: User returns here, enters passcode, and is taken to
Business Banking.
Tips

A user will only be challenged if they are an enrolled user, but are
using an unenrolled computer (at the library, at a friend’s house, etc.).

If a user wants to enroll the computer they are currently using, they
can check the box to add enhanced security to this computer before
continuing.

Security codes expire after 30 minutes.

If the MFA system sent the user a code less than 30 minutes ago and
the code was not used, it will not automatically send a new one when
the user tries to log in this time.

If the user wasn’t able to retrieve that security code and wants a new
one, there is a Request a New Security Code link.

If the user enters the wrong code, an error message displays. The
user can try again. This counts as a bad login attempt.

Once a user successfully enters a security code and is able to log in,
that code becomes invalid.

If the user cannot retrieve their code, they should contact their
company administrator. The administrator can change the user’s email
address to one where the user can retrieve the code.

There is the possibility of the security code email being routed to a
user’s junk mail folder. Users who do not get the security code should
check that folder.
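
Added example (not part of the original tip sheets and not the platform's own code): an in-memory Python model of the security code rules listed above, covering the 30-minute expiry, no automatic resend while an unused code is live, single use, and wrong entries counted as bad logins. The class and method names, the 6-digit code format, replacing the old code on a new request and counting expired entries as bad logins are assumptions.

```python
import hmac
import secrets
from datetime import datetime, timedelta

CODE_TTL = timedelta(minutes=30)  # tip sheet: security codes expire after 30 minutes

class SecurityCodeChallenge:
    """Illustrative model of the emailed security code lifecycle."""

    def __init__(self):
        self.pending = {}     # user -> (code, issued_at)
        self.bad_logins = {}  # user -> number of failed code entries
        self.outbox = []      # (user, code) pairs standing in for sent email

    def _issue(self, user, now):
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits is an assumption
        self.pending[user] = (code, now)
        self.outbox.append((user, code))
        return code

    def challenge(self, user, now):
        """Login from an unenrolled computer; returns True if an email was sent."""
        live = self.pending.get(user)
        if live and now - live[1] < CODE_TTL:
            return False  # unused code under 30 minutes old: no new email
        self._issue(user, now)
        return True

    def request_new_code(self, user, now):
        """The 'Request a New Security Code' link: always sends a fresh code.
        Replacing the earlier code is an assumption; the page does not say."""
        return self._issue(user, now)

    def verify(self, user, entered, now):
        live = self.pending.get(user)
        ok = (live is not None
              and now - live[1] < CODE_TTL
              and hmac.compare_digest(live[0].encode(), entered.encode()))
        if ok:
            del self.pending[user]  # a successfully used code becomes invalid
        else:
            # Wrong code counts as a bad login (page); expired ones too (assumed).
            self.bad_logins[user] = self.bad_logins.get(user, 0) + 1
        return ok
```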
MFA Reporting
Reporting on MFA is accomplished using the following
Transaction Types:
Existing Transaction Types with MFA information:
1. Bad login
2. Usermaint modified
MFA-Specific Transaction Types:
1. Unenroll computer
2. All computers unenrolled
3. New security code sent
4. One time security code entered
5. Computer enrolled
6. Login authenticated
7. User challenged
8. User computers unenrolled
9. Login credentials reset
10. Email address confirmed
11. Changed email address
12. Defer enrollment
Tips

Customer Platform = Administration → Activity Reporting

FI Admin Platform = Billing & Reporting → Customer Activity Reporting

See transaction type details in the External Communication.
Common Call Center Scenarios
Q: I keep getting this prompt for something called Enhanced Login
Security – what is this?
A: “This is a new feature we are offering to help improve the security of your
Business Banking account. It will help prevent unauthorized access to
your account. Once you’ve enrolled your computer, you won’t even know
it’s there! Would you like me to walk you through the process?” <Refer
to the Enroll a Computer quick tip sheet>
<The remaining questions should only come from users who are already
enrolled in the MFA feature.>
Q: I’m trying to get into my Business Banking account and there’s a
screen asking for a passcode. Why?
A: “Are you at a different computer than you usually use?”
→ Walk them through the Temporary Access information, and have them
enroll that computer if it’s one they will be using regularly.
A: “Are you using a different browser than you usually use?”
→ Walk them through the Temporary Access information, and have them
enroll that browser if it’s one they will be using regularly.
A: “Have you recently deleted all your cookies?”
→ “You’ve also deleted the cookie that our security feature uses to
recognize you.” Walk them through the Temporary Access information,
and have them re-enroll.
Q: I often use a computer at the library to check my business
banking account. Should I go ahead and enroll that computer so I
don’t have to enter a security code each time?
A: “We recommend that you do not enroll a public computer. It is better to
continue to enter the security code.”
Q: I have an employee at a conference and she’s trying to get into
her Business Banking account, and it’s asking her for the security
code. But she can’t get to her email account on that laptop to see
the code. How does she get into Business Banking now?
A: “Your company administrator can change her email address to one she
can access via web mail. Your employee can then log in again, and this
time she’ll be able to retrieve the security code.” <Refer to the Temporary
Access quick tip sheet>


General Troubleshooting Tips
It’s common to suggest to users having Business Banking issues that they
clear their cache and cookies. BUT – for a user enrolled in MFA, doing so
will unenroll that computer (It does not unenroll the user from the MFA
feature). You should warn them that they will need to re-enroll that
computer once they have solved the other issue. If they don’t, they will
be challenged each time.

You can no longer ask an enrolled user for their username and password
in order for you to recreate an issue, because now you will get
challenged. Under no circumstances should you ask the user for their
security code so that you can access their site.
o Solution: If you want to recreate the issue, you can disable the MFA
feature for this commercial client in the FI Admin Platform (if the
user agrees), as this will remove the additional security validation to
allow you to log in and troubleshoot. You can then re-enable the
feature. Note: The business users will not be MFA Challenged as long
as the user’s cookie is still valid.