MFA for Business Banking – Security Code
Multifactor Authentication: Quick Tip Sheets

Note to Financial Institutions: We are providing these QT sheets to you in PowerPoint format – please feel free to change to your FI’s template, add scenarios, etc. – anything you need to do to customize them for your FI.

Managing MFA on the Admin Platform

Maintenance > Policies (affects entire commercial client base)
- Enable or disable MFA
- Once enabled, select the Effective Date
- Select the number of logins the user is allowed to select “Enroll me Later”
- Select if users will be able to change their own email addresses

Maintenance > Customer Maintenance (affects individual commercial client – these settings override the Policies settings)
- Enable or disable MFA
- Once enabled, select the Effective Date

Tips
- If an Effective Date was previously defined on the Customer Maintenance screen, then changing or adding the Effective Date on the Policies page will only override it if the date has not passed.
- The MFA Effective Date must be the current day’s date or future dated. We highly recommend that you set it 1-2 weeks out to allow all users to confirm/update their email address.
- The MFA Bypass Count with a 0-15 login count will allow the user to bypass the process of providing a Security Code or enrolling in the feature.
  o The ‘MFA Bypass Count’ will not start until the effective date you have defined has been reached.
  o The Bypass Count can be set to zero if you want all of your users to be required to use MFA as soon as the Effective Date takes effect; otherwise, they will be required once they exceed the number of logins allowed.
  o The ‘MFA Bypass count’ will expire 365 after the ‘MFA Effective Date’ has been reached, even for users that have not reached the login count you selected.

User Experience

After MFA Enablement … But Before the Effective Date is Reached
Step 1: User logs into the Customer Platform.
Step 2: Next screen displays the user’s email address. User must either confirm that the address is correct, or if it’s not:
  o change it here (if your FI allows users to change their own email address), OR
  o contact their Company Admin and have them change it
Step 3: User is taken to Business Banking.

… After the Effective Date is Reached
Step 1: User logs into the Customer Platform.
Step 2: Next screen is the Enhanced Login Security Screen (See Quick Tip sheet for Enrolling a Computer)

Tip
- If the user’s email address is incorrect after the effective date is reached, they will not be able to log into Business Banking. They must contact their company administrator and have them correct the address, then log in again.

Enroll or Unenroll a Computer

Enroll a Computer/Browser
Step 1: After logging in, user is presented with the Enhanced Login Security screen.
Step 2: Following the instructions, the user retrieves the Security Code from their email account, enters that code here, then checks the box to add extra security protection to this computer.
Step 3: A success screen displays.

Unenroll a Computer/Browser
Step 1: Once logged in, user goes to Administration > Login Credentials > Unenroll Computers
Step 2: On the Unenroll Computers screen, user selects either the first option (to unenroll this computer) or the second option (to unenroll all computers).
Step 3: MFA removes the cookie from the user’s browser.

Tips – Enroll a Computer
- Users can enroll as many computers and browsers as they wish.
- Once a user enrolls one computer, the user is now enrolled in MFA.
- Once a computer/browser is enrolled, the user will see nothing different at future logins to Business Banking from that computer using that browser.
- A user should only enroll a computer that is non-public and that they will use regularly to access Business Banking.

Tips – Unenroll a Computer
- The user is still enrolled in MFA!
  So if they log in again from this or any unenrolled computer, they will not be allowed into their Business Banking session until they provide the challenge data (see Temporary Access tip sheet).
- User should only select this option if they are not going to be using this computer for Business Banking again.
- This ‘Unenroll Computers’ feature will only display if the financial institution has enabled MFA for the company and the ‘MFA Effective Date’ defined has been reached.

Temporary Access

Step 1: Enrolled user logs into Business Banking from an unenrolled computer or browser.
Step 2: System sends a security code to the email address on file.
Step 3: System displays a screen telling the user to check their email.
Step 4: User retrieves security code from their email account.
Step 5: User returns here, enters passcode, and is taken to Business Banking.

Tips
- A user will only be challenged if they are an enrolled user, but are using an unenrolled computer (at the library, at a friend’s house, etc.)
- If a user wants to enroll the computer they are currently using, they can check the box to add enhanced security to this computer before continuing.
- Security codes expire after 30 minutes.
- If the MFA system sent the user a code less than 30 minutes ago and the code was not used, it will not automatically send a new one when the user tries to log in this time. If the user wasn’t able to retrieve that security code and wants a new one, there is a Request a New Security Code link.
- If the user enters the wrong code, an error message displays. The user can try again. This counts as a bad login attempt.
- Once a user successfully enters a security code and is able to login, that code becomes invalid.
- If the user cannot retrieve their code, they should contact their company administrator. The administrator can change the user’s email address to one where the user can retrieve the code.
- There is the possibility of the security code email being routed to a user’s junk mail folder. Users who do not get the security code should check that folder.

MFA Reporting

Reporting on MFA is accomplished using the following Transaction Types:

Existing Transaction Types with MFA information:
1. Bad login
2. Usermaint modified

MFA-Specific Transaction Types:
1. Unenroll computer
2. All computers unenrolled
3. New security code sent
4. One time security code entered
5. Computer enrolled
6. Login authenticated
7. User challenged
8. User computers unenrolled
9. Login credentials reset
10. Email address confirmed
11. Changed email address
12. Defer enrollment

Tips
- Customer Platform = Administration > Activity Reporting, FI Admin Platform = Billing & Reporting > Customer Activity Reporting
- See transaction type details in the External Communication.

Common Call Center Scenarios

Q: I keep getting this prompt for something called Enhanced Login Security – what is this?
A: “This is a new feature we are offering to help improve the security of your Business Banking account. It will help prevent unauthorized access to your account. Once you’ve enrolled your computer, you won’t even know it’s there! Would you like me to walk you through the process?”
<Refer to the Enroll a Computer quick tip sheet>

<The remaining questions should only come from users who are already enrolled in the MFA feature.>

Q: I’m trying to get into my Business Banking account and there’s a screen asking for a passcode. Why?
A: “Are you at a different computer than you usually use?” Walk them through the Temporary Access information, and have them enroll that computer if it’s one they will be using regularly.
A: “Are you using a different browser than you usually use?” Walk them through the Temporary Access information, and have them enroll that browser if it’s one they will be using regularly.
A: “Have you recently deleted all your cookies?” “You’ve also deleted the cookie that our security feature uses to recognize you.” Walk them through the Temporary Access information, and have them re-enroll.

Q: I often use a computer at the library to check my business banking account. Should I go ahead and enroll that computer so I don’t have to enter a security code each time?
A: “We recommend that you do not enroll a public computer. It is better to continue to enter the security code.”

Q: I have an employee at a conference and she’s trying to get into her Business Banking account, and it’s asking her for the security code. But she can’t get to her email account on that laptop to see the code. How does she get into Business Banking now?
A: “Your company administrator can change her email address to one she can access via web mail. Your employee can then log in again, and this time she’ll be able to retrieve the security code.”
<Refer to the Temporary Access quick tip sheet>

General Troubleshooting Tips
- It’s common to suggest to users having Business Banking issues that they clear their cache and cookies. BUT – for a user enrolled in MFA, doing so will unenroll that computer (it does not unenroll the user from the MFA feature). You should warn them that they will need to re-enroll that computer once they have solved the other issue. If they don’t, they will be challenged each time.
- You can no longer ask an enrolled user for their username and password in order for you to recreate an issue, because now you will get challenged. Under no circumstances should you ask the user for their security code so that you can access their site.
  o Solution: If you want to recreate the issue, you can disable the MFA feature for this commercial client in the FI Admin Platform (if the user agrees), as this will remove the additional security validation to allow you to log in and troubleshoot.
You can then re-enable the feature. Note: The business users will not be MFA Challenged as long as the user’s cookie is still valid.
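
The security-code rules from the Temporary Access tip sheet (30-minute expiry, no automatic re-send while an unused code is outstanding, wrong entries counted as bad logins, single use), as an added Python example that is not the vendor's code. The class name, the six-digit code length, the send_email callback and the replacement of the old code on an explicit request are assumptions.

```python
import hmac
import secrets

CODE_TTL_SECONDS = 30 * 60  # tip sheet: security codes expire after 30 minutes


class SecurityCodeChallenge:
    """Hypothetical per-user challenge state; 'now' is epoch seconds."""

    def __init__(self, send_email):
        self.send_email = send_email  # callable(code); stands in for the mail gateway
        self.code = None              # outstanding unused code, if any
        self.issued_at = None
        self.bad_logins = 0           # wrong codes count as bad login attempts

    def _issue(self, now):
        # Six digits is an assumption; the tip sheet gives no code format.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = now
        self.send_email(self.code)
        return "new code sent"

    def _live(self, now):
        return self.code is not None and now - self.issued_at < CODE_TTL_SECONDS

    def login_from_unenrolled_computer(self, now):
        """No automatic re-send while an unused code under 30 minutes old exists."""
        if self._live(now):
            return "existing code still valid"
        return self._issue(now)

    def request_new_code(self, now):
        """'Request a New Security Code' link; replacing the old code is an assumption."""
        return self._issue(now)

    def submit(self, entered, now):
        if not self._live(now):
            self.code = None          # expired or already used
            return "no valid code"
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(entered.encode(), self.code.encode()):
            self.bad_logins += 1      # the user can try again
            return "wrong code"
        self.code = None              # a successfully used code becomes invalid
        return "authenticated"
```
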