This recipe outlines our high-level goals and priorities for new authentication and validation strategies for our online/mobile banking tools.
See the separate recipe about account aggregation features for online banking!
Ready Now
- MFA for making changes to email addresses and personal information – activate this now via Tool #569!
- MFA for using P2P (enrollment and transfers) – activate this now via Tool #569!
- MFA for logging in to desktop/mobile banking – activate this now via Tool #569!
Projects In the Works
MFA for Password Resets
This project adds an optional two-factor authentication method for password resets in both CU*BASE (initiated by the credit union) and online banking (initiated by the member). The password reset method will be configurable; if two-factor authentication is activated, when the member clicks the “forgot password” button they will be prompted to enter a confirmation code sent via text or email.
This project will also revamp the ARU/Online Banking Password Reset feature (Tool #72 Update ARU/Online Banking Access or Tool #14 Member Personal Banker). Online banking password resets and ARU PIN resets will now be handled via separate tools and the process will be more intuitive and easier for a credit union to navigate.
Status as of November 2024: Project #60203 is currently in development.
MemberPass® for Online Authentication
We are in the research stages of a project with Bonifii that would allow CUs to extend the new MemberPass feature – available now for call centers via CU*BASE Phone Operator and Teller tools – to be leveraged as a method for authenticating online.
Status as of November 2024: Project is in design research.
NEW! Multiple Logins for Standard Online Banking
While our BizLink 247 business online banking product already supports multiple logins per membership (for employees of business memberships), the It’s Me 247 standard online banking cannot support multiple sets of login credentials. Credit unions have long asked for a way to let joint owners log in without the primary member having to share login credentials. Over the past year the teams have been brainstorming ways to address this need, and we’re getting closer and closer to a design.
Because of the different ways that CUs use secondary names, and the general state of the secondary names databases across the network, we have already made the decision that the logins will not be based on joint owner relationships. Instead, we would allow a member to set up additional sets of credentials (username & password combinations) they could give to joint owners as they wish. We’d create a new module so the primary member can activate/deactivate these credential sets as needed. When any of these credentials are used to log in, the user will see the exact same functionality as the primary member, other than the ability to add/delete other credential sets.
Status as of November 2024: Project is still in the design research stage.
Your chefs for this recipe: Dawn Moore and Brian Maurer
Hi Team,
Are there any new updates that you can share? We’re finishing up an OCU exam and we’ve a few related findings, including:
1. The online banking authentication process consists of username, password, and challenge questions. This method is considered a layered security approach and should be strengthened to include a multi-factor authentication (MFA) process…
2. The phone banking system which allows members to perform transactions should also have MFA enabled…
3. The platform allows concurrent logins/sessions…
Cheers!
Thanks for the question, Triston! I just updated the recipe to give a few additional status details on the two projects we have in the queue: MFA for personal info updates and for P2P functions. Adding MFA at member login is still in the studying phase as we work through things such as the additional costs to CUs for text messaging as well as the impact on third-party aggregators like Plaid and Mint.
As far as phone banking, this is the first we’ve heard about MFA for this system. Given that the audience for audio banking tends to be older members using landlines, I’m not sure how realistic it is to require an internet-based functionality in order to use it. We appreciate your bringing it to our attention, though. There’s nothing on our radar for that now, although we will be publishing some tips about security options that are already available to CUs for locking down phone banking a bit further. This tends to be a set-it-and-forget-it type service, but it does warrant a credit union’s attention just like any other member access point.
Not sure how to respond to the final one. Would need clarification as to what is meant by that enigmatic statement.
Hi Dawn,
‘The platform allows concurrent logins/sessions…’
Allowing active online banking sessions increases the risks to the credit union, and as mentioned, is an OCU exam finding.
1. Disallowing concurrent logins can reduce the risk of a session hijacking attack. If an attacker is able to steal a session token and concurrent logins are disallowed, it would be invalidated when the legit user logged back in.
2. If a user leaves themselves logged in on a shared PC, invalidating that session the next time they log in reduces the risk of another user of that PC gaining access to their session. The same applies if someone loses their phone with an active session.
3. The log-in history may or may not accurately or completely identify the two sessions as being separate, so that security ‘feature’ in the member-facing OLB may not be quite as helpful to identify unauthorized activity.
Thanks for fielding these.
-Triston
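As an added illustration of the single-session control described in the comment above (example code written for this page, not code from the thread or from any CU*BASE or It’s Me 247 product), here is a hypothetical session store that revokes a member’s earlier sessions on each new login and records both the login and the revocation in a login history, so a previously issued token stops working and the event is visible afterwards:

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    member_id: str
    created_at: float
    active: bool = True


class SingleSessionStore:
    """Hypothetical store: at most one active session per member unless allow_concurrent is set."""

    def __init__(self, allow_concurrent: bool = False):
        self.allow_concurrent = allow_concurrent
        self._sessions: dict[str, Session] = {}            # token -> Session
        self._active_by_member: dict[str, set[str]] = {}   # member -> active tokens
        self.login_history: list[dict] = []                # audit trail shown to member/staff

    def login(self, member_id: str, source: str) -> str:
        if not self.allow_concurrent:
            # Revoke every earlier session for this member; an unexpected forced
            # logout is itself a signal worth surfacing in the login history.
            for old in self._active_by_member.get(member_id, set()):
                self._sessions[old].active = False
                self.login_history.append({"member": member_id, "event": "session_invalidated",
                                           "token_prefix": old[:8]})
            self._active_by_member[member_id] = set()
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(token, member_id, time.time())
        self._active_by_member.setdefault(member_id, set()).add(token)
        self.login_history.append({"member": member_id, "event": "login",
                                   "source": source, "token_prefix": token[:8]})
        return token

    def is_valid(self, token: str) -> bool:
        s = self._sessions.get(token)
        return s is not None and s.active


def stolen_token_outcome(allow_concurrent: bool) -> tuple[bool, bool]:
    """Constructed scenario: a session left on a shared PC, then the member logs in from home.
    Returns (valid before second login, valid after second login) for the first token."""
    store = SingleSessionStore(allow_concurrent=allow_concurrent)
    left_behind = store.login("member-001", "shared-pc")
    before = store.is_valid(left_behind)
    store.login("member-001", "home-phone")
    return before, store.is_valid(left_behind)
```

With concurrent sessions disallowed the left-behind token is dead after the second login; with them allowed it keeps working, which is the exposure the finding describes.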
Thanks for the input, Triston! Because other CUs might get a similar question, we’ve compiled some suggested responses in this AnswerBook item.
Hi Dawn,
Will these controls be available for ItsMe247 and the BizLink applications?
-tsk
Yep, that’s the plan!
In reviewing your information on MFA for Desktop/Mobile Banking logging in, I notice no mention of giving the user or member the option to use or not use MFA in their login process. That would allow members who utilize aggregators the ability to disable MFA and others to use it to increase their security on the internet. Are you considering allowing the user/member to enable or disable MFA?
No. This was designed as a global setting that affects all members. That’s not only based on the significant additional complexity required to let individual members opt out, but also based on feedback from many CUs as to what examiners and security consultants are pushing for.
We’re aware that MFA will mean that screen-scrape aggregators will no longer be able to use a member’s credentials to access their accounts. That’s one of the reasons we set up the integration with Plaid. Using that allows the member to connect to thousands of applications via Plaid regardless of MFA, since it connects via a different secure path. We are in talks with Mastercard/Finicity for something similar, and are willing to work with other aggregators who want to make a similar arrangement.