MFA Overview | Yodlee Developer Portal

Overview

Multifactor authentication (MFA) verifies the identity of customers of a financial institution through a series of steps when they log in to their accounts online. It is called multifactor authentication because the login mechanism consists of two or more forms of authentication. While the single factor authentication is based on the username and password, in multifactor authentication, consumers provides additional details for identification like answers to security questions or some dynamic information.

Financial institutions have started implementing one or other form of multifactor authentication to comply with this requirement from the Federal Financial Institutions Examination Council (FFIEC).

As financial institutions implement MFA, it becomes challenging to log in automatically to their websites. Yodlee has overcome these challenges by implementing smart solutions. The number of MFA-implemented websites being supported by Yodlee has been growing steadily.

The MFA Challenge

Yodlee applications typically store the User ID and Password required to log in to the sites of financial institutions (FIs) for accessing details. As sites started implementing MFA, consumers were prompted for additional authentication information during login. The common types of MFA are Q&A (Question and Answers), Matrix, Token and CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) are described below.

Security questions and answers – The website asks the consumer to answer a fixed number of questions of their choice during registration and expects them to answer one or a limited number of questions during every login attempt.
Token ID – The website expects the consumer to provide the digits generated in real time from a device in the consumer's possession.
Dynamic information – The website could ask for specific information, like the current balance.
CAPTCHA image – CAPTCHA is an automated test aimed at distinguishing activities of humans and computers online. The website could expect the consumers to recognize and type a distorted word from an image displayed with a cluttered background.
Out of Band Authentication – Two separate networks working simultaneously are used to authenticate a consumer. A new access code - a One Time Access Code (OTAC) is sent to the consumer for that transaction through a phone call or SMS,

MFA support by Yodlee

Yodlee supports the following login forms:

Below is the list of login forms which are used in most of the financial institutions.

Simple authentication – login form that contains user ID and password.
Complex authentication – login form which includes:
- Additional fields (mandatory or optional)
- Multiple fields in a single row, for example, three text field for DD, MM and YYYY
- Field(s) in a single row along with some constant value that will suffix or prefix the
  
  text field
- OR condition, for example, username or account numbe
- Consumer can chose questions or answers from a drop-down list
Additional Authentication - Login form with challenge question, token, and CAPTCHA
Multi level – login form which includes a combination of:
- Multiple challenge questions
- Image and a challenge question
- Image keypad and a challenge question
- OTP and a challenge question

Below is the list of login forms which are supported by a very few financial institutions. Especially, some of the smaller banks or credit unions.

One time password (OTP) – where a consumer can chose to receive OTP through email, SMS or phone. The other type being where the consumer receives the OTP only through email.
Grid based – wherein the consumer is prompted to provide specific cell values from a grid of randomly generated characters.
Image answer – challenge question with multiple answers that are images.
Symmetric keypad – wherein the consumer has to click specific keys on the keypad image.
Card reader – wherein the consumer has to enter his or her card number or part of the card number along with a token number generated by the card reader.

Other Mechanisms to Support MFA

In the case of certain FIs, Yodlee achieves back-end support for MFA implementation by leveraging its special relationships with them. Rather than scraping the data on behalf of the consumer from their online banking sites, Yodlee gets data from the FIs through other confidential mechanisms. The MFA capabilities for consumers are still in place when they visit their online banking site.

Supported MFA Sites Statistics

Yodlee calculates sites in terms of sum_infos or content services. Sum_infos are unique for the different types of services provided by the FI such as banking, credit cards, loans, etc. Note that there could be multiple sum_infos associated with an FI's site.

Supported MFA Types

Yodlee provides several smart solutions to the MFA-implemented websites challenges. They include:

Security questions and answers
- Yodlee offers a mechanism for a user to provide answers during an instant refresh.
- Yodlee stores the questions & answers provided by the user and uses these Q&A for nightly cache refresh and subsequent logins.
- Yodlee supports APIs to allow the user to edit the stored answers.
Token ID
- Yodlee supports consumer-initiated refreshes (instant refreshes) by asking
  consumer to enter the code when they request account updates.
- Yodlee cannot initiate any cache refresh for TokenID sites as it requires user input
CAPTCHA Image
- Yodlee retrieves the image from the website and presents it on its application, for consumers to type the code when they initiate account refresh.
- Yodlee cannot initiate any cache refresh for CAPTCHA sites as it requires user input

Yodlee also supports cookie-based authentication (which involves authentication of Yodlee's requests based on an additional password and registered Yodlee IP addresses) with some of its partners' websites to gather data. There is also a data-feed relationship with some partners.

MFA Examples

Security questions and answers

Token ID Authentication

CAPTCHA Image Authentication