Multifactor Authentication Overview

Overview

Multifactor authentication (MFA) verifies the identity of customers of a financial institution through a series of steps when they login to their accounts online. It is called multifactor authentication because the login mechanism consists of two or more forms of authentication. While single-factor authentication is based on the username and password, in multifactor authentication, consumers provide additional details for identification like answers to security questions or some dynamic information.

Financial institutions have started implementing one or other form of multifactor authentication to comply with this requirement from the Federal Financial Institutions Examination Council (FFIEC).

As financial institutions implement MFA, it becomes challenging to log in automatically to their websites. Yodlee has overcome these challenges by implementing smart solutions. The number of MFA-implemented websites being supported by Yodlee has been growing steadily.

The MFA Challenge

Yodlee applications typically store the User ID and Password required to log in to the sites of financial institutions (FIs) for access details. As sites started implementing MFA, consumers were prompted for additional authentication information during login. The common types of MFA are Q&A (Question and Answers), Matrix, Token, and CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) are described below.

  • Security questions and answers – The website asks the consumer to answer a fixed number of questions of their choice during registration and expects them to answer one or a limited number of questions during every login attempt.
  • Token ID – The website expects the consumer to provide the digits generated in real-time from a device in the consumer's possession.
  • Dynamic information – The website could ask for specific information, like the current balance.
  • CAPTCHA image – CAPTCHA is an automated test aimed at distinguishing the activities of humans and computers online. The website could expect the consumers to recognize and type a distorted word from an image displayed with a cluttered background.
  • Out of Band Authentication – Two separate networks working simultaneously are used to authenticate a consumer. A new access code - a One Time Access Code (OTAC) is sent to the consumer for that transaction through a phone call or SMS.

MFA Support by Yodlee

Yodlee supports the following list of login forms that are used in most financial institutions:

  • Simple authentication – login form that contains user ID and password.
  • Complex authentication – login form which includes:
    • Additional fields (mandatory or optional)
    • Multiple fields in a single row, for example, three text fields for DD, MM, and YYYY
    • Field(s) in a single row along with some constant value that will suffix or prefix the text field
    • OR condition, for example, username or account number
    • Consumers can choose questions or answers from a drop-down list
  • Additional Authentication - Login form with a challenge question, token, and CAPTCHA
  • Multi-level – login form which includes a combination of:
    • Multiple challenge questions
    • Image and a challenge question
    • Image keypad and a challenge question
    • OTP and a challenge question

The below is the list of login forms that are supported by very few financial institutions.  Especially, some of the smaller banks or credit unions:

  • One-time password (OTP) – where a consumer can choose to receive OTP through email, SMS, or phone. The other type being where the consumer receives the OTP only through email.
  • Grid-based – wherein the consumer is prompted to provide specific cell values from a grid of randomly generated characters.
  • Image answer – challenge question with multiple answers that are images.
  • Symmetric keypad – wherein the consumer has to click specific keys on the keypad image.
  • Card reader – wherein the consumer has to enter his or her card number or part of the card number along with a token number generated by the card reader.

Other Mechanisms to Support MFA

In the case of certain FIs, Yodlee achieves back-end support for MFA implementation by leveraging its special relationships with them. Rather than scraping the data on behalf of the consumer from their online banking sites, Yodlee gets data from the FIs through other confidential mechanisms. The MFA capabilities for consumers are still in place when they visit their online banking site.

Supported MFA Types

Yodlee provides several smart solutions to the MFA-implemented websites challenges, they include the following:

  • Security questions and answers
    • Yodlee offers a mechanism for a user to provide answers during an instant refresh.
    • Yodlee stores the questions & answers provided by the user and uses these Q&A for nightly cache refresh and subsequent logins.
    • Yodlee supports APIs to allow the user to edit the stored answers.
  • Token ID
    • Yodlee supports consumer-initiated refreshes (instant refreshes) by asking consumer to enter the code when they request account updates.
    • Yodlee cannot initiate any cache refresh for TokenID sites as it requires user input.
  • CAPTCHA Image
    • Yodlee retrieves the image from the website and presents it on its application, for consumers to type the code when they initiate account refresh.
    • Yodlee cannot initiate any cache refresh for CAPTCHA sites as it requires user input

Yodlee also supports cookie-based authentication (which involves authentication of Yodlee's requests based on an additional password and registered Yodlee IP addresses) with some of its partners' websites to gather data. There is also a data-feed relationship with some partners. 

MFA Examples 

Security Questions and Answers
 Token ID Authentication
 CAPTCHA Image Authentication