Overview
Multifactor authentication (MFA) verifies the identity of a financial institution's customers through more than one step when they log in to their accounts online. It is called multifactor authentication because the login consists of two or more forms of authentication. Single-factor authentication relies on the username and password alone; in multifactor authentication the consumer also provides additional proof of identity, such as answers to security questions or a dynamically generated value.
Financial institutions have implemented one form or another of multifactor authentication to comply with the Federal Financial Institutions Examination Council (FFIEC) guidance on authentication for online banking.
As financial institutions implement MFA, logging in to their websites automatically becomes more difficult. Yodlee has addressed these challenges with a specific approach for each MFA type, and the number of MFA-protected websites supported by Yodlee has been growing steadily.
The MFA Challenge
- Security questions and answers – The website asks the consumer to choose and answer a fixed number of questions during registration, and expects answers to one or a limited number of those questions at every login attempt.
- Token ID – The website expects the consumer to provide the digits generated in real time by a device in the consumer's possession.
- Dynamic information – The website can ask for specific account information, such as the current balance.
- CAPTCHA image – CAPTCHA is an automated test aimed at distinguishing humans from computers online. The website can expect the consumer to recognize and type a distorted word from an image displayed against a cluttered background.
- Out-of-band authentication – Two separate channels are used to authenticate the consumer. A new access code, a One-Time Access Code (OTAC), is sent to the consumer for that transaction through a phone call or SMS and must be entered on the website.
MFA support by Yodlee
Yodlee supports the login forms listed below. The first group is used by most financial institutions:
- Simple authentication – login form that contains a user ID and password.
- Complex authentication – login form that includes one or more of the following:
  - Additional fields (mandatory or optional)
  - Multiple fields in a single row, for example, three text fields for DD, MM and YYYY
  - Field(s) in a single row along with a constant value that prefixes or suffixes the text field
  - OR condition, for example, username or account number
  - Consumer can choose questions or answers from a drop-down list
- Additional authentication – login form with a challenge question, token or CAPTCHA
- Multi-level – login form that includes a combination of:
  - Multiple challenge questions
  - Image and a challenge question
  - Image keypad and a challenge question
  - OTP and a challenge question
The following login forms are supported by only a few financial institutions, mostly smaller banks or credit unions:
- One-time password (OTP) – the consumer can choose to receive the OTP by email, SMS or phone; in a second variant the consumer receives the OTP by email only.
- Grid based – the consumer is prompted to provide specific cell values from a grid of randomly generated characters.
- Image answer – challenge question whose possible answers are images.
- Symmetric keypad – the consumer has to click specific keys on a keypad image.
- Card reader – the consumer has to enter his or her card number, or part of it, along with a token number generated by the card reader.
Other Mechanisms to Support MFA
For certain FIs, Yodlee supports MFA-protected accounts on the back end through its relationships with those institutions. Rather than scraping the data from the online banking site on the consumer's behalf, Yodlee receives the data from the FI through other, confidential mechanisms. The FI's MFA remains in place for consumers when they visit the online banking site directly.
Supported MFA Sites Statistics
Yodlee counts sites in terms of sum_infos (content services). A sum_info is unique to each type of service an FI provides, such as banking, credit cards or loans, so one FI site can have several sum_infos associated with it.
Supported MFA Types
- Security questions and answers
  - Yodlee offers a mechanism for the user to provide answers during an instant refresh.
  - Yodlee stores the questions and answers provided by the user and uses them for the nightly cache refresh and subsequent logins.
  - Yodlee provides APIs that allow the user to edit the stored answers.
- Token ID
  - Yodlee supports consumer-initiated refreshes (instant refreshes) by asking the consumer to enter the code when they request an account update.
  - Yodlee cannot initiate a cache refresh for Token ID sites because the code requires user input.
- CAPTCHA image
  - Yodlee retrieves the image from the website and presents it in its application so the consumer can type the code when they initiate an account refresh.
  - Yodlee cannot initiate a cache refresh for CAPTCHA sites because the code requires user input.
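The two behaviours described on this page, assembling a complex login form (split rows, constant prefix/suffix, OR conditions, optional fields) and deciding which MFA challenges can be answered from stored data during a nightly cache refresh versus only with the consumer present, are shown together in the following added example. It is illustrative code written for this page, not Yodlee's implementation; the class names, field shapes, challenge kinds and sample credentials are all assumptions.

```python
"""Added example (not Yodlee code): how an aggregator fills a complex login form
and which MFA challenges it can answer unattended. Names and data are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Challenge kinds from the page. Token codes and CAPTCHA solutions are single
# use and are never stored; security-question answers may be stored and replayed.
SECURITY_QUESTION = "security_question"
TOKEN_ID = "token_id"
CAPTCHA = "captcha"
REPLAYABLE = {SECURITY_QUESTION}


@dataclass
class FormField:
    """One row of a login form (assumed shape covering the 'complex' cases)."""
    name: str
    parts: Tuple[str, ...] = ()          # several inputs in one row, e.g. DD, MM, YYYY
    prefix: str = ""                     # constant the site shows before the input
    suffix: str = ""                     # constant the site shows after the input
    alternatives: Tuple[str, ...] = ()   # OR condition: any one of these will do
    required: bool = True


@dataclass
class Challenge:
    kind: str
    prompt: str                          # question text, or an image id for CAPTCHA
    choices: Tuple[str, ...] = ()        # drop-down answers, when the site offers them


@dataclass
class Profile:
    """What the aggregator holds for one consumer (encrypt this at rest)."""
    credentials: Dict[str, str]
    answers: Dict[str, str] = field(default_factory=dict)   # question -> answer


class NeedsConsumer(Exception):
    """The challenge cannot be completed without live input from the consumer."""


def build_submission(fields: List[FormField], creds: Dict[str, str]) -> Dict[str, str]:
    """Map stored credentials onto the form. Split rows are joined in order,
    constants are applied, optional fields without data are skipped, and a
    missing required field raises KeyError rather than posting a half-filled form."""
    out: Dict[str, str] = {}
    for f in fields:
        if f.parts:
            missing = [p for p in f.parts if p not in creds]
            if missing:
                if f.required:
                    raise KeyError(f"{f.name}: missing {missing}")
                continue
            out[f.name] = "".join(creds[p] for p in f.parts)
            continue
        names = (f.name,) + f.alternatives
        value = next((creds[n] for n in names if n in creds), None)
        if value is None:
            if f.required:
                raise KeyError(f"no value for any of {names}")
            continue
        out[f.name] = f"{f.prefix}{value}{f.suffix}"
    return out


def answer_challenge(ch: Challenge, profile: Profile, live: Optional[str] = None) -> str:
    """Return the value to submit for one challenge, or raise NeedsConsumer."""
    if ch.kind == SECURITY_QUESTION:
        stored = profile.answers.get(ch.prompt)
        # A stored answer is only usable if it is still one of the offered choices.
        if stored is not None and (not ch.choices or stored in ch.choices):
            return stored
        if live is None:
            raise NeedsConsumer(f"no usable stored answer for {ch.prompt!r}")
        profile.answers[ch.prompt] = live      # keep it for the next cache refresh
        return live
    if ch.kind in (TOKEN_ID, CAPTCHA):
        if live is None:
            raise NeedsConsumer(f"{ch.kind} needs fresh input from the consumer")
        return live                            # single use: deliberately not stored
    raise ValueError(f"unknown challenge kind {ch.kind!r}")


def refresh(challenges: List[Challenge], profile: Profile,
            live_inputs: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Run the MFA step of a refresh. A nightly cache refresh passes no
    live_inputs; an instant refresh passes what the consumer just typed."""
    live_inputs = live_inputs or {}
    submitted: Dict[str, str] = {}
    for ch in challenges:
        try:
            submitted[ch.prompt] = answer_challenge(ch, profile, live_inputs.get(ch.prompt))
        except NeedsConsumer as exc:
            return {"status": "needs_consumer", "reason": str(exc), "submitted": submitted}
    return {"status": "ok", "submitted": submitted}


def can_cache_refresh(challenges: List[Challenge]) -> bool:
    """True only if every challenge on the site can be replayed from storage."""
    return all(ch.kind in REPLAYABLE for ch in challenges)
```

The design point is the asymmetry between the challenge kinds: a security-question answer is retained only because the consumer typed it once and agreed to have it replayed, while a token code or CAPTCHA solution is returned to the caller and discarded, so a `can_cache_refresh` check on a Token ID or CAPTCHA site is always false and the scheduler must not even attempt the nightly login. The `choices` check covers the drop-down variant, where a previously stored free-text answer may no longer match the options the site now offers.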
MFA Examples
- Security questions and answers
- Token ID Authentication
- CAPTCHA Image Authentication