Calyx Software Message Board
Dual Factor Authentication
Posted 5/24/2007 11:58:57 AM
Forum Newbie

Do you have any sort of dual-factor authentication inside of WebCaster?  This would require users who create a partial application and save it to use a second form of authentication to log in when they come back.  I work for a bank that uses one of your competitor's products for online mortgage applications (which we then download into Point), and the OCC said that we need dual-factor authentication for it since a mortgage application holds so much confidential information.  Your competitor said they have gotten the request from other banks but have yet to implement it.

If you don't have this already, do you have any plans to do so?

Please let me know.

Thanks, Scott

Post #5217
Posted 5/24/2007 12:57:48 PM


Sepal

Would CardSpace or OpenID work for this?  Is there a specific law that requires the dual-factor authentication or just a company policy?

Disclaimer:  This post carries no explicit or implied warranty. Nor is there any guarantee that the information contained in this post is accurate. It is offered in the hopes of helping others, but you use it at your own risk. The author will not be liable for any damages that occur as a result of using this post.
Post #5220
Posted 5/24/2007 1:27:26 PM
Forum Newbie

Here's an article on the mandate: http://www.banktech.com/showArticle.jhtml?articleID=172302371  And here's the actual guidance by the FFIEC:  http://www.ffiec.gov/pdf/authentication_guidance.pdf

As part of this guidance, banks were instructed to conduct a risk assessment on all electronic delivery channels, so this included our current online mortgage application.  Since it contains so much confidential data (account numbers, SSN, etc.), we (and the OCC) determined that it was a risk that we need to resolve.

You have no doubt seen multi-factor authentication implemented by online banking sites in the past 6 months.  Most sites (including us) have gone with one of two methods: (1) having the user set up a few challenge/response questions and if the user logs in from a different IP address or computer than normal, he is prompted to answer the questions before he can log in or (2) having the user select a picture that they are instructed to ensure is there before logging in.

I talked with MortgageBot and instead of doing something like 1 or 2 above, they simply mask all account numbers and SSN numbers with asterisks after the user has input them.  Therefore, if the login information is compromised, it wouldn't do the perpetrator any good.

OpenID or CardSpace may work, but I don't think they are very prevalent yet, so they wouldn't be too useful to most users.  Plus, I think one of the other options I mentioned above would be easier to implement anyway.

Thoughts?

Post #5225
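
Method (1) from the post above (challenge questions when a login comes from an unfamiliar IP address or computer) together with the masking approach it mentions, as an added example that is not part of the original thread and is not WebCaster or MortgageBot code. The field names, the `device_id` value and the return strings are assumptions, and the sample data is constructed.

```python
import hashlib, hmac, os, re

SENSITIVE = {"ssn", "account_number"}   # assumed field names

def _digest(answer, salt):
    # Normalise case and spacing, then stretch so stored answers are not plaintext.
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)

class Account:
    def __init__(self, challenges):
        self.salt = os.urandom(16)
        self.answers = {q: _digest(a, self.salt) for q, a in challenges.items()}
        self.known = set()   # (ip, device_id) pairs that have completed a login

def login(acct, password_ok, ip, device_id, responses=None):
    """Return "ok", "challenge" (ask the questions) or "denied"."""
    if not password_ok:
        return "denied"
    if (ip, device_id) not in acct.known:      # different IP or computer than normal
        if responses is None:
            return "challenge"
        ok = bool(acct.answers)                # no enrolled questions: fail closed
        for question, stored in acct.answers.items():
            given = _digest(responses.get(question, ""), acct.salt)
            ok = hmac.compare_digest(given, stored) and ok   # check every answer
        if not ok:
            return "denied"
        acct.known.add((ip, device_id))
    return "ok"

def redisplay(application):
    """Copy of a saved partial application with sensitive digits masked."""
    return {k: re.sub(r"\d", "*", v) if k in SENSITIVE else v
            for k, v in application.items()}

if __name__ == "__main__":
    acct = Account({"First pet?": "Rex"})      # constructed sample data
    print(login(acct, True, "203.0.113.7", "dev-A"))
    print(login(acct, True, "203.0.113.7", "dev-A", {"First pet?": " rex "}))
    print(redisplay({"name": "Pat Doe", "ssn": "123-45-6789"}))
```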
Posted 5/24/2007 2:07:52 PM


Sepal

We'll have to see what the webcaster team thinks.

Post #5226
Posted 5/24/2007 2:23:48 PM
Forum Newbie

If you could let me know what comes of it, that would be great.  We are contemplating switching to a new vendor since our current one is too slow in getting it implemented.
Post #5227
Posted 5/24/2007 2:31:01 PM


Sepal

It is something that is a little too far off for me to provide any concrete information.  But I will pass along +1 vote for Dual Factor Authentication.

Post #5228