_____________
No. 2-Step Verification is an optional service for any Financial Institutions wishing to enroll.
Personal
Business
Investing
About Us
2-Step Verification – Making Your Online Login More Secure
We are making our online banking more secure by improving the way you log-in to your account. With the upcoming implementation of a 2-step verification process, we will add an extra layer of protection to ensure you are the only person who can access your online banking. Enrollment will be open to Members as of March 21, 2022.
What is 2-step verification?
2-step verification is an enhanced security measure to your online login process which adds an extra layer of security to your account.
After you enter your password, a one-time use verification code will be sent by text message or email to the registered mobile phone number or email address associated with your online banking profile. The code must be entered during your login attempt to access your online account.
What do you need to do?
Members will be required to enroll in 2-step verification in late March 2022. When enrollment opens you will need to do the following:
- Log-in to your online banking account
- Complete the Enable 2-Step Verification enrollment questions
- Enter your email address or mobile phone number to receive your verification code
- Enter the verification code sent to you by text or email to complete the registration
What will change?
Once your mobile phone number and email address have been verified and your online profile has been updated you will no longer need to answer your security questions when you log in to the UCU online or mobile banking platforms.
You will only be asked to enter a verification code when confirmation of your identity is needed, such as when you log in online from an unfamiliar device or log in from a new location.
FAQ
Will 2-Step Verification be mandatory for all financial institutions using MemberDirect (apart from MemberDirect Business Service that is)?
If a Financial Institution subscribes to 2-Step Verification, is enrollment for 2-Step Verification mandatory for all its MemberDirect customers (apart from MemberDirectBusiness Service customers that is)?
If a Financial Institution subscribes to 2-Step Verification, is enrollment for 2-Step Verification mandatory for all its MemberDirect customers (apart from MemberDirect Business Service customers that is)?
How long is the grace period during which MemberDirect customers can defer enrollment in 2-Step Verification?
This is configurable for the individual Financial Institution. Consult with your implementation team for your Financial Institution’s specific grace period duration.
Is the grace period for deferring enrollment in 2-Step Verification the same for individual MemberDirect customers?
Yes. All the Financial Institution’s MemberDirect customers who are required to enroll in 2-Step Verification have the same grace period to complete their enrollment.
When does the grace period begin and end?
The grace period begins when the Financial Institution goes live with 2-Step Verification. The Financial Institution can set a specific date on which the grace period for customer enrollment ends.
If a customer defers enrolling for 2-Step Verification during their first login after the Financial Institution goes live with 2-Step Verification, will they continue to be prompted to enroll at every login until they finally enroll?
Yes. Until they enroll, each time a customer logs in, they will be presented with the enrollment screen.
What happens if the customer fails to log in and enroll for 2-Step Verification during the grace period and the grace period lapses?
The customer will be presented at their next login with the enrollment screen that no longer includes an option to defer enrollment. They must complete enrollment to continue to log in to online or mobile banking.
Will the customer still be required to keep security questions in place on their banking profile?
No. After enrollment in 2-Step Verification, challenge questions and answers are no longer relevant to customer authentications.
Can a customer register for 2-Step Verification via both SMS and email
Yes. During their initial enrollment, a customer can register only one of either a mobile phone number or an email address to receive 2-Step Verification notifications. However, after enrollment, they can update their contact information from the Profiles and Preferences screen options to add the second notification channel.
During enrollment, can the customer register both a mobile phone number and an email address at the same time on the same enrollment screen?
No. Currently, with the enrollment screen, the customer registers either a mobile phone number or an email address, but not both. It is, however, on the roadmap as a planned future enhancement to allow both channels to be registered at the same time during enrollment.
Will duplicate verification code notifications be sent both by SMS and email when customers have both a mobile phone number and an email address registered under 2-Step Verification?
No. During each stepped-up authentication where the customer has multiple notification channels registered, the user will be presented with a Select Verification Method screen where they must select which channel (SMS or email) they wish to be notified through.
Can I register for more than one phone number or email address?
No, not yet. This first implementation of 2-Step Verification is limited, for expediency, to a single mobile phone number and a single email registration. It is on Central 1’s roadmap to extend this feature to allow registration of up to three mobile phone numbers and three email addresses per customer.
Can a customer opt to use 2-Step Verification all the time, and not just when RSA determines that a login is high risk?
Not yet. Currently, the RSA security software alone determines when stepped-up authentication is required. However, it is on Central 1’s roadmap to provide customers with an option to extend stepped-up to all logins.
Will 2-Step Verification be used to authenticate other high-risk activities besides high-risk logins?
Not yet, but it is on Central 1’s roadmap to extend Increased Authentication to other high-risk activities such as changing sensitive data such as bill payee profiles, customer contact information, and Interac e-Transfer® recipient profiles or completing high-risk payments or transfers.
Are there any activities unique to MemberDirect Small Business (MDSB) customers that will be authenticated under 2-Step Verification?
Not yet, but it is on Central 1’s roadmap to review MDSB-unique activities, such as high-risk business transactions, for inclusion in the planned extension of Increased Authentication forauthenticating other activities besides logins
Is there an option for a customer to designate a device as a “trusted” device, exempting logins from that device from stepped-up authentications?
No. Any login assessed as high risk will be subject to stepped-up authentications, regardless of the device being used to log in from. The allowing for exempt trusted devices is currently under consideration as a potential future enhancement to Increased Authentication using 2-Step Verification.
How many attempts does a customer get to verify a verification code?
The default and recommended setting for maximum attempts to validate a verification code is three. This limit DOES NOT APPLY during customer 2-Step Verification enrollment or duringcustomer updates to their 2-Step Verification settings; it only occurs during regular logins when stepped-up authentication occurs.
If a customer’s account is locked out after failing to provide the correct verification code, how can the account be unlocked?
The Financial Institution should follow its existing procedures for authenticating customers who have failed authentication and, once the customer is authenticated, an administrator can unlock the customer’s account using the Unlock option on the Customer Service screen in the secure site MD Authentication Admin application.
Will the pre-defined Alert “Digital banking Account Locked Out – Incorrect response to Security Question” be updated or removed from the system when challenge question and answer is no longer relevant?
Yes, eventually, after all customers have migrated away from challenge questions and answers.
A customer has opted for 2-Step Verification via SMS and has lost their mobile phone. They tried to update their 2-Step Verification settings through digital banking but cannot complete this because the verification code notification is going to the lost phone. What can they do? What will the Financial Institution support people do to assist them?
The Financial Institution will follow its existing procedures for authenticating customers who have failed authentication. Once the customer is authenticated, the Financial Institution canunenroll the customer from Increased Authentication. This is done using the Unenroll option on the Customer Service screen in the secure site MD Authentication Admin application. The customer will thereafter be required to re-enroll for 2-Step Verification at their next login.
What should a customer do if they do not receive the SMS text message or email with the verification code?
After waiting a reasonable amount of time for the notification to arrive, the customer should try re-sending the code using the “send new code” option on the Enter Your Verification Codescreen.
How long should the customer reasonably wait for an SMS text message or email to arrive before reporting it to their Financial Institution?
In most cases, notifications should arrive almost immediately, but a customer should wait several minutes before concluding that a notification is not coming.
How long before a verification code notification expires and is no longer valid?
The verification code is valid for 10 minutes from the time it is generated. If the customer enters and submits after that time, they will receive an error message.
Will enrollment in 2-Step Verification affect any of the customers’ current digital banking configurations or settings?
Yes. Customer configurations or settings related to authenticated logins, such as enabling Touch ID and QuickView on the mobile app and enabling memorized accounts (the “Remember Me” option selected during a login) in digital banking, must all be re-configured by customers after enrollment in 2-Step Verification.
During enrollment, when the 2-Step Verification enrollment screen is displayed to a customer, will that customer’s known mobile phone number and/or email address be pre-populated on the screen?
No, the customer must provide this information from scratch. However, pre-populating this information is an option that is currently under consideration as a possible future enhancement to Increased Authentication using 2-Step Verification.
- log in