Authentication Workflows

February 1st, 2008

► Multiple MFA workflows

BetterMFA supports multiple authentication models. Out of the box, it supports the following authentication workflows:

  1. Basic - just username and password
  2. Challenge - username, password, challenge questions, device signatures, personal phrases
  3. OTP via email - username, password, plus a one-time password (OTP) delivered via email
  4. OTP via SMS - username, password, plus a one-time password (OTP) delivered via SMS
  5. OTP via Token - username, password, plus a one-time password (OTP) from a hardware token
  6. OTP via Soft Token - username, password, plus a one-time password (OTP) from a software token
  7. OTP via IM - username, password, plus a one-time password (OTP) delivered via instant message

► Here’s how it works

You (the financial institution) decide what the default MFA authentication workflow will be for your users. We anticipate most will choose the Challenge workflow, as it is most likely what you are used to. You then decide which additional authentication workflows you want to allow your members to self-select, from no options to all options.

For example, to operate like Bank of America ™ (as of 1/2008), you would make the Challenge workflow the default and the OTP via SMS workflow an optional self-select upgrade for consumers.

As another example, to operate like ETrade ™ (as of 1/2008), you would make Basic or Challenge the default workflow and then allow consumers to self-select into the OTP via Token workflow. By all accounts, ETrade has seen tremendous response to its optional hardware token security.

ETrade offers (but doesn’t require) a free hardware token if a customer has over a certain amount of assets with the company. If a user has less than the threshold amount, ETrade offers (but does not force) a hardware token for a modest fee to cover the expense. The end result is better security and happier users, since they have a choice. In ETrade’s experience, many users choose the tokens.

► Why so many choices?

We have been asked by several people, “Why so many authentication workflows? Can’t you just recommend one?” Sure, we can make a recommendation: make the Challenge workflow the default, and allow users to self-select up to the OTP via SMS or OTP via Token workflows. But this is just a recommendation. After all, we don’t know what your financial institution’s key demographics are (Gen Y, retired folks, tech savvy or not).

We think the best approach is to focus on a strong, flexible solution, provide some great out-of-the-box MFA workflows, and foster a community of security and industry professionals to collaborate on the future of BetterMFA. Again, why would we know more than an entire community of IT professionals who use these solutions every day?

► A word on hardware tokens

We often hear people say that “consumers don’t want a pocket full of tokens”.

You know what? We agree completely. Consumers do not want to be forced into something like a hardware token. But giving them a choice is completely different.

Most consumers have 3 or 4 financial institutions. Typically, one is their “PFI” (primary financial institution), and that is often where most of their money is. Given a choice, a consumer may very well want the enhanced security of a hardware token for their PFI, and at the very least would appreciate being given the choice and opportunity for this security upgrade.

► Aren’t hardware tokens expensive and difficult to manage?

They can be. Typically there is the cost of the individual tokens (which has come down over the past couple of years). Then there is the cost and complexity of a token management software solution; this software is where the real cost often lies.

BetterMFA has addressed this by including built-in token management for OATH-based HOTP tokens. That’s right: you do not even need another server or expensive software package; it’s all baked right into BetterMFA. All you need are the tokens.
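To show what the server side of OATH HOTP token management involves, here is an added example (not BetterMFA’s own code): it computes HOTP values as specified in RFC 4226 and keeps per-token state with a look-ahead window, so a token whose button was pressed a few times without logging in still resynchronises, while any code already used, or behind the window, is rejected. The `HotpToken` class, its field names and the look-ahead size are assumptions for illustration; the secret is the RFC 4226 reference secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an OATH HOTP value (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class HotpToken:
    """Server-side record for one enrolled token (hypothetical, not BetterMFA's
    own data model): the shared secret and the next counter the server expects."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 10):
        self.secret = secret
        self.counter = counter        # next counter value the server will accept
        self.look_ahead = look_ahead  # how far ahead the server will resync

    def verify(self, code: str) -> bool:
        """Accept `code` if it matches any counter in [counter, counter + look_ahead).
        On success the stored counter jumps past the matched value, so the same
        code can never be replayed and codes behind the window are rejected."""
        if not (code.isascii() and code.isdigit() and len(code) == 6):
            return False
        for i in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, i), code):
                self.counter = i + 1
                return True
        return False


# Constructed demo using the RFC 4226 reference secret "12345678901234567890".
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token = HotpToken(RFC4226_SECRET)
    print(token.verify("755224"))  # counter 0: accepted, server now expects 1
    print(token.verify("755224"))  # same code again (replay): rejected
    print(token.verify("359152"))  # counter 2 (one press went unused): accepted, resyncs to 3
    print(token.verify("287082"))  # counter 1, now behind the window: rejected
```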