Password tab

The password tab contains the security measures the bank has in place for their customer usage of the site. Options include lockout provisions, password expiration, password history, and password reset capability.

Note: Where "days" is a criterion, a day refers to a calendar day.

• Reject External Account After Invalid Verification Attempts (1-10): This field controls how many times users are allowed to enter invalid values during external account verification before the account is rejected. The field is limited to values between 1 and 10; the default value is three. This field is required. This field is only displayed when External Transfers are enabled.
• Lockout User after Invalid Password Attempts (1-10): Default Value=5. If five login attempts fail, the user will be locked out. The customer will not be able to login for a prescribed period. (Refer to Minutes to Lockout for details on the length of user lockout.) According to bank’s procedures, the numeric value in this field ranges from 1-10. Zero is invalid. 1 allows one attempt only, whereas 10 will allow 10 attempts.

  Note: You can make a change to this setting at any time. However, the change will not be in effect until your scheduled Import Time.

  If customers attempt to login with the same invalid password multiple times, it will not count against the threshold.

• Expire Password (0-Never; 1-999 days): Default Value=0. This numeric field defines the number of days before the customer is required to change their password. The default is zero, allowing a password requiring no periodic change. Values of 1-999 require the password change by the customer in that successive periodic time.
• Expire Password Cash Mgmt (0-Never; 1-999 days): Default Value =0. This numeric field defines the number of days before the customer is required to change their password if using Cash Management. The default is zero, allowing a password requiring no periodic change. Values of 1-999 require the password change by the customer in that successive periodic time.

  Note: When a customer has cash management enabled, they are considered a "cash management user" and this password alone is considered for their successful login.

• Expire Password Admin (0-Never; 1-999 days): Default Value =0. This numeric field defines the number of days before the administrator is required to change their password. The default is zero, allowing a password requiring no periodic change. Values of 1-999 require the password change by the customer in that successive periodic time.
• Days Before Disable/Delete Email (1-999 days: 0-Never): An email notification will be sent to the customer the number of calendar days selected prior to automatic disabling or deletion of an account.
• Disable Inactive Customers (0-Never; 1-999 days): Default Value=0. The numeric value entered is the total of consecutive days of inactivity that will cause the customer to become disabled (not deleted, just locked). Valid values are zero for no requirements of activity, and 1-999 indicating the bank’s policies.
• Delete Inactive Customers (1-999 days; 0-Never): Default Value=0. The numeric value entered is the total of consecutive days of inactivity that will cause the customer to become deleted. Valid values are zero for no requirements of activity, and 1-999 indicating the bank’s policies.
• Customer Password History (0-12 passwords): The numeric field indicates the number of previously used passwords for each customer that the system will store. This prevents the customer from reusing previous passwords. Valid values are 0-12. The default Value is zero, indicating the customer may reuse previous passwords, thus never actually changing the password. A value of 1-12 indicates bank’s policies on password retention. The passwords drop off as the number of stored equals this setting.
• Cash Mgmt Password History (0-12 passwords): The numeric field indicates the number of previously used passwords for each Cash Management customer that the system will store. This prevents the customer from reusing previous passwords. Valid values are 0-12. The default Value is zero, indicating the customer may reuse previous passwords, thus never actually changing the password. A value of 1-12 indicates bank’s policies on password retention. The passwords drop off as the number of stored equals this setting.
• Admin Password History (0-12 passwords): The numeric field indicates the number of previously used passwords for the admin that the system will store. This prevents the admin from reusing previous passwords. Valid values are 0-12. The default Value is zero, indicating the admin may reuse previous passwords, thus never actually changing the password. A value of 1-12 indicates bank’s policies on password retention. The passwords drop off as the number of stored equals this setting.
• Require Complex Passwords: Default value is True (or check box is checked). The password convention allows for two styles: simple or complex. The setting indicates the type of password customers are required to use.
  • Simple – requires minimum of 6 characters in length, containing at least one alpha and one numeric character. Setting for simple password is False or not checked.
  • Complex – requires minimum of 8 characters, containing at least one alpha, at least one upper case and one lower case, one numeric and at least one special character (!@#$%^&*). Setting for complex is True or checked.
• Show Forgot User Name Link: If the customer has forgotten their user name, selecting the Forgot user name link directs them to the process to retrieve that information by first entering the email address associated with the user name. The customer will only be able to complete this process if there is only one instance of their e-mail address in the system. If the e-mail address entered is not unique, the customer will receive a message letting them to know to contact the bank. Default Value= True (check box is checked).

  

• Show Forgot Password Link: If the customer has forgotten his password, clicking this link directs them to the process of resetting their password. After entering their user name, they will answer a security question. An email is then sent to the address on file containing a link. This link, when paired with the user name, allows the customer to enter a new password, effectively changing their password. Default Value = True (check box is checked).
• Prevent Auto-Fill for Username/Security Answer: When selected, this option will prevent browsers from retaining and auto-populating values for Digital Banking Username and Security Questions.
• Require Login from Bank Website: Default Value=False (check box unchecked) When this field is enabled, the customer will have to access their online banking site from the bank’s website. Otherwise, the customer accesses the Digital Banking site from its independent URL address.
• Keep Users with Account Related Alerts: When enabled, users will not be disabled or deleted based on days since their last login if they have account related alerts. When disabled, users will be disabled or deleted based on the number of days since their last login as the system always has. Please note: Days since last login applies to the latest login date from the following options; Last Login, Last Mobile Login, Last Text Banking Login.
• Keep Users with Scheduled Activity: When enabled, users with scheduled transfers, loan payments, wires, and/or ACH batches will not be disabled or deleted due to inactivity. Users who have scheduled activity will not be deleted or disabled due to inactivity if this new option is enabled for the bank. Users who have no scheduled activity will still be deleted or disabled as needed.
• Sync iPay with User Status: This switch will determine when to show the user’s Bill Pay Service Status under Customer Edit. If the switch is off it will show the status as Unknown. If it is on it will either show Active or Inactive depending on the status from the iPay Master site.
• Remember Device: This field will determine if the Security process for logging in will be shortened if the same device is used. The default value is IP-Based Cookie.
  • IP-Based Cookie – After choosing to Register this computer and answering the security question or code screen correctly once, users will not have to go through the security verification process when logging in, if they log in from the same device with the same IP address.
  • Cookie – After registering the device used to access Digital Banking, the device will be recognized for any IP address, and security questions will only display if the device has not been registered.
  • Disabled – This will disable the option and no devices will be able to be registered. Users will have to go through the security verification process every time.
  • Device Fingerprint - When the Device Fingerprint option is set as the Remember Device setting, the system will use specific information from the user’s browser and PC to create a unique device fingerprint. This device fingerprint is then logged if the user marks the “Remember this device” checkbox on the security question screen of the login process. The system will identify any new device and will remember the device until the device reaches its expiration date/time. Users will not be prompted with a security question when the system recognizes that they are logging in from a device that has been identified and has not expired. Users who use OOBA will not be prompted with the OOBA prompt when logging in from a device that has been identified and has not expired.

    The expiration date/time is based off of the “Days Till Security Cookie Expiration” field on the Security >> Password tab.

    Please note that the preceding statements regarding device fingerprints and the system remembering these fingerprints only apply if the bank is using the Device Fingerprint option and if the user marks the “Remember this device” checkbox during the login process.

    If the system notices differences in a device fingerprint, it will prompt the user with a security question or out-of-band authentication and will remember the new device fingerprint if the user marks the “Remember this device” checkbox during login.

    The system will also prompt the user with a security question or out-of-band authentication if the system does not recognize the device fingerprint being used during the login process. Users can chose to mark the “Remember this device” option to record that device’s fingerprint if they choose to do so since the system can store multiple devices for each user.

• Minutes to Lockout (0-999): When the customer has entered his password incorrectly for the prescribed number of times (Lockout User after Invalid Password Attempts) the system locks him out and he will not be able to attempt again at this time. This setting indicates the number of minutes the system has him locked out. After that amount of time, he will automatically be unlocked and able to attempt a login again. Valid entries are 0 (stay locked until the bank admin intervenes) and 1-999, number of minutes. Default Value=30.
• Minutes Until Session Expires (0-999): The numeric value is the number of minutes the customer must be idle before the session automatically times out and they must log back in. Valid entries are 0 (session will not expire) and 1-999, number of minutes. Default Value=30.
• Minutes Until Tab Authorization Times Out: This will cause a tab to prompt for a new Authenticator code after the set amount of time has elapsed.
• Days Until Security Cookie Expiration (1-365 days): When the customer logs in and wishes to register his device, a security cookie is placed on his computer. The cookie prevents the need for security questions each time they access the system. This numeric value is the number of days the security cookie is valid. After that time, the device is required to be registered again. Valid entries are 1-365, number of days. Default Value=1.
• Days Until Setup Key Expiration (0-999): During the initial bank setup, the customers receive an email with a link to the site, where they may register and login. This value is the number of days the link is valid. After expiration, the link will no longer allow the customer access to complete the initial setup and new link generated is required. Valid entries are 0 (no expiration) and 1-999, number of days. Default Value=1.
• Days Until Forgot User name Key Expiration (0-999): When the customer accesses the link for a forgotten user name, the link provided reveals the user name. This value is the number of days the link is valid. After expiration, the link will no longer reveal their username. Valid entries are 0 (no expiration) and 1-999, number of days. Default Value=1.
• Days Until Reset Password Key Expiration (0-999): When the customer chooses the forgot password link, an email is generated with a link redirecting him to reset his password. This value is the number of days the link is valid. After expiration, the link will no longer work for resetting the password. Valid entries are 0 (no expiration) and 1-999, number of days. Default Value=1.
• Days Until P2P Setup Key Expiration:
• Password Breach Check Threshold: The number of times a user's password can appear on the compromised list before they are prompted to change it. By default, the threshold is set to 100, but it can be changed. If the field is left blank, the threshold will be saved as "1." The Change Password prompt begins displaying for a user the first time the threshold is met or exceeded.
• User Deferred Force Password Change: Checking this box gives the user the ability to bypass the Change Password prompt and log into Digital Banking by clicking on the "Continue Without Changing Password" link. The user will continue to receive the prompt each time they log into Digital Banking until the password is changed. When this box is not checked, the user will be required to change their password the first time the prompt is presented before they can log into Digital Banking.

19438