General Login Process
On the main login screen, the customer will be asked to enter a username.
If the username entered is valid, the user is asked a random question from the list of three security questions. The same security question is asked on each login attempt until it is answered correctly. If the user answers incorrectly a certain number of times (set by the financial institution), the account is locked out. On this screen, the user has the option of having the PC remembered for a certain number of days (set by the financial institution), during which no security question will be asked again.
If the username entered is invalid, the user is asked a random question from the application’s full list of security questions. The security question may or may not be one associated with the user’s valid username. No matter what security answer is entered, the system returns the error "Invalid answer for this user." To protect against username enumeration, the system never indicates that only the username is invalid.
If the security question is answered correctly, the user is directed to the password entry screen. This screen displays the personalized greeting and the security image, assuring the user that they are about to enter their password into the correct site and not an impostor. If the user answers incorrectly a certain number of times (set by the financial institution), the account is locked out.
If the password is entered correctly, the user is logged in.
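The question-selection and answer-checking steps above, as an added Python example that is not the application's own code. The HMAC-derived decoy question (so an unknown username is asked the same question on every attempt, as a known one is), the attempt limit of 3, the identical message for locked accounts, and all names and sample data are assumptions.

```python
import hashlib
import hmac
import secrets

GENERIC_ERROR = "Invalid answer for this user."
MAX_ATTEMPTS = 3                      # assumed; set by the financial institution
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret

# Constructed sample data. Answers are plaintext only to keep the example short.
ALL_QUESTIONS = ["First pet's name?", "City of birth?", "First school?",
                 "Mother's maiden name?", "Favourite teacher?"]
USERS = {"alice": {"answers": {0: "rex", 2: "oakfield", 4: "ms. lee"},
                   "pending": None, "failures": 0, "locked": False}}


def _decoy_index(username):
    """Stable pseudo-random question for a username that does not exist."""
    digest = hmac.new(SERVER_KEY, username.lower().encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % len(ALL_QUESTIONS)


def challenge(username):
    """Return the index of the question to ask; same shape for any username."""
    user = USERS.get(username.lower())
    if user is None:
        return _decoy_index(username)
    if user["pending"] is None:  # keep asking the same one until answered correctly
        user["pending"] = secrets.choice(sorted(user["answers"]))
    return user["pending"]


def check_answer(username, answer):
    """Return (ok, message). Every failure yields the one generic message."""
    user = USERS.get(username.lower())
    if user is None:
        # Do a comparison anyway so the unknown-user path performs similar work.
        hmac.compare_digest(answer.encode(), b"decoy")
        return False, GENERIC_ERROR
    if user["locked"]:  # assumed: locked accounts see the same message
        return False, GENERIC_ERROR
    expected = user["answers"][challenge(username)]
    if hmac.compare_digest(answer.strip().lower().encode(), expected.encode()):
        user["pending"], user["failures"] = None, 0
        return True, "proceed to password entry"
    user["failures"] += 1
    user["locked"] = user["failures"] >= MAX_ATTEMPTS
    return False, GENERIC_ERROR
```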