With online security on the minds of many credit union executives and the FFIEC guidance deadline for strong online authentication on the horizon, credit unions are looking for solutions that not only satisfy the federal guidance, but also balance security with end-user convenience. Further, as credit unions work through the critical phases of the initial risk assessment process and make decisions based on the outcome of that assessment, they should also start planning an effective strategy for a smooth rollout.

As strong authentication solutions are chosen and implemented, it's important for credit unions to consider best practices that address deployment before, during and after the new security rollout is complete. In turn, this will help ensure a stronger security offering as well as the buy-in and approval of members.

The following recommendations and suggestions are provided based on Corillian's experience implementing and observing the deployment of its strong authentication system at various credit unions in the industry, as well as the company's expertise from building and deploying online banking systems of various types during the past decade.

Before launching the new strong authentication system, there are a number of critical steps to consider for your plan. Ideally, your rollout will include a communication and educational component that reaches your users in advance of the actual system implementation. In addition, the challenges and rules established should be well thought out.

1. Proactively Communicate

The communications campaign around the rollout of your authentication technology should begin well before the actual launch. It is important to involve your members from the beginning. Explain why a stronger security solution, beyond the user name and password, is necessary. Highlight the recent federal authentication requirements as well as the benefits your users will gain from the authentication technology. Your communications should involve your members and incent them to co-own the security process. Member involvement and acceptance of the need prior to deployment will help to ensure a smooth transition for your users.

Include a high-level overview of what users should expect on your Web site. Keep this information simple, brief and concise. For those users who want to know more, include a separate FAQ (frequently asked questions) section. You might consider using screen shots or a video walkthrough of the new system. Be sure your overviews don't divulge any of the secrets of the system, such as the question pool or other critical components.

2. Create Thoughtful Challenge Questions

Selecting a pool of thoughtful and meaningful challenge questions is an important part of a successful implementation. Choose questions that members "know" and avoid questions that require answers that will typically change over time.

Select questions whose answers differ from user to user, and avoid questions with a small, fixed set of possible answers (for example, questions with numerical responses such as a year or an age), since an attacker can simply try every value. You should also include questions whose answers a user and spouse will both know and remember. Ensure that your questions are user-friendly and relevant across cultures and languages. For example, questions regarding middle names and school mascots do not apply to everyone.

Again, involving your members in the question selection process prior to launch will help ensure a smooth deployment. Ask a small segment of your member base for input on your challenge questions before you fully implement your new security technology. This is often accomplished during a limited pilot rollout or similar process.

Finally, it is important to consider the size of your question and answer pool. At enrollment, your members will choose five or six questions. To provide flexibility and answer relevance we recommend a minimum pool size of 25 questions, as the number of questions in the pool generally needs to be four to five times the number of questions that users will have to register.

3. Carefully Define Business Rules

Design your setup and key business rules to ensure your rules consistently support your risk analysis and related tactical control plan. Before launch, consider how you want to handle things such as anonymous proxies, and any countries that should be blocked or always challenged. You also may want to consider issuing a mandatory challenge question if a user has not been challenged for a given period of time, 30 days for example. This approach will remind users that the tool is actively running and the process is working. Most importantly, whatever configuration parameters you arrive at should address the specific needs that you identified in your risk assessment process.

The Launch

1. Testing

It is important to evaluate your authentication technology with one or more test groups prior to launching to the entire member base. Many institutions will first pilot with a group of internal employees and then expand the pilot to include a small group of members. By executing an early test phase, you will have an opportunity to leverage the results of the pilot to refine your communication plan and drive any system fine-tuning efforts. That information can prove quite valuable in checking your assumptions and ensuring a smoother rollout when the time comes for the larger volume of users to be impacted.

2. Implementation

Consider rolling your strong authentication solution out to your user base in phases, rather than all at once. Taking this phased approach can reduce excessive load on your call center. Consider launching your new authentication technology separately from other online banking system releases and upgrades. Too much change at one time can be difficult for members to handle. If you do need to roll out multiple changes in a single release, anticipate the impact on your user base and strike a balance between the amount of change and the expected outcome.

3. Enrollment

During user enrollment in the strong authentication system, consider making sign-up optional at first. For example, you might allow users to enroll at their convenience by letting them skip the enrollment step for some specified period of time, after which enrollment would be required. It's important to set a deadline to ensure your members are all enrolled by a target date. Use friendly Web and e-mail reminders or phone calls to help your members meet your institution's deadline.

Communication needs to be an ongoing priority throughout your roll-out phase. When a user opts to enroll, present a Web page explaining concisely how the process will work. Be sure to underscore the importance of selecting memorable questions and answers since the same responses will be required for access to your Web site. For members wanting more information about this process and why it's necessary, include a link to the FFIEC or NCUA Web site.

Post Rollout

After launch, closely monitor the challenge rate and the top reasons for challenges. Once this assessment is complete, use the data to fine-tune your administrative configuration accordingly. We recommend leveraging your security product vendor for assistance with tuning and future planning.
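The business rules described under "Carefully Define Business Rules" (blocked countries, always-challenge countries, anonymous proxies, a mandatory challenge after 30 days) and the post-rollout monitoring of challenge rate and top challenge reasons can be expressed as a small policy engine. The following is an added illustration written for this article, not Corillian's product or any credit union's configuration. The country codes "XX" and "YY", the "unrecognized device" trigger, and the eight login events are constructed placeholders; a real deployment would take these values from its own risk assessment.

```python
"""Risk-based challenge policy plus post-rollout tuning metrics (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Business rules chosen from the risk assessment (values here are placeholders)."""
    blocked_countries: frozenset = frozenset({"XX"})            # hypothetical code
    always_challenge_countries: frozenset = frozenset({"YY"})   # hypothetical code
    challenge_anonymous_proxy: bool = True
    max_days_without_challenge: int = 30                        # the article's 30-day reminder


@dataclass(frozen=True)
class LoginEvent:
    member_id: str
    country: str
    anonymous_proxy: bool
    known_device: bool               # assumption: the system recognizes enrolled devices
    last_challenge: Optional[date]   # None means never challenged since enrollment
    login_date: date


def evaluate(policy: Policy, event: LoginEvent) -> Tuple[str, str]:
    """Apply the rules in precedence order; return (decision, reason).

    decision is one of "block", "challenge" or "allow".  The reason string is what
    the post-rollout report aggregates into "top reasons for challenges".
    """
    if event.country in policy.blocked_countries:
        return "block", "blocked_country"
    if policy.challenge_anonymous_proxy and event.anonymous_proxy:
        return "challenge", "anonymous_proxy"
    if event.country in policy.always_challenge_countries:
        return "challenge", "always_challenge_country"
    if not event.known_device:
        return "challenge", "unrecognized_device"
    days = (None if event.last_challenge is None
            else (event.login_date - event.last_challenge).days)
    if days is None or days >= policy.max_days_without_challenge:
        return "challenge", "periodic_reminder"
    return "allow", "trusted"


def challenge_report(policy: Policy, events: List[LoginEvent]) -> dict:
    """Post-rollout metrics: challenge rate and challenge reasons, most frequent first."""
    decisions = [evaluate(policy, e) for e in events]
    reasons = Counter(reason for decision, reason in decisions if decision == "challenge")
    challenged = sum(reasons.values())
    blocked = sum(1 for decision, _ in decisions if decision == "block")
    return {
        "events": len(events),
        "challenged": challenged,
        "blocked": blocked,
        "challenge_rate": challenged / len(events) if events else 0.0,
        "top_reasons": reasons.most_common(),
    }


DEFAULT_POLICY = Policy()


def sample_events() -> List[LoginEvent]:
    """Constructed login events for one day; not real member data."""
    today = date(2007, 1, 15)
    return [
        LoginEvent("m1", "US", False, True, date(2007, 1, 10), today),   # allow
        LoginEvent("m2", "US", True, True, date(2007, 1, 10), today),    # anonymous proxy
        LoginEvent("m3", "XX", False, True, date(2007, 1, 10), today),   # blocked country
        LoginEvent("m4", "US", False, True, date(2006, 12, 1), today),   # 45 days, reminder
        LoginEvent("m5", "US", False, False, date(2007, 1, 10), today),  # new device
        LoginEvent("m6", "YY", False, True, date(2007, 1, 10), today),   # always challenge
        LoginEvent("m7", "US", False, True, None, today),                # never challenged
        LoginEvent("m8", "US", False, True, date(2007, 1, 1), today),    # 14 days, allow
    ]


if __name__ == "__main__":
    for event in sample_events():
        print(event.member_id, *evaluate(DEFAULT_POLICY, event))
    print(challenge_report(DEFAULT_POLICY, sample_events()))
```

The rule order matters: a blocked country wins over everything else, and the periodic reminder is checked last so that it only fires on logins that no stronger signal already challenged. When the report shows the reminder dominating the challenge reasons, lengthening `max_days_without_challenge` is the tuning knob; when anonymous proxies dominate, the call-center impact of that rule is what to revisit.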

Following these best practices can help ensure successful deployment of your strong authentication technology and, most importantly, the acceptance of your member base.

© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.