When an IDMS login is created or a password is updated for an Institution Admin user, we require a strong password of at least 8 characters that contains numbers as well as lower- and uppercase letters. We do not store the actual passwords; we store only one-way password hashes, from which the password cannot be recovered. If an IDMS Admin user enters an incorrect account password on multiple attempts, the account is temporarily locked to slow down brute-force attacks. To further protect account access, two-factor authentication is available and can be turned on in the institution's account settings. Whenever an email change, password change, or similar sensitive account change occurs, the user is notified so that they can respond quickly if their account is under attack.
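As an added illustration (not IDMS code), the following Python sketch shows how the three controls above fit together: the password policy check, one-way hashing of the password before storage, and a temporary lockout after repeated failures. The hash function (scrypt from the standard library) and the per-user random salt are assumptions, since the page does not say how passwords are hashed; the lockout threshold (5 attempts) and duration (15 minutes) are placeholders, since the page says only "multiple attempts" and "temporarily".

```python
import hashlib
import hmac
import os
import string
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Password policy stated on the page: 8+ characters with digits, lowercase and uppercase letters.
MIN_LENGTH = 8

# Lockout parameters are assumptions: the page says only "multiple attempts" and "temporarily".
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def password_meets_policy(password: str) -> bool:
    """Return True if the password satisfies the length and character-class rules."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in string.digits for c in password)
        and any(c in string.ascii_lowercase for c in password)
        and any(c in string.ascii_uppercase for c in password)
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way hash of the password with a random per-user salt (assumed: scrypt, 16-byte salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


@dataclass
class AdminAccount:
    salt: bytes
    digest: bytes               # only the hash is stored, never the password
    failed_attempts: int = 0
    locked_until: float = 0.0   # Unix timestamp; 0 means not locked


def create_account(password: str) -> AdminAccount:
    """Enforce the policy at login creation / password update, then store only the hash."""
    if not password_meets_policy(password):
        raise ValueError("password must be 8+ characters with digits, lower- and uppercase letters")
    salt, digest = hash_password(password)
    return AdminAccount(salt=salt, digest=digest)


def verify_login(account: AdminAccount, password: str, now: Optional[float] = None) -> str:
    """Return "ok", "bad_password" or "locked"; the lockout is checked before any hashing."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"             # no hash computed, so a locked account gives no oracle on the password
    _, candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.digest):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.failed_attempts = 0
        account.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "bad_password"
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so timing does not leak how many bytes of the hash matched, and the lockout check runs before the hash so that a locked account returns the same answer whether or not the guess was right. Note that a lockout on its own lets an attacker who knows an admin's username lock that admin out on purpose; the notifications and optional two-factor authentication described above are what keep that from escalating into a takeover.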
When an app user registers in the mobile app, we do not ask for a password. Instead, we authenticate the user with a one-time password sent to their email address. After registration, the user can add a locally stored PIN code for added security. When adding a card, an app user can authenticate in either of two ways: with a unique identifier plus a security question, or with SSO.
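As an added example (not code from the IDMS app or its backend), here is the server side of the passwordless registration flow above in Python: a one-time code is generated with the CSPRNG, only a keyed hash of it is kept, and it is accepted once, within a validity window, with a bounded number of tries. The code length (6 digits), validity (10 minutes), try limit (3) and the keyed-hash storage are assumptions; the page states none of them, and email delivery itself is out of scope.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed parameters; the page states none of them.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 10 * 60
OTP_MAX_TRIES = 3

# Server-side key so a leaked table of pending codes cannot be brute-forced offline
# (a 6-digit code under a plain hash would fall in 10**6 guesses). Generated per process here;
# a real deployment would keep it in a secrets store.
_OTP_KEY = secrets.token_bytes(32)


@dataclass
class PendingOtp:
    email: str
    code_mac: bytes       # HMAC of (email, code); the code itself is never stored
    expires_at: float
    tries_left: int = OTP_MAX_TRIES


def _mac(email: str, code: str) -> bytes:
    # Binding the address into the MAC means a code issued to one address cannot verify another.
    msg = f"{email.strip().lower()}\x00{code}".encode("utf-8")
    return hmac.new(_OTP_KEY, msg, hashlib.sha256).digest()


def issue_otp(email: str, now: Optional[float] = None) -> Tuple[str, PendingOtp]:
    """Generate a code with the CSPRNG; the caller delivers it by email (out of scope here)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    pending = PendingOtp(email=email, code_mac=_mac(email, code), expires_at=now + OTP_TTL_SECONDS)
    return code, pending


def verify_otp(pending: Optional[PendingOtp], email: str, code: str,
               now: Optional[float] = None) -> str:
    """Return "ok", "wrong_code", "too_many_tries", "expired" or "no_pending".

    A successful verification consumes the code so it cannot be replayed, and running out
    of tries or time leaves it permanently unusable.
    """
    now = time.time() if now is None else now
    if pending is None or pending.tries_left <= 0:
        return "no_pending"
    if now > pending.expires_at:
        pending.tries_left = 0
        return "expired"
    pending.tries_left -= 1
    if hmac.compare_digest(_mac(email, code), pending.code_mac):
        pending.tries_left = 0      # single use
        return "ok"
    return "wrong_code" if pending.tries_left > 0 else "too_many_tries"
```

The try limit and the expiry are what make a short numeric code acceptable: each guess has a one-in-a-million chance, and an attacker gets three of them within ten minutes rather than an unbounded number. Issuing a new code should also invalidate any earlier pending one for the same address, and the locally stored PIN the page mentions is a separate, device-side control that this sketch does not model.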