During IDMS login creation or a password update for an IDMS Admin user, we require a strong password of 8 characters or more that contains at least one number and one special character, as well as a lowercase and an uppercase letter. We do not store the actual passwords: we only store one-way encrypted hashes. If an IDMS Admin user enters an incorrect account password on multiple attempts, the account will be temporarily locked to prevent brute-force attacks. To further protect account access, two-factor authentication is available and can be turned on in the institution’s account settings. When an email change, password change, or similar sensitive user account change occurs, the user is always notified so that they can respond quickly should an attack on the account be under way.
During mobile app registration, we do not ask the app user for a password. We authenticate with a one-time password sent to the user’s email address. After registration, a user can add a locally stored PIN code for added security or use the device’s built-in biometrics to secure the application. There are multiple ways an app user can authenticate themselves when adding a card: they can use a unique identifier plus a security question, or they can use Single Sign-On to authenticate with their identity provider.