Login, Multi-Level Authentication and Security in ePayment

An additional layer of security has been added to ePayment called "multi-level authentication", similar to what other banking and financial institutions implement to safe-guard account information.  So there are two steps to the login process:

Step 1:  Login via the University of Hawaii Web Login Service. This is to authenticate the user based on UH Username and Password. Overall, this is the standard login page for many of the UH systemwide web applications.

Step 2:  The first time a user logs in to ePayment, he/she must set up their Level 2 Authentication which consists of 5 security question and answer sets and the selection of an image to be displayed upon subsequent login.  The latter is to reassure the user that the website is legitimate, meaning they should always see their selected image when logging in.  Note: These second-level security questions are different from the UH password reset questions.

Subsequently (in the image below), the user will be required to answer 1 of 5 of their secret questions, and will see the image they initially selected. Users will have 5 chances to answer correctly - after that their account will be locked and will need to be reset after identification is made via the Help Desk either by phone or in-person.

Note:  Typing text into the answer field will be hidden, meaning users will not see the answers in plain text.  Instead, the display will be similar to a password field so other people in the vicinity cannot see the answers.

Note:  The user is given the option to edit their second-level secuirty questions/answers and change their image selection on this page (by clicking the checkbox) because multi-level authentication data is not stored within ePayment.  Information Technology Services (ITS) developed this additional layer of security generically so that other applications can utilize it in the future.  The second-level security questions/answers will be the same for all applications as they are tied to a user's UH username.

Additional Security Information

Session Timeout - A user's login session will automatically timeout after 20 minutes of inactivity.  This means no typing and no movement of the mouse has been detected.  This is to better protect a user's information should they inadvertently forget to logout and leave their desk.

Secret Answer Encryption - All answers to the second-level security questions are encrypted before being saved.  This means that even ePayment Administrators cannot view the secret answers for any user.  Should a user fail to answer correctly after the maximum 5 login attempts, his/her account will be locked.  The only option is to contact the Help Desk and have them reset the account so the end user can update their information.

Activity Logging - Due to the sensitive nature of information being collected, user activity is tightly monitored.  This means information is being captured when actions on the website are triggered, i.e. adding, changing or inactivating bank information, changing personalized alerts, and failed login attempts.  This is why at least one form of personalized alerts is required - to keep the user informed of activity and/or suspicious activity on their account.

Bank Data Encryption and Storage - Your bank account information is protected with 128-bit encryption during transmission and when storing it in the ePayment database.  This information is stored in ePayment on a temporary basis only.  Once your account information passes the pre-note (account validation) process, it is transferred to the UH Kuali Financial System (KFS) and deleted from ePayment.

All UH disbursements, including to individuals, requires a person record in KFS.  EFT transactions obviously require the bank account information.  The ePayment process authorizes UH only for deposits to employee bank accounts, not withdrawals.  Access to bank information is restricted to a very small number of employees, all of whom have signed UH confidentiality agreements and have access to other sensitive personal information as a requirement of performing their duties.