Banking Security – Multi-Factor Authentication
Windsor Federal Savings, in accordance with federal banking
requirements, is adding an additional layer of
security to WinOnLine, the online banking and bill
In addition to the Sign-On ID and password,
this multi-layered, high level security program is
designed to provide enhanced online banking
security to further protect your personal account
information when banking online.
Currently, when you sign on to WinOnLine, you are identified
by your Sign-On ID and you authenticate who you
are with your password (this would be considered
In Multi-Factor Authentication, you provide
a second authenticating factor.
Some web sites issue physical tokens, some
use challenge phrases, some use random number
generators and each method has its pros and cons.
Windsor Federal Savings has carefully
weighed its options and has decided to use a
digital certificate based or challenge phrase
method for the second form of authentication.
The benefits of this option are:
physical devices such as tokens to carry.
create your own challenge phrases; we do not
force you to answer questions specified by us
but rather enable you to create your own
security questions and answers.
Certificates use 128 bit encryption technology
to not only verify who you are, but also to
verify your computer.
can install a certificate on more than one
computer if necessary.
Why is this additional
layer of online security necessary?
Federal regulators are mandating that financial institutions
implement a second layer of security for online
banking in order to protect your accounts from
computer hackers and identity thieves.
What is a digital
Digital certificates are security tokens that provide an
additional means of proving your identity in
electronic transactions, much like a driver’s
license does in face-to-face interactions.
Digital certificates protect the integrity
of the data and provide a behind-the-scenes
transparent Sign-On method that won’t
How will this security
feature be implemented?
After we turn on the Multi-Factor Authentication solution,
upon your first Sign-On, you will be automatically
guided through the registration process.
This simple process will only take a few
minutes and will only need to be completed one
process begins with the creation of three (3)
security questions with unique responses
containing a minimum of five (5) characters.
When creating the responses to your
security questions, we recommend that you make the
response a single word to avoid spacing/typo
errors that may cause sign on issues.
You will also be asked to download a digital certificate that
will uniquely identify your computer and prevent
you from having to answer a security question with
Registering your computer with a
certificate tells us that it is you, not a hacker
from an unknown computer attempting to access your
process will not cause your user name or password
to be changed and we will not contact you by phone
or email to obtain additional security
Do not install
certificates on a public computer (library,
Internet café, etc….).
If you need to sign on from a public
computer, you will be allowed access by answering
one of your security questions.
What do I do on or
after Monday, June 23rd, if I do not
have the time to complete the registration process
but I need access to my accounts through WinOnLine?
The registration process associated with the Multi-Factor
Authentication solution is voluntary through
Sunday, August 10, 2008 but thereafter
authentication will be required in order to access
your accounts through WinOnLine.
From June 23rd through August 10th,
the registration process can be bypassed by
signing on to WinOnLine with your Sign-On ID and
password and then once the registration page
appears, scroll to the bottom of the page and
click on “Continue without it” to access your
accounts through WinOnLine.
highly recommend that you register at your
earliest possible convenience and not delay until
the mandatory date when any unanticipated problems
with the registration process could become a
significant inconvenience to you.
When is it appropriate
to download a digital certificate?
You can download a digital certificate on up to four (4)
computers that you normally use to access your
you need to download a digital certificate to a
different computer other than the one you
initially registered, you will need to respond to
the security questions again so we can verify your
identity, then you can download a digital
certificate to that computer and access your
you should not download a digital certificate to a
public or infrequently used computer.
What is a public computer?
A computer that is accessible to the general public is
considered to be a public computer.
Examples are computers in libraries, school
computer labs, hotels, airports and cafes. Please DO
NOT install certificates on these types of
you need to Sign-On to a public computer, you will
be allowed access by answering your security
you should never download a digital certificate to
a public computer.
Do I need to select the
digital certificate each time that I Sign-On to
Not necessarily. If
you have multiple digital certificates on the same
computer, then you must select the appropriate
digital certificate which can be determined by the
appearance of the last two (2) characters in your
Sign-On ID. However,
if you have only one (1) digital certificate on
your computer, you may suppress the pop-up screen
with the digital certificate from your desktop.
On Internet Explorer select “Tools” > “Internet
Options” > “Security” > “Custom
Level” and then scroll down to “Don’t prompt
for client certificate selection when no
certificates or only one certificate exists” and
Please note that
changes to browser settings can affect the
functionality of your browser and therefore all
such changes should be done at your own
If necessary, can I
delete a digital certificate from my computer?
Yes. On Internet
Explorer select “Tools” > “Internet
Options” > “Content” >
“Certificates” and then highlight the
certificate that you would like to remove and
When will you ask me a
We will ask you a security question when you sign on from an
unregistered computer (such as a public or
infrequently used computer) or when you sign on
from a computer that you have not yet registered.
What do I do if I am
Signing-On and I have forgotten the correct answer
to the security question?
When you complete the registration process for the
Multi-Factor Authentication solution, you are
asked to provide up to two e-mail addresses to
which a one-time reset code will be sent enabling
you to reset your security questions and answers.
If you forget the answer to the security
question that is presented, you will see on the
same screen below the security question, a button
labeled “Send a one-time password”.
Click on this button and then select the
e-mail address where you want us to send the reset
code, then click “Continue”.
Click “Continue” again and you will be
returned to the security question screen.
In a few minutes, the e-mail will arrive
from Customer Support / Windsor Federal Savings
with your one-time reset code.
Below the security question, is a button
labeled “Enter one-time password”.
Click on this button and then enter your
one-time reset code.
This reset code will enable you to pass
through the authentication process one-time and/or
reset your security questions and answers.
What is the difference
between the secret question/phrase under
“Options” in WinOnLine and the security
questions in this security solution?
The secret question/phrase under “Options” in WinOnLine
is used to authenticate you when you have clicked
“Forgot Password” located in the WinOnLine
Sign-On box and are requesting that your WinOnLine
password be e-mailed to you.
However, the security questions in this
Multi-Factor Authentication solution are used to
authenticate you when you have already signed on
with your Sign-On ID and password but a digital
certificate is not present on the computer that
you are using to access WinOnLine.
In essence, the secret question/phrase is
associated with the first layer of security (User
Name and password) and the security questions are
associated with the enhanced security solution.