CAFT Multifactor Authentication

Please reassure your users that the recommended Microsoft and Google Authenticator apps function to provide one-time passcodes, and are free, safe and secure apps that are used globally in corporate environments. If they have questions about the apps, you may direct them to these support pages for Microsoft and Google.  You may also emphasize that multifactor authentication (MFA) is quickly becoming an industry standard to keep user online accounts secure, and a key way to help prevent cyberfraud crimes and client losses. For this reason, we are requesting CAFT Originator/users, as well as staff that support CAFT Originator/users, to use these apps on their devices.

If there is a strong resistance to using these apps, there are alternative methods of authentication that will work with a desktop computer browser. Users can search their own Browser plugin store for “Authenticator”, however, users should use caution with browser plugins for email authentication, as it is not considered the most secure form of authentication and why it is not available as part of CAFT MFA.

PPJV has introduced multifactor authentication (MFA) to the CAFT platform to further increase cybersecurity and deter fraudulent access.

Previously, users would log in directly to CAFT by entering their user ID and password into the CAFT home page. Now, users arriving at the CAFT site (caft.paymentsanytime.com) will be first redirected to an MFA login process, where they will need to input a time-based, one-time password (TOTP) generated via an authenticator app. Once MFA verification is complete, users will reach the CAFT login screen to which they are accustomed, where they will enter their user ID and password credentials as before.

Multifactor authentication (MFA) adds a layer of security to online accounts. It requires users verify their identity through two or more authentication process. For example, the CAFT MFA process requires users to input a time-based, one-time password (TOTP) generated by an authentication app, such as Microsoft or Google Authenticator, installed on their device.

MFA deters illegitimate access to an account. While a fraudster might be able to obtain an account holder’s login credentials through a remote data breach or phishing attack, it is significantly harder for the fraudster to also gain access to a user’s device where the TOTP authentication code is generated.

MFA applications like that now being used for CAFT are sometimes also called two-step verification or 2FA because there are two factors required for verification (password and one-time code).

To enable MFA, your first step will be to download an authentication app to your smartphone or tablet.

An authentication app is an app designed to provide special time-based one-time passwords whenever you log into a registered application. These temporary codes or passwords help ensure a fraudster can’t gain access to your accounts even if your password is compromised.

The CAFT MFA is configured to work with several different authentication apps. We recommend using either Microsoft Authenticator or Google Authenticator. Both apps are free, secure and easily downloadable from the Apple and Google app stores. (Note, you may have previously installed one of these authentication apps to access a different account, such as for work or banking. If so, the app can also be used for CAFT MFA).

Once you’ve installed an authenticator app to your device, you’ll be able to register for CAFT MFA. The first time you access CAFT after December 6, you’ll be shown a QR code. Start your authentication app and scan the QR code: this will register your CAFT MFA account with the app. From this point forward, you can check the authenticator app for the code you’ll need each time you log into CAFT. (Refer to the CAFT MFA User Guide sent to you along with these FAQs for a detailed walkthrough of this process, including screenshots).

There may be a number of reasons for a QR code not scanning in properly such as the camera being slightly out of focus or too far away. If this happens, try again, making the QR code larger if possible (though still within the designated square) and holding the camera steady for a few seconds.

If the QR code simply won’t work, there is an alternative method. You can click the green ‘Trouble Scanning?” link under the QR code. An alphanumeric code will appear which you can type into the authenticator app in lieu of scanning the QR code.

The authenticator app generates a new one-time code every 30 seconds. Make sure you give yourself enough time to enter the code before it resets (i.e., if there are only a few seconds left on a timer, wait for a fresh code and input that). Also, if you have multiple accounts on your Authenticator app, make sure to select the code under the CAFT account.

If you see the error message “Too many failed codes. Wait for minutes before retrying” it means you’ve tried too many times with the wrong or expired code. You will need to wait about 15 minutes before trying again.

Your MFA account will become locked after too many failed login attempts. If this happens, contact CAFT support at CommercialServices@ACU.ca and they can assist unlocking your account.

When you register your CAFT account in your authenticator app, you will be given a one-time-use recovery code. This code can be used exactly once to log in when you don’t have access to your authenticator app. (For example, you’ve misplaced your smartphone or it has run out of power).

If you lose your recovery code and need to log in without the device on which you installed the authenticator app, contact CAFT support at CommercialServices@ACU.ca and they will assist you.

You will need to have your account reset. Contact CAFT support at CommercialServices@ACU.ca and they can assist you.

You should enter your usual CAFT username password combination—the same one you would have used prior to the implementation of MFA. Note: you will need to enter your username/password credentials twice: once at the beginning of the new MFA process, and again when you arrive at the main CAFT login screen.

If your password has expired, you will still be able to enrol in MFA and will have the opportunity to update your password once you reach the CAFT login page.

However, if you’ve forgotten your password, you will not be able to reset the password on your own. You will need to request a password reset through your regular CAFT support contacts.

You will need to enter your one-time MFA code almost every time you login to CAFT. The one exception is if you logout and log back in during a single session—i.e., you log in on the same browser and device within 8 hours after your first login. In this case, you’ll skip MFA and go straight to the regular CAFT login page.

When prompted for your one-time code during CAFT MFA login, you will need to open the authentication app on your phone and enter the 6-digit code that appears under your CAFT account.

There are MFA systems some users may be familiar with that work by sending a code automatically via SMS-text message or phone call—these systems use a different authentication approach based on users enrolling their phone numbers with the system. However, CAFT MFA is based on the use of a secure authentication app, and you will need to obtain the code from the app when you login.

Phishing is the use of a fake email designed to appear like it's coming from a legitimate source. Spoofing is the creation of a fake web page, also designed to appear as if it’s legitimate. Fraudsters use these tools to try and harvest sensitive information like user IDs and passwords.

If you’ve received an email that is saying it’s from ACU or Assiniboine Credit Union, double-check the email domain (i.e., the part after the @ symbol). It should be ACU.ca with no additional symbols or characters. When possible, or if in doubt, confirm the domain against prior communications with us you know to be legitimate.

When logging into CAFT, if you are ever in doubt you’ve arrived to the right web page, check the link for the CAFT website provided when you initially enrolled into CAFT, or any bookmarks you may have created. You will be able to confirm that you are in the right place by carefully checking the correct URL for CAFT: caft.paymentsanytime.com.

A mobile device such as a smartphone or tablet is advised so you can download and install one of the recommended authentication apps described in the CAFT MFA User Guide you received (also see the FAQ on ‘How do I enable MFA?’).

If you do not currently have access to a mobile device, obtaining a low-cost smartphone or tablet is one solution. Another alternative is to use the Authenticator Plugin. This is a third-party plugin that installs into Google Chrome or Microsoft Edge browsers and performs the same functions as the aforementioned authenticator apps but within a Web browser.

Follow along with your CAFT MFA User Guide and the MFA login process should be quick and work without issue. However, to be on the safe side, you may wish to build in as much time as possible ahead of your first transaction after December 6 in case an issue arises that needs to be worked through. For example, if you normally run your payroll transactions late afternoon on a Friday, you may wish to try and run the transaction earlier in the day, or at least attempt to successfully log onto CAFT ahead of time.

MFA is an important tool for cybersecurity that we are implementing to help keep your information and accounts safe. However, cybersecurity is everyone’s responsibility and it is important that we all follow cybersafe practices whenever dealing with sensitive online information.

• Pay attention to URLs. Ensure you are always using the correct URL for any banking services or other financial transactions that are done online.
• Do not communicate or keep a copy of your usernames and/or passwords for any of your financial services (or other secure logins) in your email account. A common way of gaining illegitimate access to a secured account is through the discovery of sensitive information within a compromised email account.
• Enable multifactor authentication (MFA) on your email account, if available, for an added layer of security – for example, so you are prompted to enter a security code sent to your phone whenever you attempt to login to your email from a new device.
• Be very cautious of unsolicited emails asking for your login credentials and never click on a link to login from an email you were not expecting. 
• Even if an email appears to be coming from a legitimate sender, if it involves making changes to login or banking information, verify the legitimacy with the sender via another communication method (e.g. phone call).
• Always log out of your secure accounts, such as online banking, when using public or shared computers or devices. If possible, avoid using public wi-fi for sensitive activities.

There are also many good resources on individual and business cybersecurity online. A good one to check out is GetCyberSafe.ca.