Since it is known that phone calls are insecure. What if a PEXA VOIP phone was misappropriated.

When will PEXA Users be able to establish a secure (trusted) connection with support staff?

Now there is more support staff - Thankfully!

However we no longer easily get to know all the support staff by name, or voice recognition, anymore.

Suggest maybe a simple reverse 'codeword', could be chosen or a 'phrase' (perhaps on the Secret Notes section of user profile) or ask 'what is my current PingID number', to ask the PEXA support staff person (as the call center ask user secret Q&A) to establish trust in talking with a legit PEXA support staff in both directions?

Increase the functionality of the Help or Feedback to have or request a support call/conversation within the workspace...

Make every day count, keep smiling!

Just a heads up...

https://www.gizchina.com/2019/12/29/security-hackers-successfully-hack-two-step-authentication/

Make every day count, keep smiling!

Thank you for the heads up @DMc. It’s situations like this that reaffirm how much we, as an industry, need to make cyber security our top priority. Things like (and not limited to) making sure your operating systems are up to date, using MFA for emails, PEXA, banking and etc, using systems like PEXA Key or confirming bank account details by phone, go a long way to help us as an industry stay cyber safe. Bypassing MFA authentication is extremely difficult, and we have additional security controls in place to protect PEXA as well as our members. I would be happy to chat about this in more detail with you, just ping me here.

Thanks and best regards,

Yair Mendelson

Is this an intended test, to see if people would click on an emailed link? LOL

Spear-phish?

Make every day count, keep smiling!

Am curious, Is the aging Digital-Certificate Dongle being considered (up for revision) to something bit more robust, device compatible, & future-ready?

It would not hurt to have 2FA on your password manager, especially since so many aging sites are yet to go passwordless...

https://www.yubico.com/au/product/yubikey-5-nfc/

Make every day count, keep smiling!

Hello @DMc 

Thanks, great insights.

Yes, we are always looking at new technologies and ways to improve our solutions. This is very timely, as we are reviewing ways to improve the signing experience. The digital certificate dongle has been a great solution for many years, but as you indicated, technology is constantly evolving and there may be better, device compatible, ways to both authenticate and sign documents in a PEXA Workspace.

I'll send you a direct message, as I'd love to hear whether you are using FIDO2 device for authentication.

Thanks again,

Brett

@BrettCS 

How about we go even better!

AFAIK, Yubico is the company behind the Yubikey which has been around now for 13 years. Yubico founded the industry consortium for FIDO2, the Passwordless Authentication standard.  It stands for Fast ID Online version 2. 

WebAuth is the standard within FIDO2 relating to Web Authentication.  This is what PEXA will be most interested in because PEXA's service is web-based.  

FIDO2 and WebAuthn are complex and implementation projects require a specialist team and typically require any months to deploy.  That team is then needed for the lifecycle of the system.

A short circuit to achieving this same outcome is deploying BankVault Passwordless.  This supports the WebAuthn standard.  Simple, low-cost deployment (in hours, not months) makes this 10-100x faster to deploy than competing solutions:

 - No change to backend infrastructure

 - No client software

 - No user setup (or Change Management)

It harnesses user mobile phones, saving costs, and the inconvenience of having to buy, setup, and always carry a dongle. 

Make every day count, keep smiling!