MFA FAQs

Why did B-M S FCU introduce this feature?

In the technology age we live in, fraudsters attempt to trick people into revealing their personal information by creating fake websites that look very much like the legitimate sites of financial institutions. This phenomenon has been called spoofing.

B-M S FCU has never been successfully hacked, and to the best of our knowledge, none of our members have been spoofed. However, identity theft is the fastest growing crime in the country. To ensure we proactively keep our members safe and secure, B-M S FCU has implemented this new security feature. PassMark offers a simple countermeasure to these attacks, as well as protection against other forms of identity fraud.

What is this new security feature?

PassMark Multi-Factor Authentication (MFA) is a new service that offers you added safety by helping ensure that only you can access your credit union account. MFA provides additional security beyond single factor (password) authentication.

Users of Net Access have always authenticated themselves to gain access. From now on, Net Access will in turn authenticate itself to you. You will know with certainty that you are visiting our web site because you will be presented with an image and phrase each time you log in to Net Access.

Where is the text box for my password?

You will enter your Net Access password on a subsequent page. Please enter your account number, click “Login”, and you will quickly go to the next screen.

If this is your first time logging on since we added this feature, you will be asked to select a PassMark image and pass phrase. You will then need to select three challenge questions and provide us with short answers. You will be asked one of these questions (randomly selected) if you access Net Access from a different computer, or if you delete your browser’s cookies.

Has my Net Access password changed?

No, your Net Access password remains unchanged. Your pass phrase is entirely separate from your regular Net Access login password.

How does PassMark Multi Factor Authentication work?

You and the credit union share a unique picture and text phrase (called PassMark) that no one else knows. In addition, we take a footprint of your computer. When you log in, look for the picture to verify that it is really our web site. If we recognize your computer, we will show you the picture, and you can enter your password to get in. If you don’t see the picture, double check to make sure it’s our web site by manually entering the credit union’s URL (www.bmsfcu.org) into your browser. If we don’t recognize your computer, we will double check to make sure that it's really you. We do this by asking you a question to which only you would know the answer before showing you the PassMark and asking for your password.

A More Detailed Explanation:

The PassMark system utilizes two primary elements for authentication:

1. PassMark. A PassMark is a small image and text phrase, known only by the credit union’s site and you. When the site communicates with you, it displays your PassMark to authenticate itself to you. Since only the real site knows your unique PassMark, a fake site cannot display it.

2. Device ID. A device ID is a set of identifying data, including secure cookies and other forms of data, which are used to identify a specific computer. Because device IDs can be accessed only by sites within the domain that originated them, fake sites cannot access a device ID.

These and other elements are combined to create an authentication system in the following way:

  • You select a unique PassMark image (which you can change just like you can change a password). When signing on to the credit union’s site, you look for your PassMark image before entering your password. This assures you that it is the real credit union site.
  • Before your PassMark is displayed, the credit union site checks that the device ID of your computer is registered to you. This protects against somebody trying to get your PassMark from the credit union site.
  • The credit union site also confirms that the device ID is registered to you before allowing you to sign onto the site, even with the correct password. This protects against an attacker with a stolen password (obtained by phishing or by other means), because the attacker does not have access to your computer.
  • When you want to register a new computer with the credit union site, the site will prompt you with a challenge question to which only you know the answer. If you provide a valid answer, you are shown the PassMark-password exchange. If you choose, the site will register the computer using a device ID upon successful login.

This achieves a very significant increase in security versus password authentication in that (a) you now have a simple method to authenticate the credit union’s web site, and (b) B-M S FCU must now authenticate you.
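The sequence of checks described above can be sketched as server-side logic. This is an added example, not B-M S FCU's or PassMark's own code; the member record, session store, function names and all sample values are constructed assumptions.

```python
import hmac
import secrets
# Constructed sample member; every name and value here is an assumption.
MEMBERS = {"12345": {
    "password": "correct horse",   # a real system stores a salted hash
    "passmark": ("lighthouse.jpg", "summer trip"),
    "challenge": {"First pet?": "rex", "Birth city?": "troy", "First car?": "nova"},
    "devices": set()}}             # device IDs registered to this member
SESSIONS = {}                      # session id -> login state

def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def start_login(account, device_id=None):
    """Account number only: show the PassMark only to a registered device."""
    m = MEMBERS.get(account)
    if m is None:
        return {"step": "rejected"}
    sid = secrets.token_hex(16)
    known = device_id in m["devices"]
    SESSIONS[sid] = {"account": account, "verified": known, "register": False}
    if known:
        return {"sid": sid, "step": "password", "passmark": m["passmark"]}
    SESSIONS[sid]["question"] = secrets.choice(list(m["challenge"]))
    return {"sid": sid, "step": "challenge", "question": SESSIONS[sid]["question"]}

def answer_challenge(sid, answer, register=False):
    """Unrecognized device: a valid answer unlocks the PassMark-password step."""
    s = SESSIONS.get(sid)
    if s is None or "question" not in s:
        return {"step": "rejected"}
    m = MEMBERS[s["account"]]
    if not _eq(answer.strip().lower(), m["challenge"][s["question"]]):
        del SESSIONS[sid]
        return {"step": "rejected"}
    s["verified"], s["register"] = True, register
    return {"sid": sid, "step": "password", "passmark": m["passmark"]}

def submit_password(sid, password):
    """A correct password alone fails unless the device or challenge was verified."""
    s = SESSIONS.pop(sid, None)
    m = MEMBERS[s["account"]] if s else None
    if not (s and s["verified"] and _eq(password, m["password"])):
        return {"step": "rejected"}
    result = {"step": "logged_in"}
    if s["register"]:              # register the device only after a successful login
        result["device_id"] = secrets.token_hex(16)
        m["devices"].add(result["device_id"])
    return result
```

The PassMark is never returned to an unrecognized device before the challenge is answered, and the password step refuses a session that was not verified by device ID or challenge.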

Above all, PassMark is relatively simple to use. Increased security is achieved without much change in your experience. Just use the site as usual and look for your PassMark at login. Occasionally you may be asked to re-validate who you are or to register a new computer.

How do I set up this new feature?

Setting up PassMark MFA on your PC is relatively easy. Just follow these steps:

  • Select your PassMark image. You have thousands to choose from in our library, or you can even upload one of your own (see instructions below). Choose a pass phrase that reminds you of your PassMark image.
  • Answer three challenge questions of your choice. Challenge questions are displayed by using the drop-down arrows. They may be selected by clicking on the desired question. The question will auto-fill in the #1 box and you will be prompted to enter your answer. Use this same process to complete all three challenge questions.
  • The next screen will ask you to confirm your PassMark image and challenge questions. You may change them now, or also after you have enrolled.
  • You're done!

Can I log in to Net Access through another computer?

Yes. After setting up your PassMark information on your first computer, you can set up MFA on as many computers as you choose.

  • After entering your User ID, you will be asked one of the three challenge questions (randomly selected).
  • You will be asked whether you want to register this computer. You would register a home computer, but probably choose not to register an unprotected work computer, or a public computer (as found in a public library).
  • After successfully answering your challenge question, you will be shown your PassMark image and your security phrase. Your password box will be at the bottom of this screen.

Changing Your PassMark

The PassMark feature allows you to change your image or phrase at any time and as often as you like. You can select from the many images available, or you can choose to upload your own picture. Your new image and phrase are then presented to you each time you log in.

To use existing pictures for your PassMark:

  • Click the Change PassMark button.
  • Select an image by Category, by using the Get More button, or by choosing one already displayed on screen.
  • Make any desired changes to your PassMark phrase.
  • Finally, click Submit to save any changes you’ve made.

To upload a picture for your PassMark:

  • Copy or save your picture in .gif or .jpg format onto your computer. NOTE: Although we support uploading of images up to 5 MB in size, it is easiest to use a smaller file.
  • Click the Change PassMark button.
  • Click the Browse button near the bottom of the page.
  • In the Choose File dialog box, browse and select the picture from your computer to upload.
  • When you've found the picture, click the Open button.
  • The phrase “Upload Selected” will appear under the file name you just selected.
  • Make any desired changes to your PassMark phrase.
  • Finally, click Submit to save any changes you’ve made.

If I delete cookies from my browser, will I need to set my information up again?

No. We identify your computer through other means as well as cookies, so you can safely delete cookies without having to set up your access information again. However, you will be asked to answer one of your three challenge questions (randomly selected) the next time you log in.