Where plan sponsors and recordkeepers stand on multi-factor authentication

Kim Shumate | Thought Leadership

Most HR managers are familiar with qualified retirement plans, which are widely offered by companies of all sizes and available to employees of all job levels. Those include 401(k)s and pension plans described in Section 401(a) of the Internal Revenue Code that are subject to ERISA guidelines.

Our firm recently interviewed mid- to large-sized plan sponsors and 401(k) recordkeepers to better understand their use of multi-factor authentication (MFA) as a tactic for mitigating defined-contribution plan fraud and protecting sensitive participant and plan information.

Across the board, the companies we spoke with are under increasing pressure to update their 401(k) security practices to meet the evolving demands of state and federal regulators, vendor management expectations and ever-more-creative fraudsters.

The findings from our research, summarized here, offer a starting point for plan sponsors interested in updating their own practices.

What is multi-factor authentication?

Multi-factor authentication is any method for granting access to a system that requires the user to verify his or her identity with two or more pieces of information.

These pieces of information, or factors, can be categorized as follows:

  • knowledge-based (something only the user knows)
  • possession-based (something only the user has)
  • inherence-based (a biometric or behavioral trait, such as a fingerprint)
  • location-based (where the user or the user’s device is)

For example, banks use two-factor authentication to limit access at ATMs to users who can confirm their identity using both possession-based information (a bank card) and knowledge-based information (a PIN).

MFA is fast becoming the standard

Every recordkeeper we spoke with offers MFA as a means of controlling access to participant information. In fact, recordkeepers universally described MFA as a “best practice” and “standard requirement” for 401(k) plan security.

Of the plan sponsors we interviewed, one-third have already implemented MFA with their defined-contribution recordkeeper. The rest described themselves as being in the process of implementing MFA or planning to implement in the near future.

The use of MFA to control not just participant access, but also plan sponsor access to plan information, is gaining traction. Plan sponsors say they are tightening internal security practices in other ways, too; for instance, most now require unique user IDs and passwords for each authorized human resources team member, whereas in the past HR teams may have shared a single login.

Two factors are the norm — for now

The recordkeepers we interviewed currently offer two-factor authentication that combines knowledge-based and possession-based authentication factors.

The knowledge-based factor is the account username and password, and the possession-based factor is usually a verification code provided to the participant via text message, email, or mail. In some instances — such as when the participant’s email address or cell phone number is not on file — call center representatives may provide verification codes to participants over the phone once the caller is verified.

Recordkeepers are actively exploring more innovative authentication factors, including biometric factors such as voice identification, fingerprint scanning, and retina-scanning technology. While few recordkeepers have this ability today, several vendors we spoke with plan to have these options in place by the end of 2019.

Security protocols are not “one size fits all”

According to the plan sponsors and recordkeepers we interviewed, MFA is typically required during initial account registration and any time a user logs in from an unknown device or browser. In addition, some recordkeepers require MFA whenever a user requests a distribution or withdrawal.

While these practices are the most common, plan sponsors may be surprised to learn that some recordkeepers are willing to customize MFA protocols according to the desires and risk tolerance of the individual client.

For instance, plan sponsors may decide they will only allow verification codes to be emailed if the participant’s email address hasn’t been changed in the last 30 days. However, plan sponsors that have been the target of frequent email hacks may choose not to allow email delivery of verification codes at all, relying on the US Postal Service for its more secure, albeit slower, method of delivery.

Several companies we spoke with have bolstered their MFA protocols with additional security measures, like requiring users to create stronger passwords that include mixed capitalization, numbers, and special characters.

Others have implemented waiting periods of two weeks to 60 days from the time a distribution is requested to the time it is paid out, especially if the direct deposit information or mailing address on the account was recently updated.

During the waiting period, participants are notified of all recent changes to their account data and asked to contact the recordkeeper if the changes were not authorized.

Such measures, which deliberately slow down distribution and loan processing, reflect a growing preference among plan sponsors to prioritize security and fraud-resistance over speed of service.
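As an added illustration, not code from the article or from any recordkeeper's system, the following Python encodes the client-specific rules described in this section as one policy: the step-up triggers (registration, unknown device, distribution), the code-delivery channels allowed under the 30-day email rule, and the payout waiting period. The `Policy` and `Account` names are assumed, and the default values are constructed from the ranges the article reports rather than taken from any real plan.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy knobs; the article reports these as per-client choices, not fixed values.
@dataclass
class Policy:
    allow_email_codes: bool = True      # False for sponsors hit by frequent email account takeovers
    email_cooldown_days: int = 30       # no emailed codes if the address changed within this window
    mfa_on_distribution: bool = True    # some recordkeepers step up on every distribution or loan
    base_hold_days: int = 14            # payout delay applied to every distribution
    changed_hold_days: int = 60         # longer delay when payment details were recently changed

@dataclass
class Account:
    phone_on_file: bool
    email_on_file: bool
    email_changed: Optional[date] = None            # last change to the email address
    payment_details_changed: Optional[date] = None  # last change to direct deposit or mailing address

def mfa_required(event: str, known_device: bool, policy: Policy) -> bool:
    """Step-up triggers from the article: registration, unknown device or browser, distribution."""
    if event == "registration":
        return True
    if event == "login":
        return not known_device
    if event in ("distribution", "loan"):
        return policy.mfa_on_distribution
    return False

def code_channels(acct: Account, policy: Policy, today: date) -> list[str]:
    """Delivery channels allowed for a verification code, most convenient first."""
    channels = []
    if acct.phone_on_file:
        channels.append("sms")
    recently_changed = (acct.email_changed is not None
                        and today - acct.email_changed <= timedelta(days=policy.email_cooldown_days))
    if acct.email_on_file and policy.allow_email_codes and not recently_changed:
        channels.append("email")
    # Fallback: the call center verifies the caller and sends a code by text or postal mail.
    channels.append("call_center")
    return channels

def distribution_hold_days(acct: Account, policy: Policy, today: date) -> int:
    """Waiting period before a requested distribution is paid out."""
    if (acct.payment_details_changed is not None
            and today - acct.payment_details_changed <= timedelta(days=policy.changed_hold_days)):
        return policy.changed_hold_days
    return policy.base_hold_days
```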

Communication is key to participant satisfaction

Transitions are never easy. Plan sponsors should expect that some participants will be reluctant to embrace a new MFA protocol, but early and frequent communication can help pave the way for success.

Every effort should be made to obtain participant cell phone numbers and email addresses in advance of implementing MFA. The plan sponsors we spoke with found a 60-day campaign was generally sufficient to encourage participants to update their contact information. Participant communications should explain the importance of the new security protocol and outline the transition process.

During the communication campaign, configure your participant portal so that participants who haven’t provided a cell phone number or email address are redirected to update their contact information as soon as they log in.

Once MFA is implemented, new participants should be required to provide a cell phone number or email address. Existing users who have not provided this information should be directed to contact the call center for assistance and authentication, which typically consists of sending a verification code to the user via text or postal mail.

Plan sponsors report that participants have fewer complaints about MFA when given the opportunity to specify their preferred mode of contact. For instance, participants might prefer to receive verification codes by text message over email, or they may wish to use a different phone number than the primary one listed on the account.

Inevitably, a few participants will take exception to sharing their personal cell phone number or grumble about waiting to receive a verification code via snail mail, but most will appreciate the extra security measures once their importance is explained.

Belts are tightening

Almost all of the companies we spoke with acknowledged a heightened focus on 401(k) security in general and over the last 12 to 18 months in particular.

In fact, some recordkeepers are including language in their contracts that demands the use of multi-factor authentication by all involved parties before they will allow single sign-on between their own website and the plan sponsor’s employee benefits website(s).

And while recordkeepers are often willing to guarantee system security and reimburse lost funds due to fraud, plan sponsors should expect that such guarantees will increasingly be contingent on their willingness to implement MFA and other recommended security measures.

Reprinted with permission from BenefitsPRO. © 2019 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.