Multi-Factor Identification Announcement: Informational Resources from LT Trust

Table of Contents

  • Video Tutorials

    • First-Time User Video Tutorial

    • Only Email on File Video Tutorial

    • Existing User Video Tutorial

  • Functions that Require OTP

  • FAQ

First-Time User Video Tutorial

Only Email on File Video Tutorial

Existing User Video Tutorial

Functions that Require OTP

  • MFA Logging in:

    • OTP authentication will be required if the participant is in any OTP-enabled plan.  When the participant first logs in, if there are multiple phones and/or email addresses on file, they will be prompted to select which device will receive the OTP.  The participant will only have this option on the first login.  After this initial selection, the OTP will be automatically sent to that device. If the participant chooses to receive the OTP at a phone number, they will be prompted to indicate whether the OTP should be transmitted by SMS text.  Once this selection is made, it will automatically be used in subsequent logins.

  • Beneficiary Changes:

    • If the participant logs in from a recognized device, “One Time Pin” (also known as “OTP”) authentication will not be required during login.  However, if the participant then tries to change beneficiary information, they will be routed through the OTP procedure when they submit the change.  Changes will only be made when the OTP authentication process is successful. Once OTP occurs in the session, it will not be required again for beneficiary changes.

  • Password Changes:

    • If the participant logs in from a recognized device, OTP authentication will not be required during login.  However, if the participant then tries to change password information, they will be routed through the OTP procedure when they submit the change.  Changes will only be made when the OTP authentication process is successful. Once OTP occurs in the session, it will not be required again for password changes.

  • Enrollment by Plan Password:

    • If new participants are permitted to set themselves up in the system for the first time through web enrollment using a plan password, OTP authentication will not be possible as the participant initially has no phone numbers or email addresses on file that can be utilized.  In this case, OTP authentication will be bypassed during the initial enrollment process.  Once enrollment is complete and the personal information changes resulting from that process are submitted, OTP authentication will be triggered upon the next login.

  • Loans, Distributions, and Withdrawals:

    • All forms of disbursements from the plan, such as loans, distributions, and withdrawals, will trigger OTP authentication when the transaction is submitted.

  • Email Change by Other Transactions:

    • Many transactions, such as transfers and contribution rate changes, which do not change personal information or involve withdrawal of assets from the plan, do not trigger OTP authentication.  The exception to this rule is when the participant changes an email address during the transaction request and where OTP has not already occurred in the current session.  For example, if the participant bypasses OTP during login by logging in from a recognized device and then proceeds to change their contribution rate, OTP will be triggered if the participant changes their email address for confirmations.  This is because the contribution transaction includes a personal information change and personal information changes are only permitted following a successful OTP authentication process. Note that the ability to change email addresses for transaction confirmations during a transaction request is an existing web option which can be turned on or off with web setup.

  • Single Sign-On Considerations:

    • Login by single sign-on will bypass the Relius Administration OTP authentication process during login.  However, transaction requests such as personal information changes, beneficiary changes, password changes, and all disbursement requests may only be made following successful OTP authentication, consistent with the post-login requirements that apply to participants who log in normally.
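
The rules in this section reduce to two decisions: whether to prompt at login and whether to prompt when a transaction is submitted. The sketch below is an added example, not code from LT Trust or Relius; the `Session` fields, action names, and the treatment of plans without OTP enabled are assumptions made for illustration.

```python
from dataclasses import dataclass

DISBURSEMENTS = {"loan", "distribution", "withdrawal"}
SENSITIVE = {"personal_info_change", "beneficiary_change", "password_change"}

@dataclass
class Session:  # hypothetical model of the session state the rules depend on
    otp_plan: bool = True                   # participant is in an OTP-enabled plan
    recognized_device: bool = False         # "remember this device" still in effect
    sso: bool = False                       # logged in through single sign-on
    plan_password_enrollment: bool = False  # first-time enrollment, no contact info yet
    otp_done: bool = False                  # an OTP has succeeded in this session

def otp_at_login(s: Session) -> bool:
    if not s.otp_plan:
        return False  # assumption: plans without OTP enabled never prompt
    return not (s.recognized_device or s.sso or s.plan_password_enrollment)

def otp_on_submit(s: Session, action: str, changes_email: bool = False) -> bool:
    if not s.otp_plan:
        return False
    if action in DISBURSEMENTS:
        return True                # always, even after an OTP at login
    if action in SENSITIVE or changes_email:
        return not s.otp_done      # one successful OTP per session is enough
    return False                   # e.g. transfers, contribution rate changes

def page_example() -> list:
    """Recognized-device login followed by the contribution-rate case above."""
    s = Session(recognized_device=True)
    steps = [otp_at_login(s)]                                   # bypassed at login
    steps.append(otp_on_submit(s, "contribution_rate_change"))  # no OTP needed
    steps.append(otp_on_submit(s, "contribution_rate_change", changes_email=True))
    s.otp_done = True              # participant completes the OTP
    steps.append(otp_on_submit(s, "beneficiary_change"))        # already satisfied
    steps.append(otp_on_submit(s, "distribution"))              # still required
    return steps
```

Encoding the policy as a pure function like this makes the bypass paths (recognized device, SSO, plan-password enrollment) explicit and lets each one be covered by a test.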

 

FAQ

  • Q:  When a participant is presented with the options to receive a code, is he/she presented with all phone numbers and email addresses on file and given the choice of which to use for the text/email?

    • A:  Yes, phone numbers and email addresses on file are available to be selected.  No new phone numbers or email addresses may be added.  Note that if the site level web option to disallow OTPs to be sent to email addresses has been turned on, then only phone numbers will be available for selection.  Additionally, since voice delivery is not available, phone numbers marked as not able to receive text messages will be excluded from available selections.

  • Q:  What happens on the participant login if there is no email address or phone number on file at all?

    • A:  As a condition of login, a device must be able to be associated with the account to receive an OTP.  Users with no email or phone numbers capable of receiving OTPs will see a message directing them to contact their plan administrator to set up missing information.

  • Q:  What happens if the phone number on file is not text-enabled (i.e. work number or landline) and/or the email address on file is no longer accessible (i.e. email address at former employer)? Basically, I want to understand what happens if we have contact info data for someone but none of it can be used for OTP authentication.

    • A:  If the OTP default was set to a device which is no longer available (e.g., an old phone number) but has not been changed in Relius, the user’s OTP device will need to be reset before they’ll be able to log in.  The participant will need to contact us for the credentials to be reset.

  • Q:  Will the participant be prompted for the OTP at each login, or only when logging in for the first time from an unknown device?

    • A:  If the user selects to “remember this device” when logging in, they will not be prompted for OTP during login from that same device for logins within the next specified number of days (number of days is configurable in Web Options).

  • Q:  Will an OTP code be required when requesting a distribution? Would the code be entered upon login and then a new code needs to be entered when submitting the request? Does this also apply to loans or any other transactions?

    • A:  All disbursements (loans, distributions, withdrawals) made by the participant will require OTP when the participant clicks the submit button for the request.  This is true even if the participant already entered an OTP during login.  Other sensitive activities include personal information changes (including password and userId) and beneficiary changes.  These non-disbursement type sensitive activities will require OTP if the participant bypassed OTP during login (e.g., because of use of a recognized device).

  • Q:  Can OTP authentication be enabled at the plan level?

    • A:  Yes, OTP authentication for participant and sponsor web is enabled at the plan level using a VRU/Web setup item.  A “Copy” function is available for this setting so that it can be quickly copied to all plans or a plan group.

  • Q: Is there any functionality that would allow for a pop-up notice to remind people to add personal info when they log in if it is missing?

    • A:  There is an option to identify phone numbers and emails as required.  With this feature, the participant will be directed to the personal information screen to update missing data upon login.

  • Q:  What happens when an email address that was previously verified by the participant is later changed in Census or through a Census DER import?

    • A:  An email address that is changed outside of the Participant Web will be reset so that it no longer displays as verified.

  • Q:  What happens when an email address or phone number that was selected as the default OTP device is changed outside of the participant web, such as through Census?

    • A:  The change of an email address or phone number that was previously an OTP default device will result in the OTP default being reset.  The next time the participant logs in, they will need to select from known devices to receive the OTP.  This selection will become the new default OTP device.

  • Q:  If the participant only has one email address and no phone number, will they still be prompted to select a device on login?

    • A:  If there is only one possible method of sending an OTP, such as a single email address, that device will become the default OTP device and the OTP will automatically be sent to that device.

  • Q:  How does OTP authentication work with single sign-on (SSO)?

    • A:  OTP will be bypassed during login if login occurs with SSO.  However, sensitive changes such as personal information, beneficiary changes, distribution, or loan requests, etc. will still trigger OTP.

  • Q:  Why is there a timer on the OTP entry form?

    • A:  In some cases, it may take up to a minute to receive an OTP.  The timer prevents the request of another OTP until sufficient time has elapsed to ensure the user would have received the first OTP.  This is important because the first OTP will no longer be valid after the second OTP is sent.

  • Q:  For how long is the OTP valid?

    • A:  The OTP is only valid for 5 minutes.  If the user does not enter the OTP within that time frame, they will need to request a new OTP.

  • Q:  How does OTP work with international phone numbers?

    • A:  International phone numbers are supported and can be set up through our user interface.
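
The timer and validity answers above describe three server-side properties: a resend is refused until the timer elapses, a new OTP invalidates the previous one, and an OTP expires after 5 minutes. The following is an added example, not the vendor's code; the 60-second cooldown, the 6-digit code format, and consuming a code on first successful use are assumptions the page does not state.

```python
import hmac
import secrets

OTP_TTL = 5 * 60        # page: an OTP is valid for 5 minutes
RESEND_COOLDOWN = 60    # assumption: the page only says delivery may take up to a minute

class OtpIssuer:
    """Keeps at most one live code per user, so a resend invalidates the earlier code."""

    def __init__(self, clock):
        self.clock = clock  # callable returning seconds; injected so tests need no sleeping
        self.live = {}      # user -> (code, issued_at)

    def issue(self, user):
        now = self.clock()
        prev = self.live.get(user)
        if prev and now - prev[1] < RESEND_COOLDOWN:
            return None     # timer still running: refuse, so the first code stays valid
        code = f"{secrets.randbelow(10**6):06d}"  # assumption: 6-digit numeric code
        self.live[user] = (code, now)             # overwrites (invalidates) any earlier code
        return code

    def verify(self, user, submitted):
        entry = self.live.get(user)
        if entry is None:
            return False
        code, issued_at = entry
        if self.clock() - issued_at > OTP_TTL:
            del self.live[user]                   # expired: a new OTP must be requested
            return False
        # constant-time comparison avoids leaking how many digits matched
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False
        del self.live[user]  # assumption: a code is consumed on first successful use
        return True
```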