Multi-Factor Authentication (MFA) for Consumer Users

Posted 14 days ago by José Gómez

Beta 3/7, Prod 4/4


Which customers are impacted?

Once this is released, all consumer users will be prompted to enroll in MFA. If a lender already has MFA enabled for its consumer SSO users (enforced by the lender's identity provider), Blend can disable MFA, but only for those consumer SSO users. This means all email+password consumer users will be prompted to enroll in MFA, although by default they will have the ability to decline enrollment. This release does not impact lender/LO users.


How to turn on:

This feature will automatically be turned on for all customers on the dates listed above.


Purpose of Update and Benefit:

On March 7, 2023, Blend will roll out multi-factor authentication (MFA) to all consumer users (a.k.a. borrower users, as opposed to lender or LO users) in all beta environments. MFA improves the security posture for all users accessing Blend, going beyond just an email address and a password. Additionally, this change puts Blend in place to comply with updates to the FTC’s Safeguards Rule that go into effect later this year. MFA will roll out to all production environments four weeks after the beta rollout, on April 4, 2023.


Current Behavior:

Before this release, Blend only offered MFA for lender/LO users.

New Behavior:

With this change, all consumer users will be prompted for a phone number after successfully authenticating with their email address and password. Each user will have the option to receive either a text message or a phone call containing a six-digit code. Blend will then prompt the user for that six-digit code in order to verify ownership of the phone number. The next time they log in to Blend, users will again be prompted for the six-digit code sent via either SMS or phone call. Users will also be able to have Blend remember their device for 30 days. During this 30-day period, users will only be prompted for their email address and password when they log in using the same device+browser combination.

Consumer users will have the ability to decline MFA enrollment when they are first prompted for a phone number. Optionally, this ability to decline MFA enrollment can be disabled, effectively requiring MFA for all consumer users. 

In the event that a user needs to change the phone number used for MFA, we have created a new section of the enterprise control panel, and associated permission, that allows an administrative user to reset a consumer user’s MFA device. This MFA reset feature will allow a consumer user to enter a new phone number the next time they successfully log in to Blend with their email address and password.
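The enrollment, code verification, remember-device and administrative reset flow described above, as an added Python model that is not Blend's code: the six-digit code and the 30-day window come from the post, while the code lifetime, attempt limit, HMAC storage of the code and device identifier are assumptions.

```python
import hashlib, hmac, secrets

CODE_TTL = 5 * 60               # assumption: a one-time code is valid for 5 minutes
REMEMBER_TTL = 30 * 24 * 3600   # 30-day remembered-device window from the post
MAX_ATTEMPTS = 5                # assumption: a code is void after 5 wrong guesses

class ConsumerMfa:
    """One consumer account's MFA state (hypothetical model, not Blend's code)."""
    def __init__(self, server_key: bytes):
        self._key = server_key
        self.phone = None        # None: not enrolled, declined, or reset by an admin
        self._pending = None     # (code_hmac, expires_at, attempts_left)
        self._trusted = {}       # device_id -> timestamp when trust expires

    def _mac(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def enroll(self, phone):
        # After a password login; phone=None records that the user declined.
        self.phone = phone

    def send_code(self, now: float) -> str:
        # Six-digit code for SMS or voice delivery; only its HMAC is kept server-side.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = (self._mac(code), now + CODE_TTL, MAX_ATTEMPTS)
        return code  # handed to the messaging provider, never logged

    def verify_code(self, code: str, now: float, device_id=None) -> bool:
        if self._pending is None:
            return False
        mac, expires_at, attempts = self._pending
        if now > expires_at or attempts <= 0:
            self._pending = None  # expired or exhausted: a fresh code is required
            return False
        if not hmac.compare_digest(mac, self._mac(code)):
            self._pending = (mac, expires_at, attempts - 1)
            return False
        self._pending = None
        if device_id is not None:  # user chose "remember this device"
            self._trusted[device_id] = now + REMEMBER_TTL
        return True

    def needs_code(self, device_id: str, now: float) -> bool:
        # Same device+browser inside the 30-day window skips the second factor;
        # an unenrolled or reset account gets the phone-number prompt instead.
        return self.phone is not None and self._trusted.get(device_id, 0) <= now

    def admin_reset(self):
        # Control-panel reset: next successful password login asks for a new phone.
        self.phone, self._pending = None, None
        self._trusted.clear()
```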

Action is required if you have consumer single sign-on (SSO) enabled in your production environment. By default, MFA will be enabled for all consumer users, including those who authenticate into Blend through SSO. In order to disable MFA for consumer SSO users, we require a statement from your information security officer attesting to the presence of MFA for consumer SSO users. Once we receive this attestation, we can disable MFA for consumer SSO users. (Note that this change will not affect non-SSO consumer users, who log in with an email address and password.) Please reach out to your account team for more information. 

Also note that this specific change will not impact lender/LO users or lender/LO SSO connectivity.

Why is Blend requiring implementation of multi-factor authentication now?

In December of 2021, the FTC published an amendment to the Standards for Safeguarding Customer Information (the “Safeguards Rule”) that included a requirement to “Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls” (16 CFR 314.4(c)(5)), which becomes effective on June 9, 2023.  Blend Labs is a “financial institution” subject to oversight by the FTC as it relates to the Safeguards Rule and the data processed in Blend’s platform is “nonpublic personal information” (NPI) as defined under the Rule.  As such, Blend is required to implement a multi-factor authentication system for all individuals who have access to NPI.


Can a lender opt out of multi-factor authentication (MFA) functionality?

In order to comply with its regulatory requirements, Blend may not permit lenders to opt out of MFA unless they can attest to having materially similar controls in place for SSO users.
