MFA USER FLOW

MFA Opt-in Screenshots

MFA Opt-in Flow for Users: Written Description

  1. When the user signs up or signs in, where the user attribute for MFA enrollment does not exist, the user is prompted to make a selection via a radio box.
  2. If the preferred MFA method is:
    • Phone: The SMS opt-in flow is activated. The user is prompted to enter their phone number. The opt-in statement is below the phone number field. The opt-in statement says “By checking this box, I agree to receive authentication codes from EHO via SMS for account security purposes. Up to one text per login attempt. See EHO Terms of Service and Privacy Statement for details.” The user must click the checkbox next to the statement to opt in.
    • Email: The email opt-in flow is activated. The user is prompted to enroll by entering their phone number. The opt-in statement is below the phone number field. The opt-in statement says “By checking this box, I agree to receive authentication codes from EHO via email for account security purposes. Up to one text per login attempt. See EHO Terms of Service and Privacy Statement for details.” The user clicks the checkbox next to the statement to opt in.
    • Both: If both options are selected by the user, both flows are activated and the user must explicitly opt in for each method (email and phone). The opt-in messages are the same as those listed above.
  3. After opting in, a message with a security code and opt-out instructions is sent to the user via their preferred MFA method(s).
      • SMS Message Example: “EHO360: DON’T share. Use code 12345678 to complete sign in. Call us if you didn’t request this code. Reply STOP to quit. Terms at https://pbm.ehorx.com/terms-of-service/”
      • Email Message Example: “Use the following verification code to login: 12345678. This code will expire in 30 minutes. If you did not request this code, call our support team immediately at (800) 650-1817. You received this message because you selected email as an MFA method with EHO360. Unsubscribe anytime.”
  4. The user verifies the code sent to their preferred MFA method. Note: If the user replies to the message with ‘STOP’, they are opted out of SMS messages.
  5. After the user enters the security code, they are ‘verified.’
  6. Once the user is verified, the EHO Terms of Service displays (https://pbm.ehorx.com/terms-of-service/). The user is prompted to accept the terms.
  7. If Terms of Service are accepted, the user is granted access to the site.
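
The ordering in steps 1-7 can be enforced server-side so that no code is sent without a recorded opt-in and no access is granted before verification and terms acceptance. The sketch below is an added example, not EHO's implementation. The class and method names are hypothetical. It assumes that the 30-minute expiry applies to both channels, that codes are single-use, and that "Both" requires every selected method to be verified.

```python
import hmac
import secrets
import time

CODE_TTL = 30 * 60  # email sample says 30 minutes; applying it to SMS is an assumption

class Enrollment:
    """Hypothetical model of the opt-in flow; not the product's code."""
    def __init__(self, methods):
        self.methods = set(methods)               # {"sms"}, {"email"} or both
        self.consented, self.verified = set(), set()
        self.codes, self.tos_accepted = {}, False

    def opt_in(self, method, box_checked):
        # Step 2: each selected method needs its own ticked checkbox.
        if method in self.methods and box_checked:
            self.consented.add(method)

    def send_code(self, method, now=None):
        # Step 3: refuse to message a channel with no recorded opt-in.
        if method not in self.consented:
            raise PermissionError(f"no opt-in recorded for {method}")
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**8):08d}"  # 8 digits, as in the samples
        self.codes[method] = (code, now + CODE_TTL)
        return code                               # handed to the SMS/email sender

    def handle_sms_reply(self, text):
        # Step 4 note: a STOP reply opts the user out of SMS.
        if text.strip().upper() == "STOP":
            self.consented.discard("sms")
            self.verified.discard("sms")
            self.codes.pop("sms", None)

    def verify(self, method, submitted, now=None):
        # Steps 4-5: pop() makes the code single-use, so a wrong guess burns it.
        now = time.time() if now is None else now
        code, expires = self.codes.pop(method, (None, 0))
        ok = (code is not None and now <= expires
              and hmac.compare_digest(code.encode(), submitted.encode()))
        if ok:
            self.verified.add(method)
        return ok

    def accept_tos(self):
        # Step 6: terms are offered only once the user is verified.
        if self.verified:
            self.tos_accepted = True

    def has_access(self):
        # Step 7: every selected method opted in and verified, terms accepted.
        return (self.tos_accepted and bool(self.methods)
                and self.methods <= self.consented & self.verified)
```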

MFA User Opt-in Flow for Users: Diagram