How Crédit Agricole Consumer Finance secures and streamlines access to its sensitive services with a SaaS multi-factor authentication solution
Feedback from Crédit Agricole Consumer Finance on their project to secure and simplify access to their sensitive services for 50,000 partners with a MFA solution that complies with the GDPR and the recommendations of the European Banking Authority (EBA). Security and user experience requirements achieved for the company thanks to the implementation of a SaaS based multi-factor authentication solution (MFA).
- Easy and fast implementation of a MFA PSD2 compliant
- MFA solution covering all use cases
- Simplified access for over 50 000 partners
- White label implementation to allow branding of the solution
CRÉDIT AGRICOLE CONSUMER FINANCE
The Crédit Agricole Group's specialist consumer credit subsidiary
Sofinco, alongside major retailers
Crédit Agricole Consumer Finance, historically known in France as Sofinco, distributes a wide range of personal loans and related services in several countries through all distribution channels: direct sales, point-of-sale financing (automobile and home furnishings) and banking partnerships.
Alongside major retailers over the 19 countries where it is present, notably through FCA Bank, CA Consumer Finance offers its partners flexible and responsible solutions adapted to their needs, but also to those of their customers.
Virginie Nentoussi
Security Project Manager, Crédit Agricole Consumer Finance
Marine Clarisse
Security Architect, Crédit Agricole Consumer Finance
Virginie NENTOUSSI and Marine CLARISSE tell us all about their experience with TrustBuilder as part of the project to secure access to sensitive services for 50,000 Crédit Agricole Consumer Finance partners.
Smart Connect, a connection portal for partners
Crédit Agricole Consumer Finance offers a range of powerful and innovative solutions to boost their partners’ business. Some of these digital solutions are accessible via the Smart Connect portal.
Smart Connect was launched in 2020 to address the ongoing challenges of security and authorization. This solution allows partners and contributors to manage their own access and authorization on our sales front-ends at their own convenience.
Thanks to this service, contributors can save time in managing their vendors, while eliminating irritants and security issues, such as insecure password transmission, the creation of generic accounts when changing passwords, or delays in creating accounts. All of these operations are carried out through the various forms of this portal, which is the only point of entry for partner requests.
This portal can be accessed by everyone from a browser, whether on a tablet, a mobile or a workstation, which makes it easier for all contributors to use. In fact, regardless of the partner’s mode of operation, all they need is access to a browser to carry out their management actions.
9 500
employees
2 billion
banking products at the end of 2021
15 million
customers
19 countries
international presence
Project: Meet both security challenges and increased regulatory requirements, without compromising the UX
Protect a unique access portal
“Phishing and brute force attacks are increasing and the banking sector is a target of choice for attackers.” underlines Marine Clarisse. “We need to reassure and provide effective solutions against these attacks.”
Limit account sharing and simplify the login experience
The sharing of credentials is a serious threat to IT security. And yet, it is frequently done between colleagues in the same workplace who need to access the same applications. Therefore, it is essential to limit this sharing of access between users, which compromises the security of the information system. And this can be carried out by using a MFA solution. It is a more complex and individualized authentication that makes users aware that they are twisting a security system when sharing a password might have seemed harmless to them.
By implementing MFA, CA CF intends to make the access to their connection portal nominative in order to limit the access to their different services / solutions to authorized persons only.
What the Group was looking for ...
- Meet the challenges of European PSD2 regulation
- Cover the risk of phishing and brute force attacks
- Adapt to the digital environment and use cases
- Facilitate connection to a single access portal
Implementing a MFA solution can address a number of issues [...] and in particular provides 99% protection against phishing and brute force attacks
"When we started out, we had multiple vendors sharing the same account. It was indeed convenient for them. Today, with Smart Connect and the implementation of MFA, we want to eliminate this account sharing and make vendors take responsibility for their actions while making it easier to access our environment"
RGPD and PSD2 Compliance
By providing and distributing financial services, which involves collecting very sensitive personal data, CA CF is required to comply with both the PSD2 and the RGPD. In fact, the consequence of the DSP2 directive is to set new rules and make multi-factor authentication mandatory for access to bank accounts and the management of sensitive operations.
Focus on security and UX for CA CF's MFA project with inWebo
“When choosing the solution, we were looking to streamline the user experience”, underlines Marine CLARISSE, who adds that“TrustBuilder is a user-friendly solution that is very easy to use and to get use to it“.
A majority of their user population is in-store and they need to be able to access the Smart Connect portal in front of their customers quickly and easily. The aim is to meet current needs while adapting to changing use cases patterns. ” It’s an innovative solution that covers all our use cases in a homogeneous way and simplifies the access journey. Marine CLARISSE
TrustBuilder.io MFA is a Passwordless solution that allows to get rid of UX ans security constraints linked to passwords. CA CF draws particular attention to the technology developed which enables users to authenticate themselves using the browser token (Deviceless MFA). This is an exclusive feature on the MFA market.
Certified by ANSSI and recognised as PSEE
Patented technology certified by French CyberSec Agency, based on dynamic random keys, combined with HSM. TrustBuilder is also an outsourced service provider (PSEE)
User friendly MFA
User-friendly and passwordless solution (PIN code) for easy and fluid access to the portal
Browser token
Technology that allows users to use their browser as a trusted device (token) - in addition to mobile, desktop and tablet tokens
PSD2 Compliance
Addressing compliance and UX issues related to the Directive PSD2
White label development
SDK and API allowing "white label" development to personalize and unify the login experience
Individual support
CA CF emphasises the "personalised support provided by inWebo's teams during the implementation of the solution".
Results: Simplified and secure login portal
Protect a unique access portal
The implementation of TrustBuilders MFA has enabled Crédit Agricole Consumer Finance to streamline the login experience of its partners to their tools and sensitive data. Whether in store, in the office or on the move, they have faster and easier access to their applications. “With TrustBuilder, the user only needs to enter his PIN code, instead of the 12-character password that has to be changed every 90 days. ” says Virginie NENTOUSSI
"The browser token has the advantage of not requiring any installation and makes it possible to control the level of security provided to an external user independently of the device used"
Users are also more autonomous in managing their account. They can manage their equipment (tokens) and enrol a new browser, tablet or smartphone themselves, either by displaying an enrolment code to enter or by receiving a link by email.
Going further
"With inWebo's multi-factor authentication, we intend to facilitate and modernise access to our services, both for our customers and our partners"
