The authentication component within the system has been designed to manage the risks associated with internet access. This component has been subjected to tests by an external company specialising in hacking both on the internet and the intranet.
The password is validated for complexity with a history of 12 passwords to ensure continued complexity. The password can be set to expire monthly and facilitates lockout attempts. The user can reset the password by answering questions and if successful, a new password is generated and e-mailed to the user who has one hour in which to use the temporary password.
If there is inactivity on the web pages, the system provides a timeout either at 15 minutes or 1 hour, depending on a site setting. Significant additional security measures have been built into the system to guard against hacking tools that are available within the market.
Users can choose a username or ID code and password. If automatic user registration is permitted by the fund, the user is provided with a unique number and upon registration, the user is automatically approved. If automatic registration is not permitted by the fund then a list of pending registrations is provided on the system and an administration user authorises access for the new user. Once access is authorised the new user is informed via e-mail.
The registration process requests a minimum of three questions and answers and fund-specific information. This information is used to allow automatic resetting if the user forgets the password.
Note:
The configuration of the installation of the system will determine the number of questions that are compulsory.
The system provides for two types of password access:
- access via a single password, which expires periodically and must be changed on expiry
- access via two passwords, which never expire
The configuration of the installation of the system will determine which of the above methods is required for access.
For information on the registration of Vodacom users refer to
Client Specific
ACA
Vodacom
Web Site Access
The automatic registration process is enabled if the automatic user registration type is selected on the fund. Refer to
Product Launch Requirements
Product Update
The administrator will dispatch a unique client code to the user in a sealed envelope by post. When the user registers on the member web, the provision of a client code will be mandatory. Once all the validations are performed at registration, the user will automatically be registered.
The user registration process is as follows:
- user registers on the web site
- administrator confirms the registration
- confirmed user logs onto the web site
- new user / superuser updates the password
- user updates security answers