This IT-Notice contains a technical overview and implementation process of a Two Factor Authentication solution (2FA) for CMS Web. This will impact all Nasdaq Nordic and Nasdaq Commodities members using Nasdaq CMS web tool for collateral management. Information in this IT-Notice is directed to IT staff, administrators of the CMS Web application as well as the end users.
Introduction
As previously communicated, Nasdaq will implement a 2FA solution in order to streamline the login procedure to all our web-based applications. First Nasdaq application to adapt the 2FA is the CMS Web application for Genium INET. Other web-based platforms will follow.
The 2FA solution to be implemented is provided by SafeNet and can be used on smartphones, tablets and/or computers. Once 2FA implementation is completed, users will be authenticated with username, password and a one-time passcode generated by the SafeNet MobilePASS app.
Timeline
The enrollment period of 2FA for CMS Web will open on October 6th with an expected completion by early December 2016. When the enrollment period starts, users will be requested to enroll as part of the standard login procedure to CMS Web.
Users will have a maximum of three login attempts available using the old authentication method (username & password only) before the enrollment to 2FA is mandated.
Enrollment of 2FA for CMS Web
Preparatory steps
The 2FA enrollment process for CMS Web users will start on October 6th. The following preparatory steps are recommended before the enrollment period starts:
- Identify the CMS Web Administrator(s) within your company
- Identify the CMS Web users within your company
- Inform all CMS Web users of the upcoming change and the enrollment process
-
CMS Web Administrator needs to ensure that all user accounts are individual. All potentially shared accounts need to be changed or removed. With the new 2FA Single Sign-On solution, the use of shared email address will be strongly discouraged
NOTE: Only use e-mail addresses that are being owned by you as a member, do not use shared or generic email addresses such as username@gmail.com or user.name@hotmail.com -
Decide which device(s) should be used for each CMS Web user, and prepare these for token installation (use of smartphones is the recommended option)
- Smartphones/Tablets – Download the app SafeNet MobilePASS from Apple App Store, Blackberry AppWorld or the Android Play Store
- Desktop computers – Download the applicable SafeNet MobilePASS from
-
When the enrollment period starts, all users will be prompted with "Important information!" when attempting to login to CMS Web (Collateral Management Web) using User name and Password. Choose "Register Now" in order to proceed with 2FA enrollment
NOTE: If you don't want to enroll at this time, choose "Continue to CMS Web" instead. This option can be chosen maximum of three times, after that the enrollment to 2FA is mandated - In the "2FA Registration" window, choose "Set up new 2FA account"
- In the "2FA Registration - Credentials 1(2)" window, verify the pre-filled information and correct if needed, then "Proceed to account initialization"
- In the "2FA Registration - Credentials 2(2)" window, choose "Continue account initialization"
- As stated in the "2FA Registration - Initialization" window, an e-mail has been sent to the e-mail address specified in step 3 above. Click on the link provided in this e-mail
- In the "2FA Registration - Password 1(2)" window, create a new password for your 2FA account, then "Proceed with account initialization"
- In the "2FA Registration - Password 2(2)" window, re-enter the password, then "Complete account initialization"
-
As stated in the "2FA Registration - Completion" window, an e-mail has been sent to the e-mail address specified in step 3 above. Click on the URL link specified in this e-mail on the device where the token should be enrolled
-
If not previously done, the MobilePASS app should be installed at this point. Click “Download MobilePASS Installer (.msi)”
NOTE: Administrator rights are required. Ask your IT department for assistance, if needed - Once the MobilePASS app has been installed, choose “Enroll your MobilePASS token”
-
MobilePASS token enrollment:
- If you are prompted to choose a method for enrolling the token, choose the “Auto Enrollment” option
- In the “Create New Token” view, set a token name, eg. “Nasdaq Token”
- In the “Set a Token PIN” view, set a new PIN code for your token (6 digits)
- Re-enter the Token PIN
-
The first generated Passcode appears now in the window. This can be use directly to log in to CMS Web (and in the future to other Nasdaq web applications as well)
NOTE: A passcode is only valid in 60 seconds, thereafter a new one will be generated - An e-mail stating that the 2FA registration has been completed will be sent to you. This e-mail contains a link to be used in order to login to 2FA and by so reaching CMS Web from now on
https://safenet.gemalto.com/support-downloads/mobilepass-download-page/
NOTE: The initial app installation requires local administrative privileges. However, after the installation has been completed, the usage of the MobilePASS software does not require administrative privileges
2FA Enrollment process
Below is a short step-by-step guide to 2FA enrollment for CMS Web users.
After the token enrollment has been completed, CMS Web will be accessed via "Two-Factor Authentication" window, by providing your CMS Web User Name, 2FA-Password set during the enrollment process, and your Passcode generated by your SafeNet MobilePASS app.
NOTE: Old CMS Web passwords should not be used after the enrollment of 2FA has been completed
New website
A new website has been launched for providing continuous updates regarding the 2FA project: http://www.nasdaqomx.com/transactions/technicalinformation/2fa
Support
For questions or concerns regarding the token enrollment, please contact Technical Support:
technicalsupport@nasdaq.com +46 8 405 6280
For CMS user or password questions, please contact Member Services:
ms.gi@nasdaq.com +46 8 405 6660
For questions regarding this IT Notice, please contact:
technicalrelations@nasdaq.com
Best regards,
Technical Relations
technicalrelations@nasdaq.com