Extra layers of security at Veryfi

June 4, 2018

    At Veryfi, your data privacy and security are our No. 1 concerns. We protect your data using state-of-the-art software and hardware that is unmatched in the industry. All of these protections are enabled by default on your account, so you don’t have to do anything else unless you want to lock down your account even further.

    On a recent episode of The Cloud Accounting podcast, David Leary (Small Business Ecosystem Evangelist, Intuit) and Blake T Oliver (Cloud Accounting Evangelist, FloQast) discussed the importance of Multifactor Authentication for securing business financial data. At Veryfi, data privacy is at the core of every product we develop. Please take the time to explore the many options available to you as a Veryfi customer for protecting your sensitive information.

    MFA – 2-step verification

    Most people only have one layer of account protection: their password. We believe you should have 2.

    With 2-Step Verification, if a bad actor hacks through your password layer, they still need your phone or Security Key to get into your account. This is why a 2-Step approach is a sound option.

    Furthermore, if your password is ever exposed through another provider (a breach, social engineering, and so on), bad actors will not be able to access your Veryfi data using just the password they obtained, because they will also need to pass this second layer of authentication.

    How to enable MFA:
    1. Go to https://hub.veryfi.com/me/
    2. Click on the yellow “Security” tab
    3. Flick the Enable switch for MFA and follow the steps to set it up.

    Once enabled, MFA will be enforced across ALL of your Veryfi web and mobile services.

    Biometric authentication

    Veryfi was first conceived on a mobile phone, and we are a mobile-first company. That’s why we continue to invest time and resources into making our apps run efficiently on both iOS (iPhone) and Android devices.

    On each platform, Veryfi allows you to enable Touch ID (as long as your device has this biometric authentication option). Fingerprint identity sensors make it easy for you to get into your iOS or Android mobile device, but impossible for someone else because they don’t have your fingerprint.

    iPhones (except the X model) have it on the front embedded into the home button for your thumb; Android devices place it on the back for your index finger. iPhone X uses your face for biometric authentication, which is also supported by Veryfi.

    We strongly encourage you to enable Touch ID (or Face ID) inside your Veryfi mobile app just in case someone picks up your phone and gets browsing happy through your history of purchases.

    How to enable biometric authentication:
    1. Go to https://hub.veryfi.com/me/
    2. Click on the yellow “Security” tab
    3. Flick the Enable switch for Biometric authentication and follow the steps to set it up.

    Once enabled, biometric authentication will be enforced across ALL your Veryfi web and mobile services.

    Keychain

    Veryfi’s iOS apps use Keychain to store and share passwords securely between the Veryfi apps, allowing single sign-on and simplifying switching between them.

    Keychain is Apple’s password manager built into every Mac, iPhone, and iPad. It makes it much easier for you to create safe and complex passwords without having to use a third party.

    This also means passwords you store on your Mac are accessible on your mobile Apple devices and vice-versa. It’s not only safe but also very convenient. Learn more about Keychain.

    Password policies

    We went the extra mile to ensure your passwords are as safe as they can be.

    • Every password is hashed with its own cryptographically random salt and stored as a PBKDF2 hash.
    • We do not send passwords to users. We cannot see them. If you forget your password, you must reset it.
    • No one can see your password, even on the rare chance the data is exposed. Because it is a one-way hash, no one — including us — can recover it.
    • We enforce password complexity so it’s at least 8 characters with 1 uppercase letter, 1 number, and 1 symbol. (This is also a HIPAA standard if you are in the U.S.).
    • We keep track of all failed login attempts by IP address, username, and user agent, and we lock out a user for 15 minutes after consecutive failed login attempts.
    • We have a proprietary secure user rank algorithm to flush out bad actors. If you are a good actor and are locked out, please contact our support team.
    • Passwords alone are not safe. Read our guide on why activating MFA (above) should be a default policy to ensure the highest level of security for all your financial data.
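The bullets above state three controls: salted PBKDF2 storage, a complexity rule (8 characters, one uppercase, one digit, one symbol), and a 15-minute lockout after consecutive failures tracked by username, IP and user agent. The block below is an added example of how those three controls fit together on a login path; it is not Veryfi's implementation. The PBKDF2 variant (HMAC-SHA256), the iteration count, the stored-hash format, the failure threshold of 5 and the class and function names are all assumptions of this example, since the post does not state them.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000   # assumed; the post does not state a count
SALT_BYTES = 16
LOCKOUT_SECONDS = 15 * 60     # 15-minute lockout, as stated in the post
MAX_FAILURES = 5              # assumed threshold; the post says only "consecutive"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-credential random salt + PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def meets_policy(password: str) -> bool:
    """The post's rule: at least 8 characters, 1 uppercase, 1 digit, 1 symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


class LoginGuard:
    """Tracks failed logins and enforces the temporary lockout (hypothetical class)."""

    def __init__(self, max_failures: int = MAX_FAILURES, lockout: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self.consecutive = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}                # username -> Unix time the lock expires
        self.audit = []                       # (time, username, ip, user_agent, outcome)

    def attempt(self, username: str, ip: str, user_agent: str,
                password: str, stored_hash: str, now: int) -> str:
        if self.locked_until.get(username, 0) > now:
            outcome = "locked"                # refuse even a correct password while locked
        elif verify_password(password, stored_hash):
            self.consecutive[username] = 0    # success resets the consecutive count
            outcome = "ok"
        else:
            self.consecutive[username] += 1
            outcome = "denied"
            if self.consecutive[username] >= self.max_failures:
                self.locked_until[username] = now + self.lockout
                self.consecutive[username] = 0
                outcome = "locked"
        # every attempt is recorded with IP and user agent, as the post describes
        self.audit.append((now, username, ip, user_agent, outcome))
        return outcome


if __name__ == "__main__":
    # Constructed sample credential and login sequence; nothing here is real data.
    stored = hash_password("Ledger#2018")
    guard = LoginGuard(max_failures=3)
    for t in range(3):
        print(guard.attempt("alice", "203.0.113.5", "Mozilla/5.0", "guess", stored, now=1000 + t))
    print(guard.attempt("alice", "203.0.113.5", "Mozilla/5.0", "Ledger#2018", stored, now=1010))
    print(guard.attempt("alice", "203.0.113.5", "Mozilla/5.0", "Ledger#2018", stored, now=1902))
```

Two details matter more than the rest: the salt is generated per credential, so two users with the same password produce different hashes and a precomputed table is useless, and the lockout check runs before the hash is verified, so a correct guess during the lockout window is still refused.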

    Data at rest & in transit

    Data “at rest” refers to how we store your data; data “in transit” is your data while it moves between you and the Veryfi services as you use them.

    • All communication is over HTTPS using TLS 1.2 – same stuff the banks use.
    • Our data center is AWS (Amazon Web Services), which complies with industry standards such as PCI DSS Level 1, FIPS 140-2, HIPAA, IRAP and ITAR.
    • Data at Rest is AES-256 encrypted and In Transit is secured by HTTPS TLS 1.2. This means your data is super-secure.
    • We perform a PenTest every Quarter (3 months).

    If you’d like to know more about how seriously we take your privacy, read our Privacy section. You’ll see that we DO NOT use any offshore data extraction teams like our competitors. Our data extraction team is synthetic — i.e., machines that work 24/7 and scale on demand automatically. This means you can safely store your medical records with Veryfi, along with any PII subject to HIPAA, GDPR and CCPA.

    We’ve got you covered so you don’t have to stress over security or data privacy.

    As always, feel free to reach out to us and even chat with our Chief Security Officer on cso@veryfi.com