Use-Cases / Wireframes
Copyright © 2016 Deloitte Development LLC. All rights reserved.
Contents
Focus Areas
Registration
Authentication
Self-Service
Help Desk
Session Management
| WAM Start-Up Program Use Cases2
Focus areas for the Requirements Confirmation Process
Transform how Clients, Advisors, and Corporate Users access various AFI services and applications:
− Offer a competitive user experience
− Address increasing fraud risk and overall security requirements
− Provide risk-aware authentication services that are highly available, responsive, and interoperable
In Scope
• Prospects, Clients, Advisors, Corporate
• Sign on to internal and external apps
• Self registration and profile management
• Authentication management, including password and preferred devices
• Security preference management, including authentication requirements for privileged operations and authorization of surrogates
Out of Scope
• Account Provisioning
• Entitlements management
Registration
New Prospect Registration
UC1A: New User registers as Prospect
UC1B: Advisor initiates Prospect invitation
Client Registration
UC2A: Prospect converts to a Client
UC2B: New Client enrolls for a digital profile
UC2C: Existing Client registers for digital profile
UC2D: Existing Client social registration
UC2E: Advisor registers Client
UC30: Delegate registers
Sub-Use Cases
UC25: User registers OTP device
UC26: User registers using social media profile
Existing client de-registration
UC38: Client de-registers digital profile
UC39: Advisor de-registers own client’s account
UC1A: New User registers as Prospect
New user quickly obtains access to evaluate capabilities offered to Clients;
provide low risk access to showcase services and begin collecting consumer
profile information
Audience: New User
Preconditions: User may or may not have a
preferred social media account.
Activities
1. User triggers request to become a new
Prospect on web / mobile UI.
2. UI displays option to use social account or
input form for manual entry.
3. User selects a social media account and
completes social registration (UC26).
4. WAM generates a new Prospect,
establishes a session for the User, and
captures device fingerprint.
5. WAM redirects User with active session to
web / mobile UI with the session
information.
6. Application receives active session
information, including device ID, and
authorizes User as a Prospect.
[Sequence diagram for the Activities above (actors: User, Web / mobile UI, WAM, UC26); not reproduced.]
User Req #s: 002, 003, 004, 005, 006, 007, 010, 028, 031, 037, 039, 042, 049, 050, 062, 089, 107, 108, 280
UC1B: Advisor initiates Prospect invitation
New user quickly obtains access to evaluate capabilities offered to Clients;
provide low risk access to showcase services and begin collecting consumer
profile information
Audience: Prospect
Preconditions: An advisor initiates digital profile setup
for a new prospect
Activities
1. Advisor collects information, including preferred
email address, from new Prospect.
2. Advisor triggers invitation in application.
3. Application sends invitation email to Prospect
with personalized registration link.
4. New Prospect follows link to self registration
page.
5. UI displays prospect option to use social
account or input form for manual entry with
ID/password setup.
6. Prospect optionally selects a social media
account for social registration (UC26).
7. UI invokes WAM API to create new Prospect
account with associated social profile
information and invokes social login.
8. WAM API captures social login and device
fingerprint, and returns a session for New
Prospect.
9. Application receives profile information and device ID and authorizes new Prospect.
User Req #s: 002, 003, 004, 005, 006, 007, 010, 028, 031, 037, 042, 049, 050, 062, 089, 107, 108, 280
[Sequence diagram for the Activities above (actors: Advisor, Prospect, mobile / web UI, WAM); not reproduced.]
UC2A: Prospect converts to a Client
A Prospect quickly converts to a Client, leveraging existing profile information
as much as possible; vet and credential new Prospect to address fraud/risk
requirements before establishing Client access
Audience: Prospect
Preconditions: User is already registered as prospect.
Activities
1. User authenticates via browser or mobile app
and selects option to enroll as a Client.
2. UI prompts User to provide additional verification, e.g. SSN, DOB, and to confirm existing information in profile.
3. UI verifies information, via WAM solution,
against trusted third parties (credit bureaus,
Dept of Transportation, etc.)
4. WAM returns success or failure.
5. UI prompts User to personalize User ID and
optional pseudonym (for high profile Clients).
6. UI calls WAM to check for uniqueness /
complexity.
7. UI prompts user to establish a compliant
password, challenge question responses, and
preferred SMS device.
8. UI verifies password compliance against WAM
and triggers new device registration, providing a
generated four digit code.
9. User registers OTP device (UC25).
[Sequence diagram for the Activities above (actors: User, Web / mobile UI, WAM, trusted 3rd party information verification, UC25); not reproduced.]
User Req #s: 001, 002, 003, 004, 007, 017, 020, 027, 028, 032, 046, 056, 089, 107, 108, 119, 280
UC2B: New Client registers digital profile
An Anonymous User utilizes social profile to quickly enroll as a new AFI client;
AFI completes necessary vetting of Anonymous User to address fraud and risk
concerns with a streamlined enrollment process
Audience: New User
Preconditions: User is not registered as prospect.
Activities
1. User accesses AFI through browser to request
enrollment as a New Client.
2. UI prompts for verification, e.g. SSN, DOB, etc. to validate user.
3. User provides verification information.
4. UI invokes WAM to verify information against
trusted third parties (credit bureaus, Dept. of
Transportation, etc.)
5. WAM returns successful verification.
6. UI presents registration form with fields to enter
unique User ID, password, security questions
and answers
7. WAM checks for uniqueness / complexity of
User ID and password and establishes new
profile.
8. User registers OTP device (UC25).
9. WAM redirects User back to AFI UI with
authentication assertion.
10. User is authorized within AFI UI.
[Sequence diagram for the Activities above (actors: User, mobile / web UI, WAM, trusted 3rd party information verification, UC26, UC25); not reproduced.]
User Req #s: 001, 002, 003, 004, 007, 017, 020, 027, 028, 032, 046, 049, 050, 056, 089, 107, 108, 119, 280
UC2C: Existing Client registers digital profile
A New User’s existing AFI application is utilized to quickly enroll as a new AFI
client; AFI application has already completed vetting; provide a streamlined
enrollment process and SSO to user’s account.
Audience: Client, Advisor
Preconditions: User has already been vetted by an application/
Advisor, e.g. has an account number.
Activities
1. Advisor provides account information to User.
2. Client accesses AFI UI through browser to request
enrollment as a New Client.
3. UI verifies new client with account number and last four
digits of social, etc.
4. UI submits the User’s account profile information to
WAM.
5. WAM establishes an AFI digital profile for the Client based on existing account information.
6. UI presents profile form, updated with information
collected from the existing account to verify.
7. UI prompts Client for User ID, password.
8. WAM checks for uniqueness / complexity / required
standard of User ID and password, and creates profile;
WAM captures device information.
9. UI obtains KBA from Client and updates digital profile
through WAM.
10. User registers OTP device (see UC25).
[Sequence diagram for the Activities above (actors: Advisor, Client, mobile / web UI, WAM, application storage, UC25); not reproduced.]
User Req #s: 001, 002, 003, 004, 007, 017, 020, 027, 028, 032, 046, 056, 089, 107, 108, 119, 280
UC2D: Existing Client registers with social account
An existing client utilizes social profile to quickly enroll for digital services;
eliminate a new password by using social account;
Audience: Client
Preconditions: User has already been vetted by an
application, e.g. has an account number from
Advisor and a preferred social media account.
Activities
1. User accesses UI through browser to
request enrollment as a New Client.
2. UI verifies new client with account
information and last four digits of social, etc.
3. UI prompts User with request to create a
new profile, using manual fields or social
login.
4. User completes social registration (UC26).
5. UI prompts user for User ID, password.
6. WAM checks for uniqueness / complexity
compliance of User ID and password and
creates profile.
7. UI obtains challenge question answers from
User and updates digital profile through
WAM.
8. User registers OTP device (UC25).
[Sequence diagram for the Activities above (actors: User, mobile / web UI, WAM, UC26, UC25); not reproduced.]
Note: this UC is deferred pending sufficient mitigation of fraud risk from weak social account controls.
User Req #s: 001, 002, 003, 004, 007, 017, 020, 027, 028, 032, 046, 056, 089, 107, 108, 119, 280
UC2E: Advisor sets up Client
Advisor quickly enrolls a new Client to access digital services; provide
Advisors with the ability to vet and quickly enroll Clients.
Audience: Advisor and Client
Activities
1. Advisor obtains Client PII, e.g. DOB, SSN, DL, etc. and
contact email.
2. Advisor authenticates (MFA) to UI* and triggers new
Client registration, providing Client PII.
3. UI triggers profile creation in WAM.
4. WAM returns with new digital profile information,
including temporary login ID.
5. WAM sends registration email to client’s preferred
contact email address.
6. Client receives email and clicks registration link, which
opens AFI UI through browser to new Client registration
interface.
7. UI fetches associated profile information based on
registration link.
8. Client enters verification information, e.g. last four digits
of social, etc.
9. UI verifies provided information against profile.
10. UI prompts Client to set User ID and new password, and
sends to WAM.
11. WAM checks for uniqueness / complexity compliance
and updates digital profile.
12. UI obtains challenge question answers from Client.
13. UI updates digital profile through WAM.
14. Client registers OTP device (see UC25).
[Sequence diagram for the Activities above (actors: Advisor, Client, mobile / web UI, WAM, UC25); not reproduced.]
User Req #s: 002, 005, 007, 279, 280
* Note: Advisor will not be challenged with MFA authentication if an active session already exists.
UC30: Delegate registers
A delegate of a Client registers for a digital profile; AFI completes necessary
vetting of new delegate to address fraud and risk concerns with a streamlined
enrollment process
Audience: New User
Prerequisites: Client advises delegate to register for an account and
provides website info
Activities
1. Delegate accesses AFI through browser to request enrollment
as a New Client.
2. UI prompts for verification, e.g. OTP, SSN, DOB, etc. to validate user.
3. Delegate provides verification information.
4. UI invokes WAM to verify OTP and additional information
against trusted third parties (credit bureaus, Dept. of
Transportation, etc.)
5. WAM returns successful verification.
6. Delegate registers via social media profile (see UC26) or
manual form input.
7. UI presents profile form, updated with information collected
from social account to verify, if applicable, and fields to enter
preferred email, unique User ID, password, KBA
8. WAM checks for uniqueness / complexity of User ID and
password and establishes new profile.
9. Delegate optionally registers trusted authentication device
(UC25).
10. WAM redirects User back to AFI UI with authentication
assertion.
11. AFI UI confirms that account setup is complete, and prompts
Delegate to follow up with Client to establish delegation.
[Sequence diagram for the Activities above (actors: Delegate, mobile / web UI, WAM, trusted 3rd party information verification, UC26, UC25); not reproduced.]
User Req #s: 002, 005, 037, 113, 114, 280
UC25: User registers OTP device
Client uses preferred device for step up authentication; mitigate MFA
friction with User preferred devices while maintaining fraud risk objectives
Audience: All
Preconditions: User is authenticated and has
requested enrollment of a new device for
authentication.
Activities
1. User reviews current registered devices.
2. User requests to add new device, and provides email address or phone number of an SMS-enabled mobile.
3. UI triggers new OTP device registration in
WAM.
4. WAM triggers OTP process through the
preferred mechanism ( email/ SMS).
5. UI prompts user for new OTP.
6. User receives email / SMS message with
OTP.
7. User enters OTP in UI.
8. UI sends OTP to WAM to confirm value.
9. WAM confirms OTP.
10. UI notifies User device enrollment is
complete.
[Sequence diagram for the Activities above (actors: User, Web / mobile UI, WAM, OTP delivery); not reproduced.]
User Req #s: 017, 051, 120, 280
UC26: User registers using social media profile
User experiences streamlined enrollment process and no new credentials to
remember; AFI captures social information of the prospect without burdening
the user with a new password.
Audience: Anonymous, Prospect
Preconditions: AFI UI displays option to
register using social account.
Activities
1. User selects register using a particular
social media account (Facebook, Twitter,
Gmail, etc.).
2. AFI UI redirects user to WAM social
registration page.
3. WAM solution redirects user to the
selected social media site for
authentication and consent collection
4. User authenticates and provides consent.
5. WAM solution captures social profile
information and establishes new AFI
profile for User.
6. WAM establishes a session with
appropriate confidence score and passes
session information back to AFI UI.
7. AFI UI authorizes User.
[Sequence diagram for the Activities above (actors: User, Web / mobile UI, WAM, social media site); not reproduced.]
User Req #s: 037, 062, 075, 280
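The redirect in step 3 and the return in steps 5 and 6 are where a social registration is attacked (login CSRF, replayed authorization codes, tokens issued for a different client or session). The following is an added example, not code from the Deloitte deck or from any WAM product, of the request-side and callback-side checks a relying party needs when the social media site is an OpenID Connect provider. The endpoint, client_id and redirect_uri values are assumptions; the token-exchange HTTP call and ID token signature verification are outside the block. The email_verified requirement is the practitioner check implied by the UC2D note on weak social account controls.

```python
# Added example (not from the deck): request-side and callback-side checks around
# UC26 steps 2-5 for an OpenID Connect social provider. Endpoint, client_id and
# redirect_uri values are assumptions; token exchange and signature verification of
# the ID token are not shown.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def start_social_registration(session: dict, authorize_endpoint: str,
                              client_id: str, redirect_uri: str) -> str:
    """UC26 step 3: build the redirect to the provider.

    state ties the callback to this browser session (login CSRF), nonce ties the
    ID token to it (replay), and the PKCE verifier ties the authorization code to it."""
    pending = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": secrets.token_urlsafe(64),   # 86 unreserved chars, within 43..128
    }
    session["oidc_pending"] = pending
    challenge = _b64url(hashlib.sha256(pending["code_verifier"].encode()).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Entry to UC26 step 5: accept the callback only for the pending request.

    The pending record is consumed even on failure, so a replayed callback fails.
    Returns what the token exchange needs; the exchange itself is not shown."""
    pending = session.pop("oidc_pending", None)
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if pending is None or not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("authorization code missing")
    return {"code": query["code"][0],
            "code_verifier": pending["code_verifier"],
            "nonce": pending["nonce"]}


def id_token_acceptable(claims: dict, issuer: str, client_id: str,
                        expected_nonce: str, now: int) -> bool:
    """Claim checks to run after the signature has been verified against the provider's keys.

    email_verified is required: an unverified address from a social account must not
    seed an AFI profile, which is the risk the UC2D deferral note refers to."""
    aud = claims.get("aud")
    aud_ok = client_id == aud if isinstance(aud, str) else client_id in (aud or [])
    return (claims.get("iss") == issuer
            and aud_ok
            and claims.get("nonce") == expected_nonce
            and claims.get("exp", 0) > now
            and claims.get("email_verified") is True)
```

The session dictionary stands in for the server-side session WAM establishes in step 6; the pending record must live there, never in a cookie the browser can rewrite, or the state check protects nothing.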
UC38: Client de-registers AFI profile
An AFI client de-registers digital profile to discontinue using AFI service; WAM
removes the user digital profile to meet privacy requirements and effectively
revokes access to enrolled applications
Audience: Client
Activities
1. Client triggers de-registration process in
application.
2. Application triggers step-up authentication
to confirm privileged action (see UC22A).
3. Application completes internal processing
to close out Client’s account(s).
4. Application invokes profile delete via
WAM API.
5. WAM API passes call to directory
services, invoking delete.
6. Directory confirms delete operation
completed.
7. WAM API returns operation result to Application.
8. Application sends email notification to Client noting that profile has been deregistered.
User Req #s: 005, 280, 282
[Sequence diagram for the Activities above (actors: Client, Application UI, WAM API, Client directory, UC22A); not reproduced.]
UC39: Advisor de-registers Client
Advisor de-registers own client’s digital profile to discontinue AFI service to the
client; WAM removes the user digital profile to meet privacy requirements and
effectively revokes access to enrolled applications
Audience: Advisor
Preconditions: Advisor is authenticated to
application UI that provides Advisor the ability to
see and manage the Advisor’s Clients.
Activities
1. Advisor triggers de-registration workflow
for a particular Client profile.
2. Application invokes profile delete in WAM
API.
3. WAM API passes call to directory
services, invoking delete.
4. Directory confirms delete operation
completed.
5. WAM API returns operation result to Application.
6. Application UI provides confirmation to Advisor.
7. Application sends email notification to client noting that profile has been deregistered.
User Req #s: 005, 280, 281
[Sequence diagram for the Activities above (actors: Advisor, Application UI, WAM API, Client directory); not reproduced.]
Authentication
Authenticate
UC3: Domain user authenticates
UC4A: User authenticates (untrusted device)
UC4B: User authenticates (trusted device)
UC4C: User authenticates (biometric-enabled)
UC4D: User authenticates (mobile 1-touch)
UC4E: User authenticates using social login
UC4G: High risk user authenticates
Log Out
UC5: User logs out global session
Step Up
UC22A: User performs privileged action (step-up)
UC22B: User performs privileged action (verify)
UC3: Domain user authenticates
A Corporate User or Advisor participating on the domain has transparent sign
on to non-Kerberos WAM-enabled apps; reduced support effort by eliminating
one-off application passwords
Audience: Corporate User or Advisor
Preconditions: User has domain
credentials and can access a domain
member server / client.
Activities
1. User is logged in to Windows domain
desktop or through VPN using AD
credentials and accesses WAM-
protected web application.
2. WAM establishes SSO session with
confidence score*.
3. WAM enables SSO into non-
Kerberos application.
4. Depending on requested application
and confidence score, user may be
prompted for additional verification
(see UC22).
5. Application grants access to User.
[Sequence diagram for the Activities above (actors: User, WAM-enabled application, WAM, UC22B); not reproduced.]
*Note: Confidence score is calculated dynamically based on session risk and various behavioral factors, e.g. credential risk, device type, geolocation, IP velocity, time of day, black lists, sensitivity of transaction, etc.
User Req #s: 005, 064, 078, 104, 280
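The confidence score note above lists the inputs but not how they combine or how a score becomes a step-up decision, which is what every later use case (UC4B step 4, UC6 step 2, UC23 step 2) relies on. The following is an added example, not code from the deck or from any WAM product, of one workable shape: start at 100, subtract a penalty per risk signal present, and compare against a threshold that depends on the sensitivity of the requested transaction. The penalty values, thresholds, transaction names and the blocklisted network are assumptions chosen for illustration.

```python
# Added example (not from the Deloitte deck): a minimal confidence score built from the
# session risk factors the note lists, and the step-up decision that consumes it.
# Penalty values, transaction thresholds and the blocklisted network are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class SessionContext:
    user_id: str
    device_trusted: bool      # device fingerprint matched and trust has not expired (UC4B)
    auth_method: str          # "kerberos", "password", "biometric" or "social"
    ip: str
    country: str              # geolocation of the current request
    home_country: str         # country on the user's profile
    login_time: datetime      # timezone-aware; the off-hours check is evaluated in UTC
    ips_last_hour: int        # distinct source IPs seen for this user in the last hour


# Constructed sample blocklist (TEST-NET-3, reserved for documentation).
BLOCKLISTED_NETWORKS = [ip_network("203.0.113.0/24")]

# Points subtracted from a perfect score of 100 for each signal present.
PENALTY = {
    "blocklisted_ip": 100,
    "untrusted_device": 30,
    "social_credential": 25,   # social accounts have weaker controls (see UC2D note)
    "ip_velocity": 25,
    "foreign_geo": 20,
    "off_hours": 10,
}

# Minimum score per transaction sensitivity; anything below triggers step-up (UC22A).
REQUIRED_SCORE = {
    "view": 40,
    "update_profile": 60,
    "change_password": 70,
    "assign_delegate": 80,
}


def confidence_score(ctx: SessionContext) -> int:
    score = 100
    addr = ip_address(ctx.ip)
    if any(addr in net for net in BLOCKLISTED_NETWORKS):
        score -= PENALTY["blocklisted_ip"]
    if not ctx.device_trusted:
        score -= PENALTY["untrusted_device"]
    if ctx.auth_method == "social":
        score -= PENALTY["social_credential"]
    if ctx.ips_last_hour > 2:
        score -= PENALTY["ip_velocity"]
    if ctx.country != ctx.home_country:
        score -= PENALTY["foreign_geo"]
    if not 6 <= ctx.login_time.astimezone(timezone.utc).hour < 23:
        score -= PENALTY["off_hours"]
    return max(score, 0)


def decide(ctx: SessionContext, transaction: str) -> str:
    """Return "allow", "step_up" or "deny" for the requested transaction.

    A blocklisted source is denied outright; otherwise the session either meets the
    threshold or must be stepped up, which is how UC3 step 4 and UC6 step 2 work."""
    score = confidence_score(ctx)
    if score == 0:
        return "deny"
    return "allow" if score >= REQUIRED_SCORE[transaction] else "step_up"


if __name__ == "__main__":
    ctx = SessionContext("advisor01", True, "kerberos", "198.51.100.7", "US", "US",
                         datetime(2016, 3, 1, 14, 0, tzinfo=timezone.utc), 1)
    print(confidence_score(ctx), decide(ctx, "assign_delegate"))
```

The point of the per-transaction threshold is that the same session can be good enough to view a balance and not good enough to assign a delegate, so step-up is asked for only where the risk justifies the friction.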
UC4A: User authenticates (untrusted device)
User with unknown desktop or mobile device is asked to provide a challenge
question and optionally register device; establish higher confidence score for
new device through additional knowledge based assessment questions
Audience: All
Precondition: User knows credential, but accesses AFI with a
new device
Activities
1. User authenticates successfully with unknown device to
web or mobile.
2. Proxy determines from WAM that this is a new device.
3. Proxy informs User this device is not recognized and
prompts for PIN / challenge question answer.
4. User successfully enters PIN / challenge question
answer.
5. WAM sends notification via User’s preferred device of
authentication with untrusted device.
6. Proxy prompts User to confirm whether device is public or
trusted
7. If User selects “trusted”, WAM captures and stores client
device fingerprint
8. Proxy redirects User to application.
Post Condition: Authentication attempts on a known device may require password only (depends on risk evaluation and whether trust has expired or is still in effect).
[Sequence diagram for the Activities above (actors: User, WAM Proxy, WAM device fingerprint, application); not reproduced.]
User Req #s: 005, 017, 020, 021, 034, 054, 056, 063, 064, 072, 073, 075, 078, 088, 092, 119, 280
SYS Req #s: 664
UC4B: User authenticates (trusted device)
User establishes SSO session using preferred authentication mechanism;
establish higher confidence score based on use of known “trusted” device
Audience: All
Precondition: User knows credential
and accesses AFI with device that is still
trusted
Activities
1. User authenticates successfully
with known device to web or
mobile.
2. WAM captures client device
fingerprint and confirms trust has
not expired.
3. WAM sends confidence score to
Proxy.
4. Proxy optionally requires additional
verification (see UC22).
5. Proxy redirects user to application.
[Sequence diagram for the Activities above (actors: User, WAM Proxy, WAM device fingerprint, application, UC22); not reproduced.]
User Req #s: 005, 017, 020, 021, 034, 054, 056, 063, 064, 072, 075, 078, 092, 119, 280
SYS Req #s: 664
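UC4A steps 6 and 7 and UC4B step 2 describe capturing a device fingerprint, storing it only when the user marks the device trusted, and confirming on the next login that trust has not expired. The following is an added example, not code from the deck or from any WAM product, of that store. The server key, the 30-day trust lifetime and the attribute set are assumptions; the fingerprint is a keyed hash so the stored value neither reveals the raw device attributes nor transfers to another deployment.

```python
# Added example (not from the deck): keyed device fingerprint with trust expiry and the
# public/trusted choice of UC4A steps 6-7, checked on the next login as in UC4B step 2.
# SERVER_KEY, TRUST_TTL and the attribute set are assumptions.
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta

SERVER_KEY = secrets.token_bytes(32)   # held only by WAM; in production, a managed secret
TRUST_TTL = timedelta(days=30)         # how long a "trusted" device stays trusted


def fingerprint(attrs: dict) -> str:
    """HMAC over canonical JSON of the device attributes.

    Keying the hash means a stored fingerprint cannot be replayed against another
    deployment and leaks nothing about the raw attributes if the store is read."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()


class DeviceTrustStore:
    def __init__(self) -> None:
        self._trusted: dict = {}   # (user_id, fingerprint) -> expiry datetime

    def register(self, user_id: str, attrs: dict, public: bool, now: datetime):
        """UC4A steps 6-7: remember the device only if the user marked it trusted.
        A public or shared device is deliberately not stored; returns None for it."""
        if public:
            return None
        fp = fingerprint(attrs)
        self._trusted[(user_id, fp)] = now + TRUST_TTL
        return fp

    def is_trusted(self, user_id: str, attrs: dict, now: datetime) -> bool:
        """UC4B step 2: fingerprint must match and trust must not have expired.
        Expired entries are purged so they cannot be revived later."""
        key = (user_id, fingerprint(attrs))
        expiry = self._trusted.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self._trusted[key]
            return False
        return True

    def revoke_all(self, user_id: str) -> int:
        """Drop every trusted device for a user, e.g. on de-registration (UC38/UC39)
        or a help desk password reset (UC17); returns how many were removed."""
        keys = [k for k in self._trusted if k[0] == user_id]
        for k in keys:
            del self._trusted[k]
        return len(keys)
```

Note that a fingerprint built from browser-reported attributes is a convenience signal, not an authenticator: it raises the confidence score, as UC4B says, but should never replace the password or the OTP on its own.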
UC4C: User authenticates (biometric-enabled)
User can use device unlock feature with biometric to access AFI mobile
applications; AFI uses biometric authentication features of a registered device
to establish user session
Audience: All
Precondition: User has registered a biometric
(fingerprint, voice/face recognition etc.) enabled
smart device. Application is enabled for
biometric authentication using device operating
system (iOS, Android, etc.).
Activities
1. User launches AFI mobile application.
2. Application prompts User to authenticate
with biometric sensor.
3. User uses the biometric sensor to
authenticate.
4. AFI mobile application receives
confirmation from the mobile OS.
5. WAM system captures the device ID and
fingerprint, creates a session for the user,
and provides device ID and session
information to application
6. User is granted application access via the
User’s application account.
[Sequence diagram for the Activities above (actors: User, mobile UI, WAM device fingerprint); not reproduced.]
User Req #s: 005, 021, 073, 078, 088
Self-Service
Profile Management
UC6: User Updates Profile
UC20: User assigns delegate
UC23: User sets security preferences
User ID / Password Management
UC7: User Changes Password
UC8A: User Logon Recovery (OTP delivery)
UC8B: User Logon Recovery (OTP generated)
UC8A/B: User Logon Recovery (OTP wireframes)
UC8C: User Logon Recovery (KBA)
UC9A: User Unlocks Account (failed passwords)
UC9B: User Unlocks Account (high risk source)
UC10: User changes User ID
UC11: User Retrieves Forgotten User ID
UC28: Advisor Resets Client’s Password
UC29: Advisor Unlocks Client’s Account
UC6: User Updates Profile
User updates information in personal profile on AFI web or mobile UI; AFI
reduces Helpdesk calls by allowing users to update the profile information to
keep the data current
Audience: Clients
Precondition: User is logged in to AFI application
maintaining an active global /universal session.
Activities
1. User selects ‘Update Profile’ option on the
manage profile and preferences section on
web or mobile UI.
2. Based on confidence score, User may be
asked for additional verification (see UC22A); if
the confidence score is adequate for the
operation, move to the next step.
3. UI prompts User with the profile and
preference page in edit mode to perform
necessary updates.
4. User performs changes to profile and
preferences (e.g. email, image, challenge
question/answer, notification preferences etc.)
and submits the changes.
5. UI validates user inputs and pushes updates to
WAM.
6. UI displays update confirmation to User.
7. WAM sends email notification to User
informing User of changes.
[Sequence diagram for the Activities above (actors: User, AFI web UI, WAM, UC22); not reproduced.]
User Req #s: 005, 014, 017, 023, 027, 028, 030, 032, 033, 034, 035, 036, 046, 047, 049, 050, 051, 077, 280, 291
UC20: Client assigns delegate
User can delegate access to trusted delegate; enable client to manage
delegation (if supported by the application) without contacting the help desk
Audience: Client
Precondition: User is logged in to AFI application with an
active, privileged global / universal session (see UC22).
Delegate is registered.
Activities
1. User accesses security settings and requests
option to designate a delegate*.
2. Application prompts user for name, contact
number, contact email address of delegate, and
desired authorization.
3. User provides the requested information, including
name and email.
4. Application sends email to proposed delegate,
notifying recipient of request.
5. a. A Recipient who already has an AFI account authenticates to the AFI application to review and approve the request.
   b. A new user needs to create an AFI account first (see UC30).
6. AFI application optionally sends delegation
information to WAM**.
7. AFI application notifies user delegation has been
established.
[Sequence diagram for the Activities above (actors: User, AFI web UI, WAM, UC30); not reproduced.]
* This UC is triggered and executed by the protected application. WAM system is only responsible for authenticating the Client.
** Delegation information may or may not be stored within the WAM environment (directory), depending on usefulness to other applications, user consent, and other factors of consideration to AFI enterprise data governance.
User Req #s: 005, 015, 116, 117, 118, 280
UC23: User sets security preferences
Clients and Advisors can map risk appetite to security services; enable
each end user to choose balance between security and user experience
Audience: Client, Advisor
Precondition: User is logged in to AFI with an
active global / universal session.
Activities
1. User selects ‘Update Security Preferences’
option on the manage profile section on web
or mobile UI.
2. AFI UI checks confidence score and, if
necessary, steps up authentication (see
UC22A).
3. AFI UI presents security preference
management interface.
4. User sets security preferences, such as
conditions under which MFA is required, OTP
delivery mechanism (email/SMS), update
OTP device etc.
5. AFI UI propagates changes to WAM.
6. UI receives confirmation from WAM system.
7. UI displays confirmation message to the
user.
8. WAM sends email notification to User
informing User of profile change.
[Sequence diagram for the Activities above (actors: User, AFI web UI, WAM); not reproduced.]
User Req #s: 005, 018, 038, 048, 052, 053, 121, 122, 123, 280, 291
UC7: User Changes Password
User changes password; AFI can enforce password complexity and history
rules and enable users to update passwords without helpdesk intervention
Audience: Client, Advisor
Precondition: An existing user with an active
session requests to change the Password.
Activities
1. User selects “Change Password” on the
manage profile section on web or mobile
UI.
2. User is prompted to enter the existing
password followed by new password.
3. User successfully enters existing and new
passwords (new password needs to be
entered twice to avoid typing mistakes).
4. WAM checks for complexity of the new
password.
5. User is prompted with a successful
password change confirmation.
6. WAM system notifies user that his/her
password is changed.
User Req #s: 005, 008, 012, 014, 026, 034, 280, 293
[Sequence diagram for the Activities above (actors: User, AFI web UI, WAM); not reproduced.]
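Step 4 says WAM "checks for complexity", and the use case goal adds history rules, but the deck does not show what either check contains. The following is an added example, not code from the deck or from any WAM product, of the full server-side sequence behind UC7 steps 2 to 4: verify the current password, confirm the repeated entry, apply a complexity policy, and refuse any of the last few passwords by checking the candidate against their stored hashes. The policy constants, PBKDF2 parameters and user ID are assumptions; a real deployment would normally delegate hashing to the directory rather than keep hashes in the application.

```python
# Added example (not from the deck): the checks behind UC7 steps 2-4, with a password
# history so a user cannot rotate back to a recent password. Policy constants and the
# PBKDF2 parameters are assumptions.
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 12
HISTORY_DEPTH = 5            # recent passwords that may not be reused
PBKDF2_ITERATIONS = 210_000  # PBKDF2-HMAC-SHA512 work factor (OWASP 2023 guidance)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2; a fresh random salt per entry keeps history hashes unrelated."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def complexity_errors(password: str, user_id: str) -> list:
    """Return every policy violation, so the UI can show them all at once."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        errors.append("must use at least three of: lower, upper, digit, symbol")
    if user_id.lower() in password.lower():
        errors.append("must not contain the user ID")
    return errors


class PasswordRecord:
    def __init__(self, user_id: str, initial_password: str) -> None:
        self.user_id = user_id
        self.history = [hash_password(initial_password)]   # oldest first, current last

    def change(self, current: str, new: str, new_repeat: str) -> list:
        """UC7: verify the current password, the repeat entry, complexity and history.
        Returns an empty list on success, otherwise the reasons for refusal."""
        salt, digest = self.history[-1]
        if not verify_password(current, salt, digest):
            return ["current password is incorrect"]
        if new != new_repeat:
            return ["new password entries do not match"]
        errors = complexity_errors(new, self.user_id)
        if errors:
            return errors
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if verify_password(new, salt, digest):
                return [f"must not match any of the last {HISTORY_DEPTH} passwords"]
        self.history.append(hash_password(new))
        return []
```

History is checked by hashing the candidate against each stored salt, which is the only way to do it without keeping old passwords recoverable; the cost is one PBKDF2 computation per history entry, bounded by HISTORY_DEPTH.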
UC8A: User Logon Recovery (OTP delivery)
User is able to access accounts after verification through preferred
authentication device; minimize calls to Help Desk for password reset
Audience: Client, Advisor
Precondition: User has forgotten password, but
knows Login ID.
Activities
1. User selects “Forgot Password” on either
web or mobile UI.
2. Web / mobile UI provides guidance that
one-time password ( OTP) will be sent
and triggers OTP process through WAM
system.
3. WAM system delivers OTP via email or
mobile SMS.
4. User enters OTP value (numeric) in web /
mobile UI.
5. User is prompted to Change Password.
6. User enters new password (new
password needs to be entered twice to
avoid typing mistakes) and is routed to
Login page to authenticate.
7. WAM system notifies user that his/her password is changed.
User Req #s: 005, 014, 029, 043, 047, 280, 293
[Sequence diagram for the Activities above (actors: User, AFI web UI, WAM, preferred email or SMS); not reproduced.]
UC8B: User Logon Recovery (OTP soft token)
User is able to access accounts after verification through preferred
authentication device; minimize calls to Help Desk for password reset
Audience: Client, Advisor
Precondition: User has forgotten
password, but knows Login ID.
Activities
1. User selects “Forgot Password” on the web UI.
2. Web UI prompts user for OTP.
3. User opens mobile application
displaying rotating OTP.
4. User enters OTP value (numeric) in
web UI.
5. Web UI confirms OTP against WAM.
6. User is prompted to Change
Password.
7. User enters new password (new
password needs to be entered twice
to avoid typing mistakes) and is
routed to Login page to authenticate.
[Sequence diagram for the Activities above (actors: User, AFI web UI, WAM, AFI / third party OTP generator); not reproduced.]
User Req #s: 005, 014, 029, 043, 047, 280, 293
UC8A/B: User Logon Recovery (OTP wireframes)
Depicted below is a sample workflow of wireframes for authenticating out of band and changing a forgotten password.
[Wireframe screens 1 to 3 not reproduced.]
UC8C: User Logon Recovery (KBA)
User is able to access accounts after verification with knowledge-based
authentication; minimize calls to Help Desk for password reset
Audience: Client, Advisor
Precondition: User has forgotten password, but knows Login ID.
Activities
1. User selects “Forgot Password” on either web or mobile
UI.
2. AFI UI fetches challenge questions from WAM.
3. AFI UI prompts user for responses to questions.
4. User enters responses.
5. AFI UI verifies responses against WAM.
6. AFI UI prompts user for new password with complexity
rules.
7. User inputs new password (new password needs to be
entered twice to avoid typing mistakes) satisfying the
complexity rules.
8. AFI UI submits password update to WAM.
9. WAM System returns a validation error message or
updates User’s password and unlocks User account, if
locked.
10. WAM system sends a message to the user’s preferred
communication mechanism confirming that the password
is changed.
11. User is redirected to the login page.
[Sequence diagram for the Activities above (actors: User, AFI web UI, WAM); not reproduced.]
User Req #s: 005, 014, 029, 043, 047, 280, 293
UC9A: User Unlocks Account (from failed passwords)
User can unlock account without calling the help desk; reduce help desk
volume from excessive failed password attempts
Audience: Client, Advisor
Precondition: User’s account is locked due to
unsuccessful login attempts and not coming from
high risk source (i.e. restricted IP address,
geographic location etc.). User is presented with a
message specifying that the account is locked, with
an option to unlock account.
Activities
1. User selects “Unlock Account” via browser UI
2. UI provides guidance that one-time password
(OTP) will be sent and triggers OTP process
through WAM system
3. WAM system delivers OTP via email or
mobile
4. User enters OTP value (numeric) in web /
mobile UI
5. UI validates the OTP with WAM system
6. If OTP is valid, account is unlocked, the user
is routed to change password UI.
7. User executes change password, and
password is updated in WAM.
8. User is authorized to application.
[Sequence diagram for the Activities above (actors: User, web / mobile UI, WAM, preferred email or SMS); not reproduced.]
User Req #s: 005, 014, 040, 280, 293
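UC25 (device enrollment), UC8A (logon recovery) and UC9A (account unlock) all rest on the same mechanism: WAM issues an OTP, delivers it out of band and later confirms the value the user typed. The deck says what happens but not what makes the check safe. The following is an added example, not code from the deck or from any WAM product, of the server side shared by those three use cases: the code is generated from a CSPRNG, only a salted hash is kept, it is bound to one purpose so an enrollment code cannot unlock an account, it expires, it is single use, and a small number of wrong guesses invalidates it. The OTP length, lifetime and attempt limit are assumptions; SMS and email delivery are outside the block.

```python
# Added example (not from the deck): server-side OTP issue and verify shared by UC25
# (device enrollment), UC8A (logon recovery) and UC9A (account unlock). OTP length,
# lifetime and attempt limit are assumptions; delivery by SMS/email is not shown.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

OTP_DIGITS = 6
OTP_TTL = timedelta(minutes=5)
MAX_ATTEMPTS = 3


class OtpStore:
    def __init__(self) -> None:
        self._pending: dict = {}   # (user_id, purpose) -> record

    def issue(self, user_id: str, purpose: str, now: datetime) -> str:
        """Create a CSPRNG code, store only a salted hash, return plaintext for delivery.

        Binding the code to a purpose ("enroll_device", "reset_password", "unlock")
        stops an enrollment OTP from being replayed to reset a password. Issuing a
        new code replaces any pending one for the same purpose."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[(user_id, purpose)] = {
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires": now + OTP_TTL,
            "attempts": 0,
        }
        return code   # hand to the SMS/email sender; never log it

    def verify(self, user_id: str, purpose: str, submitted: str, now: datetime) -> bool:
        """Single use: the record is removed on success, on expiry and after
        MAX_ATTEMPTS wrong guesses, so a 6-digit code cannot be brute forced."""
        key = (user_id, purpose)
        rec = self._pending.get(key)
        if rec is None:
            return False
        if now >= rec["expires"]:
            del self._pending[key]
            return False
        rec["attempts"] += 1
        digest = hashlib.sha256(rec["salt"] + submitted.encode()).digest()
        ok = hmac.compare_digest(digest, rec["digest"])
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[key]
        return ok
```

For UC9A the purpose would be "unlock" and the account is unlocked only after verify returns True; for UC8A the same call gates the change-password screen, and for UC25 it gates marking the device as enrolled. Rate limiting the issue path per user is a separate control the block does not show.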
32. Help Desk
User Support
UC16: Help Desk agent views user profile 49
UC17: Help Desk resets user logon information 50
UC18: Help Desk views user session information 51
UC19: Help Desk agent registers new Prospect 52
UC40: Help Desk agent de-registers client’s digital profile 53
UC16: Help Desk agent views user profile
Helpdesk agents will be able to view the profile details of users (prospects/clients/internal users) for troubleshooting; provide Help Desk agents with the tools and access necessary to support Clients, Prospects, Advisors and Corporate Users.
Audience: Help Desk agents
Precondition: Helpdesk agent is logged in to the administrative interface.
Activities
1. Helpdesk agent selects the search-user function and specifies the attribute to search on (e.g. name, email). The agent may enter a value for the selected attribute to perform a wildcard search.
2. WAM system returns a list of matching users to the UI.
3. System presents the list of users matching the search criteria.
4. Helpdesk agent selects a particular user from the list to view details.
5. System allows the helpdesk agent to view the user’s profile information (e.g. name, email, phone, security questions, registered devices, account status, account type), excluding the password and the answers to the security questions.
[Sequence diagram: Helpdesk agent, WAM Admin. UI, WAM; arrows numbered 1-5 follow the Activities above.]
User Req #s: 005, 093, 095, 102, 104, 106, 111, 280
UC17: Help Desk resets user logon information
Helpdesk agents will be able to reset a user’s logon information (password / security questions / account lock); AFI will allow authorized Helpdesk agents to reset user profile information after establishing the user’s identity.
Audience: Help Desk agents
Precondition: Helpdesk agent establishes the user’s identity as defined in the helpdesk manual. Help desk agent logs in to the administrative interface and searches for the user’s record (UC16).
Activities
1. Helpdesk agent selects the user record and performs one of the following options:
   a) Unlock account
   b) Reset password
   c) Reset security questions
   d) Remove registered devices
2. If option ‘a’ is selected, the system unlocks the selected user’s account and moves to step 6.
3. If option ‘b’ is selected:
   a) WAM system sends a temporary password to the user through the preferred communication mechanism.
   b) WAM system forces a password change at the next login and moves to step 6.
4. If option ‘c’ is selected:
   a) WAM system requires the user to select new security questions and answers at the next login.
   b) WAM system allows the user to select new security questions and answers at the next login.
5. If option ‘d’ is selected, WAM system allows the agent to remove a particular registered device.
6. WAM system notifies the user of the actions performed through the preferred communication mechanism.
[Sequence diagram: Helpdesk agent, WAM Admin. UI, WAM; arrows 1, 2, 3a, 3b, 4a, 4b, 5 and 6 follow the Activities above.]
User Req #s: 005, 095, 096, 098, 099, 100, 101, 102, 103, 105, 280
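Steps 1 to 6 of UC17 as an added example (not code from the deck or from any WAM product): the reset is gated on the agent’s role and on the identity check the precondition demands, the temporary password of option ‘b’ is kept only as a salted PBKDF2 hash with a must-change flag, option ‘d’ removes exactly one named device, and every option yields an audit event carrying the step 6 notification. The role name, record fields and temporary-password format are assumptions.

```python
# Help Desk reset of a user's logon information, modelled on UC17 (added example;
# not code from the deck or any WAM product). Assumed: agents carry a 'helpdesk'
# role, the agent records the identity check before calling, and the user record
# holds a password hash, security questions, registered devices and a channel.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Agent:
    agent_id: str
    roles: List[str]

@dataclass
class UserRecord:
    user_id: str
    preferred_channel: str            # "email" or "sms"
    locked: bool = False
    password_hash: str = ""
    must_change_password: bool = False
    must_reset_security_questions: bool = False
    security_questions: List[str] = field(default_factory=list)
    devices: List[str] = field(default_factory=list)

def _hash_password(password: str) -> str:
    # Salted PBKDF2-HMAC-SHA256; only the digest is kept on the record.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}:{digest.hex()}"

def helpdesk_reset(agent: Agent, user: UserRecord, option: str,
                   identity_verified: bool, device: Optional[str] = None
                   ) -> Tuple[Dict[str, str], Optional[str]]:
    """Steps 1-6. Returns (audit_event, temporary_password); the audit event
    carries the step 6 notification text and channel. The temporary password is
    returned only for option 'b' for delivery via the preferred channel (step 3a)
    and is never stored in clear."""
    if "helpdesk" not in agent.roles:
        raise PermissionError("only Help Desk agents may reset logon information")
    if not identity_verified:
        raise PermissionError("user identity not established per the helpdesk manual")
    temp_password = None
    if option == "a":                                   # step 2: unlock
        user.locked = False
        action = "account unlocked"
    elif option == "b":                                 # step 3: temporary password
        temp_password = secrets.token_urlsafe(12)
        user.password_hash = _hash_password(temp_password)
        user.must_change_password = True
        action = "temporary password issued; change required at next login"
    elif option == "c":                                 # step 4: security questions
        user.security_questions.clear()
        user.must_reset_security_questions = True
        action = "security questions reset; new questions required at next login"
    elif option == "d":                                 # step 5: remove one device
        if device not in user.devices:
            raise ValueError(f"device {device!r} is not registered to {user.user_id}")
        user.devices.remove(device)
        action = f"registered device {device} removed"
    else:
        raise ValueError(f"unknown option {option!r}")
    audit_event = {                                     # step 6: notify and record
        "agent_id": agent.agent_id, "user_id": user.user_id, "option": option,
        "action": action, "notify_channel": user.preferred_channel,
    }
    return audit_event, temp_password
```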
UC18: Help Desk views user session information
Helpdesk agents will be able to view the session details of users (prospects/clients/internal users) for troubleshooting; provide Help Desk agents with the tools and access necessary to support Clients, Prospects, Advisors and Corporate Users.
Audience: Help Desk agents
Preconditions: User has reported issues in accessing an AFI application. Helpdesk agent is logged in to the administrative interface.
Activities
1. Helpdesk agent selects the search-user function and specifies the attribute to search on (e.g. name, email). The agent may enter a value for the selected attribute to perform a wildcard search.
2. WAM system returns a list of matching users to the UI.
3. System presents the list of users matching the search criteria.
4. Helpdesk agent selects a particular user from the list to view session details.
5. System allows the helpdesk agent to view the user’s session information (e.g. session ID, browser name/version, device details, session length, user location, connection provider).
[Sequence diagram: Helpdesk agent, WAM Admin UI, WAM; arrows numbered 1-5 follow the Activities above.]
User Req #s: 005, 094, 104, 280
UC19: Help Desk agent registers new Prospect
Anonymous user calls the helpdesk to obtain access to evaluate the capabilities offered by AFI; AFI Helpdesk provides low-risk access to showcase services and begins collecting consumer profile information.
Audience: Help Desk agents
Preconditions: Unregistered user calls the helpdesk to get access to an AFI application. Helpdesk agent is logged in to the administrative interface.
Activities
1. Helpdesk agent collects user information (name, email, phone) from the prospect and fills in the registration form.
2. Helpdesk agent selects the option to register a new prospect, fills in the user details and submits the request to trigger user profile creation in the WAM system.
3. WAM system creates a new user account and sends the account activation email to the user’s registered email address.
4. User clicks the activation link in the email.
5. User is asked to select a password meeting the complexity guidelines.
6. User provides a suitable password (entered twice to avoid typing mistakes); the SSO system captures the device fingerprint.
7. User’s account is activated, and the user is redirected to the login page.
[Sequence diagram: Helpdesk Agent, WAM application, Activation email, User; arrows numbered 1-7 follow the Activities above.]
User Req #s: 005, 097, 280
UC40: Helpdesk agent de-registers Client
Help Desk agent will be able to de-register a client’s digital profile to discontinue AFI services to the client; WAM disables the user’s digital profile to restrict access to entitled applications.
Audience: Help Desk agents
Preconditions: Existing client calls the helpdesk to de-register the digital profile. Helpdesk agent is logged in to the administrative interface.
Activities
1. Helpdesk agent searches for the user in the Administrative UI.
2. WAM returns the list of users matching the search criteria for the UI to present to the Helpdesk agent.
3. Helpdesk agent triggers de-registration of the Client.
4. Admin UI triggers the profile delete in WAM.
5. WAM API passes the call to directory services, invoking the delete.
6. Directory confirms that the delete operation completed.
7. WAM sends a confirmation email to the former Client, informing them that the process completed successfully.
User Req #s: 005, 280, 281
[Sequence diagram: Administrative UI, WAM API, Client directory; arrows numbered 1-7 follow the Activities above.]
38. Session Management
Session management
UC12: User maintains session across applications (same browser) 55
UC13A: SSO from web browser to mobile browser 56
UC13B: SSO from mobile browser to web browser 57
UC14: User switches A+C to client profile (browser) 58
UC27: SSO across mobile applications 59
UC41: SSO for Thick Client Application 60
UC15A: Session expires (proxy-based) 61
UC15B: Session expires (API-based) 62
Federation
UC24A: External business partner accesses AFI application 63
UC24B: AFI User accesses business partner application 64
UC24C: Business Partner accesses AFI application 65
UC12: SSO across web applications (same browser)
User interacting with AFI via the web or mobile experience does not have to authenticate again to access another application; AFI establishes assurance that the user is valid through the existing user session and allows access to the new application without an additional login.
Audience: Client, Advisor and Corporate
Precondition: User is logged in (has an active session) to an AFI application through the web or mobile UI and either tries to access another AFI application or gets redirected to an AFI / federated application, using the same interface.
Activities
1. User opens a new browser tab and tries to access another AFI application, or gets redirected to another AFI / federated application.
2. WAM system recognizes that the user is already authenticated and allows the user to access the second application without presenting a login prompt.
3. User is granted application access using the existing session.
[Sequence diagram: User, AFI web UI, WAM; arrows numbered 1-3 follow the Activities above.]
User Req #s: 005, 016, 060, 061, 065, 066, 067, 070, 074, 109, 280
System Req #s: 271, 279
UC13A: SSO from web browser to mobile browser
User changing AFI access from a web browser to a mobile browser does not require authentication while having an active session; AFI establishes assurance that the user is valid through the existing user session and allows access from the new device without an additional login.
Audience: Client, Advisor and Corporate
Precondition: User is logged in (has an active session) to an AFI application through the web UI and tries to access it through the mobile UI using a trusted device.
Activities
1. User opens the AFI application using the web UI.
2. WAM establishes a session for the user.
3. User tries to access the AFI application using the mobile UI.
4. WAM system recognizes that the user is already authenticated and allows the user to access the AFI application through the new trusted device.
5. User is granted application access using the existing session.
[Sequence diagram: User, AFI web UI, WAM; arrows numbered 1-5 follow the Activities above.]
User Req #s: 005, 058, 059, 066, 067, 109, 280
System Req #s: 271
Note: This scenario introduces security risk from loss of device or possible spoofing.
UC13B: SSO from mobile browser to web browser
User changing AFI access from a mobile browser to a web browser does not require authentication while having an active session; AFI establishes assurance that the user is valid through the existing user session and allows access from the new device without an additional login.
Audience: Client, Advisor and Corporate
Precondition: User is logged in (has an active session) to an AFI application through the mobile UI and tries to access it through a web browser using a trusted device.
Activities
1. User opens the AFI application using the mobile UI.
2. WAM establishes a session for the user.
3. User tries to access the AFI application using the web UI.
4. WAM system recognizes that the user is already authenticated and allows the user to access the AFI application through the new trusted device.
5. User is granted application access using the existing session.
[Sequence diagram: User, AFI web UI, WAM; arrows numbered 1-5 follow the Activities above.]
User Req #s: 005, 058, 059, 066, 067, 109, 280
System Req #s: 271
Note: This scenario introduces security risk from loss of device or possible spoofing.
UC14: User switches between A+C and Client profile (browser)
User must authenticate when changing role between A+C and Client; prevent the user from accessing Client apps with a corporate login and corporate apps with a Client login, even if it is the same person.
Audience: Client, Advisor and Corporate
Precondition: A+C User has an active session with an A+C application. A+C User accesses a browser-based Client application.
Activities
1. User tries to access a Client application.
2. WAM proxy intercepts the session token and identifies an A+C session.
3. WAM redirects the User to the Login UI.
4. Login UI informs the User that a new, separate session will be created to access the Client application.
5. User acknowledges and affirms the desire to access the Client application with a new session.
6. Login UI prompts the User for credentials.
7. User enters the correct Client ID and password.
8. Login UI verifies the credentials against the WAM API.
9. WAM API returns a session token for the Client profile to the Login UI.
10. Login UI confirms the token and passes the User to the Client application with an identity assertion*.
[Sequence diagram: User, Client Application, Login UI, WAM; arrows numbered 1-10 follow the Activities above.]
User Req #s: 005, 068, 280
Note: The Precondition and Activities depict an A+C User who has an active session with an A+C application before attempting to access a Client application, but this use case also applies to an A+C User who has an active session with a Client application before attempting to access an A+C application, by interchanging A+C and Client in the descriptions.
*Note: User maintains two separate active sessions, for advisor and client applications.
UC27: SSO across mobile applications
User interacting with the AFI mobile application experience does not have to authenticate again to access another mobile application; AFI establishes assurance that the user is valid through the existing user session and allows access to the new mobile application without an additional login.
Audience: Client, Advisor and Corporate
Precondition: User is logged in (has an active session) to an AFI mobile application and tries to access another AFI mobile application. The API SDK is deployed on the device. Apps are signed by a common developer key.
Activities:
1. User opens another application that is registered with the same developer (enterprise) key and can access the API SDK.
2. App accesses the JWT (JSON Web Token) stored in a shared keychain group and verifies the token against the WAM API (calls made through the API SDK).
3. User seamlessly accesses the second mobile application without another sign-on.
[Sequence diagram: User, AFI Mobile Application, WAM API; arrows numbered 1-3 follow the Activities above.]
User Req #s: 005, 013, 058, 059, 066, 067, 280
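The token handling behind UC14 and UC27 as an added example (not code from the deck or from any vendor): a WAM-side check of the session JWT that allows SSO when the token’s profile matches the application (UC27, step 2), demands a separate login when an A+C session reaches a Client application or vice versa (UC14, steps 2-3), and rejects tampered, expired or algorithm-swapped tokens. The HS256 layout, the 'profile' claim with values "client" and "ac", and the key held only by WAM are assumptions.

```python
# WAM-side check of a session token, modelled on UC14 and UC27 (added example;
# not code from the deck or any vendor). Assumed: the session token is an HS256
# JWT with 'sub', 'exp' and a 'profile' claim of "client" or "ac" (Advisor +
# Corporate), and the signing key is held only by WAM.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOW, REAUTH, INVALID = "allow", "reauthenticate", "invalid"
PROFILES = ("client", "ac")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, sub: str, profile: str, exp: float) -> str:
    """Mint a session JWT for one profile (UC14 keeps A+C and Client sessions apart)."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}")
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps({"sub": sub, "profile": profile, "exp": int(exp)}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def evaluate_session(token: str, app_profile: str, key: bytes,
                     now: Optional[float] = None) -> str:
    """Decide what the WAM proxy / API does with a request carrying `token`.

    ALLOW   valid token whose profile matches the application (UC12, UC27 SSO)
    REAUTH  valid token, other profile: an A+C session reaching a Client app or
            vice versa; UC14 requires a separate login and a new session
    INVALID malformed, tampered, expired or algorithm-swapped: no session at all
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":      # pin the algorithm: anything else is rejected
            return INVALID
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return INVALID                    # signature check before any claim is trusted
        claims = json.loads(_b64url_decode(payload_b64))
        if now >= float(claims["exp"]):
            return INVALID
        profile = claims["profile"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return INVALID
    if profile not in PROFILES or app_profile not in PROFILES:
        return INVALID
    return ALLOW if profile == app_profile else REAUTH
```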
Index of Use Cases
New Prospect Registration
UC1A: New User registers as Prospect 10
UC1B: Advisor initiates Prospect invitation 11
Client Registration
UC2A: Prospect converts to a Client 12
UC2B: New Client enrolls for a digital profile 13
UC2C: Existing Client registers for digital profile 14
UC2D: Existing Client social registration 15
UC2E: Advisor sets up Client 16
UC30: Delegate registers 17
Sub-Use Cases
UC25: User registers OTP device 18
UC26: User registers using social media profile 19
Existing client de-registration
UC38: Client de-registers digital profile 20
UC39: Advisor de-registers own client’s account 21
Authenticate
UC3: Domain user authenticates 23
UC4A: User authenticates (untrusted device) 24
UC4B: User authenticates (trusted device) 25
UC4C: User authenticates (biometric-enabled) 26
UC4D: User authenticates (mobile 1-touch) 27
UC4E: User authenticates using social login 28
UC4G: High risk user authenticates 29
Index of Use Cases
Log Out
UC5: User logs out global session 30
Step Up
UC22A: User performs privileged action (step-up) 31
UC22B: User performs privileged action (verify) 32
Profile Management
UC6: User Updates Profile 34
UC20: User assigns delegate 35
UC23: User sets security preferences 36
User ID/ Password Management
UC7: User Changes Password 37
UC8A: User Logon Recovery (OTP delivery) 38
UC8B: User Logon Recovery (OTP generated) 39
UC8A/B: User Logon Recovery (OTP wireframes) 40
UC8C: User Logon Recovery (KBA) 41
UC9A: User Unlocks Account (unsuccessful attempts) 42
UC9B: User Unlocks Account (high risk source) 43
UC10: User changes User ID 44
UC11: User Retrieves Forgotten User ID 45
UC28: Advisors Resets Client’s Password 46
UC29: Advisors Unlocks Client’s Account 47
Index of Use Cases
User Support
UC16: Help Desk agent views user profile 49
UC17: Help Desk resets user logon information 50
UC18: Help Desk views user session information 51
UC19: Help Desk agent registers new Prospect 52
UC40: Help Desk agent de-registers client’s digital profile 53
Session management
UC12: User maintains session across applications (same browser) 55
UC13A: SSO from web browser to mobile browser 56
UC13B: SSO from mobile browser to web browser 57
UC14: User switches A+C to client profile (browser) 58
UC27: SSO across mobile applications 59
UC41: SSO for Thick Client Application 60
UC15A: Session expires (proxy-based) 61
UC15B: Session expires (API-based) 62
UC24A: External business partner accesses AFI application 63
UC24B: AFI User accesses business partner application 64
UC24C: Business Partner accesses AFI application 65
Key Anti-Fraud Requirements
1. Risk evaluation engine: Several requirements around configuring the risk evaluation engine, policies, thresholds, device identification, geolocation, black/white lists, detecting IP anonymizers, determining high and medium risk, triggering multi-factor authentication (MFA) for medium-risk users, blocking high-risk users and related items. Preventing access to the risk engine by unauthorized personnel.
2. Multi-Factor Authentication: Requirements covering different MFA methods, such as KBA (Knowledge Based Authentication) questions and answers, OTP over email, OTP over SMS, biometrics and so on.
3. Step Up Authentication: Requirements covering step-up authentication for specific high-risk client activities.
4. Testing and Simulation: Requirements covering the Anti-Fraud team being able to test and simulate the risk evaluation and MFA in a production-like environment without affecting production data or performance.
5. Monitoring and alerting: Immediate alerting within 10 minutes of suspicious activity, ongoing monitoring of transactions. Logging of any changes to configuration and policies.
6. Reporting: Several requirements to obtain near real-time reports for immediate action and historical (12 months) reporting to detect trends in fraud activity.
Key Availability and Performance Requirements
Availability & Performance:
1. Planned outages vs unplanned outages
2. Performance requirement
3. Aggregators - volume and response time
4. Deployments to avoid outages and fallback
5. Peak volumes during town halls (A&C) and Market demands (client)
Key Integration Requirements
Integration:
1. SYS441 - Migration strategy to avoid impact to existing integrations
2. Multiple environments for faster dev and QA effort
3. Streamline process and effort for deployments and promotion of releases
4. Seamless migration of applications
What is Web Access Management?
Web Access Management is a set of capabilities for controlling access to websites and applications for Client, Advisor and Corporate staff.
Major components include:
• Web access management and Single Sign On (SSO)
• Risk assessment/scoring and Multi-Factor authentication (MFA)
• Centralized directory services for user authentication (Directories)
• Self-service and user account provisioning (SSO Custom App)
• API (Application Programming Interface) management including mobile security (net new capability)
The optimal Identity and Access Management solution is a balance between Security, Anti-Fraud and User Experience, taking into account our competition’s offerings.
[Diagram: three overlapping circles labelled Security, User Experience and Anti-Fraud; their intersection is labelled Optimized Solution.]
WAM Design Principles
Documented and proposed design principles for the WAM platform.
• Active-Active-Active (three data centers)
• Multiple hosting / IaaS vendors (IBM, SoftLayer, Equinix)
• 90% of responses should be <2 secs (platform only, excluding app delay)
• Eliminate / avoid customization
• Leverage out of the box features
• UX owned by applications / .com
• Coarse-grained authorization only
• 4-6 integration patterns, piloting 1-2 for each
• 99.999% availability, API-based
Fast, frictionless UX
• Seamless logon, navigation for domain users
• Multi-browser / multi-device support
• Provide multiple authentication methods, including biometrics
• Risk-scoring and risk-based authn
Fraud protection
• Maintain industry-leading, low online fraud levels
• Enhance fraud detection and prevention
• Advisors must MFA to submit or access client PII
• Enforce default deny-all for all protected applications
WAM Program Overview - Impact & Scope
The WAM program will significantly uplift or replace every element of the existing Web Access Management solution.
• There will be scope differences between the Advisor & Corporate (A&C) and Client instances of the solution.
• In addition, the application integrations will be aligned with a defined set of integration patterns.
• The scope involves constructing a new WAM environment parallel to the existing environment and a migration of applications from old to new.
• The POA design will include local high availability as well as site-level resiliency with support for active/active locations.
• External client registration, stepped-up authentication and self-service are in scope.
• The advisor/corporate instance will use Active Directory for authentication; all other LDAP directories would be transitioned to the selected vendor directory.
• A new monitoring, metrics and reporting solution will be introduced.