| | Criterion | Guidance Note | Specific Comments |
|---|---|---|---|
| 1 | A user can register on the extranet using their Unipass without the need to register for a password/PIN beforehand. | | A Unipass was registered without obtaining a username or password beforehand. |
| 2 | No user data already available from the certificate should need to be re-keyed. | - It is permissible to present this information to the user and allow them to edit it so long as it is clear that such a step is optional and does not detract from the process of completing any mandatory data items. | No data from the certificate is required to be re-keyed. |
| 3 | The registration process must be paper free. | | No paper process is involved in registering a Unipass. (When the first person from a firm registers, a letter is sent to the Principal of the firm, but access to services and data is granted unless and until the Principal contacts Clerical Medical to withdraw consent.) |
| 4 | Unipass organisation and individual identifiers should be used as the keys to identity, and user access must persist without re-registering whenever a new certificate is issued in which these keys persist. | - Background processes which capture and store changed data are permissible so long as the user experience is not interrupted. | Clerical Medical’s assurance was accepted that re-registration is not required where these keys persist. |
| 5 | Where the user has a pre-existing password/PIN and this will continue to be accepted for authentication, access using Unipass must not be suspended when the password/PIN is not refreshed in line with security policy. | - There may, and probably should be, a separate password reset process, but this is not covered by this scheme. | A user with an existing username and PIN may link a Unipass to their account. There is no requirement to refresh the PIN in order to maintain access with Unipass. |
| 6 | On presentation of a valid intermediary certificate and completion of supplementary data (including correct agency data), access to new business and quotations must be immediate, access to client data must follow within 1 working day, and confirmation should be provided to the user that such access has been granted. | - Where an intermediary firm or network is allowed to opt out of the standard registration process, this will not be within scope – see exclusions above.<br>- Access must be granted within the appropriate timescales in all cases other than the exceptions noted immediately above.<br>- “Immediate” access means within 10 minutes.<br>- Confirmation can be given either explicitly or implicitly.<br>- N.B. only the access described is in scope (e.g. commission systems are out of scope). | When a Unipass is registered, access to NB and quotations is immediate. Access to client data is granted in a timescale ranging from almost immediately to 1 working day, depending on relationships already in place with other users in the firm. |
| 7 | User data entry should be limited to 4 items. | - Marketing opt-in/opt-out, tick boxes for T&Cs, and navigation buttons do not count towards the total of data items entered.<br>- Multiple instances of a data item (e.g. agency) or split elements of a data item will count as one item. | User data entry is limited to:<br>- 3 radio buttons to select the products/clients you want access to<br>- Selection from a drop-down list of a Unipass Controller (where one exists) to approve your access to Contract Enquiry<br>- Security questions (4)<br>- Selection of an agency level by clicking on a position in a displayed hierarchy |
| 8 | For new accounts, if userID and password/PIN are to be explicitly created, this should not prevent access to client data by means of using Unipass. | - A userID and password/PIN may be created, and may or may not be displayed to the user, but access to client data via Unipass must not be delayed pending completion of an offline process relating to the provision of the userID, e.g. while a password is sent to the user by whitemail. | No userID or PIN is explicitly created. |
| 9 | User messages must be clear and provide relevant status information (e.g. “Your Unipass has been revoked”, not “There’s a problem with your Unipass”). | - A full list/table of error messages must be provided during the audit. | The error messages encountered were satisfactory. |
| 10 | The “landing point” on secure services within the provider site should be able to determine whether a Unipass has already been properly associated with a user account, and initiate log-in where this is the case. Where no such association pre-exists, the registration form should be presented. | - The landing point is the page to which the user is directed to log in with Unipass, whether via a URL from the Unipass website or from a non-secured area of the provider’s website, e.g. the provider may opt to have the user directed from the Unipass to a public area of their extranet, where brochures and other non-secured information and/or services are provided.<br>- It is acceptable to have alternative hyperlinks from the public area of the extranet for Unipass access on the one hand and username/password access on the other.<br>- It is not acceptable to have separate pages for Unipass login and initial registration with Unipass. | If a user attempts to access a secured service with a Unipass that is not already registered, they are taken to a page offering the opportunity to link the Unipass to an existing username and password account or to proceed through Unipass registration. At the end, they are returned to the Adviser home page. |
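Criteria 4 and 10 together describe a design rule worth seeing in code: the account lookup at the landing point must be keyed on the persistent Unipass organisation and individual identifiers, never on the certificate serial or fingerprint, so that a re-issued certificate still maps to the same account, while an unknown pair leads to the single registration page with the certificate's data pre-filled (criterion 2) and failed validation produces a specific status message (criterion 9). The following is an added illustration written for this page, not Clerical Medical's or Origo's code; the certificate field names (`org_id`, `individual_id`, `subject_name`, `status`) and the in-memory registry are assumptions made for the example.

```python
"""Landing-point decision keyed on persistent Unipass identifiers (added example)."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class UnipassCert:
    # Field names are assumptions for this example, not the real certificate profile.
    serial: str          # changes on every re-issue, so never used as an identity key
    org_id: str          # persistent organisation identifier
    individual_id: str   # persistent individual identifier
    subject_name: str    # name already available from the certificate
    status: str = "valid"  # "valid", "revoked" or "expired", set by the validation layer


@dataclass
class Account:
    account_id: int
    org_id: str
    individual_id: str
    display_name: str
    agency: str
    # New business and quotations are immediate; client data is enabled later
    # by a background process (within 1 working day), not by this request.
    client_data_access: bool = False


# Criterion 9: messages state the actual status rather than a generic failure.
STATUS_MESSAGES = {
    "revoked": "Your Unipass has been revoked.",
    "expired": "Your Unipass has expired.",
}


class LandingPoint:
    """One page that either logs a known Unipass in or presents registration."""

    def __init__(self) -> None:
        # Criterion 4: the key is (org_id, individual_id), so a new certificate
        # carrying the same identifiers resolves to the same account.
        self._accounts: Dict[Tuple[str, str], Account] = {}
        self._next_id = 1

    @staticmethod
    def _key(cert: UnipassCert) -> Tuple[str, str]:
        return (cert.org_id, cert.individual_id)

    def handle(self, cert: UnipassCert) -> dict:
        """Decide what the landing point shows for a presented certificate."""
        if cert.status != "valid":
            message = STATUS_MESSAGES.get(cert.status, "Your Unipass is not valid.")
            return {"action": "error", "message": message}
        account = self._accounts.get(self._key(cert))
        if account is not None:
            # Criterion 10: association exists, so initiate log-in directly.
            return {"action": "login", "account_id": account.account_id}
        # No association: show the registration form on this same page,
        # pre-filled from the certificate so nothing is re-keyed (criterion 2).
        return {
            "action": "register",
            "prefill": {
                "org_id": cert.org_id,
                "individual_id": cert.individual_id,
                "display_name": cert.subject_name,
            },
        }

    def register(self, cert: UnipassCert, supplementary: dict) -> Account:
        """Create the account from certificate data plus the supplementary items."""
        if cert.status != "valid":
            raise ValueError(STATUS_MESSAGES.get(cert.status, "Your Unipass is not valid."))
        key = self._key(cert)
        if key in self._accounts:
            raise ValueError("This Unipass is already registered.")
        account = Account(
            account_id=self._next_id,
            org_id=cert.org_id,
            individual_id=cert.individual_id,
            display_name=supplementary.get("display_name", cert.subject_name),
            agency=supplementary["agency"],
        )
        self._accounts[key] = account
        self._next_id += 1
        return account
```

The point to check in a real implementation is the lookup key: if the registry were keyed on `serial` (or on a hash of the certificate), the next re-issue would silently fail criterion 4 and push the user back through registration.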