Standard Life

Our high-level view

Registering a Unipass on Standard Life’s adviserzone is a clear and straightforward process requiring only a minute or two.

And if you already have a Standard Life account that you access with a user ID and password, it’s even easier to associate your Unipass with it. You can then choose to forget your user ID and password and use Unipass instead.

Criteria & Results

Criterion | Guidance Note | Specific Comments

1. A user can register on the extranet using their Unipass without the need to register for a password/PIN beforehand.

A Unipass was registered without obtaining a username or password beforehand.

2. No user data already available from the certificate should need to be re-keyed.
  • It is permissible to present this information to the user and allow them to edit it so long as it is clear that such a step is optional and does not detract from the process of completing any mandatory data items.

No data from the certificate requires to be re-keyed.

The following fields are presented and may optionally be amended:

  • email address
  • branch postcode
3. The registration process must be paper free.

No paper process was involved in registering a Unipass.

4. Unipass organisation and individual identifiers should be used as the keys to identity, and user access must persist without re-registering whenever a new certificate is issued in which these keys persist.
  • Background processes which capture and store changed data are permissible so long as the user experience is not interrupted.

Successfully logged in with a different Unipass with the same identity but different postcode.

5. Where the user has a pre-existing password/PIN and this will continue to be accepted for authentication, access using Unipass must not be suspended when the password/PIN is not refreshed in line with security policy.
  • There may, and probably should be, a separate password reset process, but this is not covered by this scheme.

Holders of a user ID and password are required to refresh their password regularly, but failure to do so does not prevent access via Unipass.

6. On presentation of a valid intermediary certificate and completion of supplementary data (including correct agency data), access to new business and quotations must be immediate, access to client data must follow within 1 working day, and confirmation should be provided to the user that such access has been granted.
  • Where an intermediary firm or network is allowed to opt out of the standard registration process, this will not be within scope – see exclusions above.
  • Access must be granted within the appropriate timescales in all cases other than the exceptions noted immediately above.
  • “Immediate” access means within 10 minutes.
  • Confirmation can be given either explicitly or implicitly.
  • N.B. only the access described is in scope (e.g. commission systems are out of scope).

When a Unipass was registered, access to NB, quotations and client data was immediate.

7. User data entry should be limited to 4 items.
  • Marketing opt-in/opt-out, tick boxes for T&Cs, and navigation buttons do not count towards the total of data items entered.
  • Multiple instances of a data item (e.g. agency) or split elements of a data item will count as one item.

The user has 3 data items to enter:

  • Title
  • Telephone Number
  • Agency/Account number (for Standard Life Assurance Limited and/or Standard Life Healthcare)
(There is also a tick box marketing opt-in, and a navigation button which when clicked signifies acceptance of the T&Cs.)

8. For new accounts, if userID and password/PIN are to be explicitly created, this should not prevent access to client data by means of using Unipass.
  • A userID and password/PIN may be created, and may or may not be displayed to the user, but access to client data via Unipass must not be delayed pending completion of an offline process relating to the provision of the userID, e.g. while a password is sent to the user by whitemail.

A userID is created behind the scenes and is available on request, but this in no way restricts access to client data via Unipass.

9. User messages must be clear and provide relevant status information (e.g. “Your Unipass has been revoked”, not “There’s a problem with your Unipass”).
  • A full list/table of error messages must be provided during the audit.

The error messages encountered were satisfactory.

10. The “landing point” on secure services within the provider site should be able to determine whether a Unipass has already been properly associated with a user account, and initiate log-in where this is the case. Where no such association pre-exists, the registration form should be presented.
  • The landing point is the page to which the user is directed to log in with Unipass, whether via a URL from the Unipass website or from a non-secured area of the provider’s website, e.g. the provider may opt to have the user directed from the Unipass to a public area of their extranet, where brochures and other non-secured information and/or services are provided.
  • It is acceptable to have alternative hyperlinks from the public area of the extranet for Unipass access on the one hand and username/password access on the other.
  • It is not acceptable to have separate pages for Unipass login and initial registration with Unipass.

If a user attempts to access a secured service with a Unipass that is not already registered, they are taken through registration and returned to the secured services menu page.

Programme overview