| No. | Criterion | Guidance Note | Specific Comments |
|---|---|---|---|
| 1 | A user can register on the extranet using their Unipass without the need to register for a password/PIN beforehand. | | A Unipass was registered without obtaining a username or password beforehand. |
| 2 | No user data already available from the certificate should need to be re-keyed. | - It is permissible to present this information to the user and allow them to edit it, so long as it is clear that such a step is optional and does not detract from the process of completing any mandatory data items. | No data from the certificate needs to be re-keyed.<br>The branch postcode is presented and may optionally be amended. |
| 3 | The registration process must be paper free. | | No paper process was involved in registering a Unipass. |
| 4 | Unipass organisation and individual identifiers should be used as the keys to identity, and user access must persist without re-registering whenever a new certificate is issued in which these keys persist. | - Background processes which capture and store changed data are permissible so long as the user experience is not interrupted. | Successfully logged in with a different Unipass with the same identity but a different role. |
| 5 | Where the user has a pre-existing password/PIN and this will continue to be accepted for authentication, access using Unipass must not be suspended when the password/PIN is not refreshed in line with security policy. | - There may, and probably should, be a separate password reset process, but this is not covered by this scheme. | Zurich’s assertion that their security policy does not require refreshing of passwords was accepted. |
| 6 | On presentation of a valid intermediary certificate and completion of supplementary data (including correct agency data), access to new business and quotations must be immediate, access to client data must follow within 1 working day, and confirmation should be provided to the user that such access has been granted. | - Where an intermediary firm or network is allowed to opt out of the standard registration process, this will not be within scope – see exclusions above.<br>- Access must be granted within the appropriate timescales in all cases other than the exceptions noted immediately above.<br>- “Immediate” access means within 10 minutes.<br>- Confirmation can be given either explicitly or implicitly.<br>- N.B. only the access described is in scope (e.g. commission systems are out of scope). | When a Unipass was registered, access to NB and quotations was immediate on completion of a simple process which Zurich call “upgrade”. For data protection reasons, Zurich’s assertion that access to client data follows within a maximum time of 30 minutes, but typically far less, was accepted. (During the audit, “upgrade”, which would have allowed access to data had there been any within the dummy agency used, was completed in less than 1 minute.) |
| 7 | User data entry should be limited to 4 items. | - Marketing opt-in/opt-out, tick boxes for T&Cs, and navigation buttons do not count towards the total of data items entered.<br>- Multiple instances of a data item (e.g. agency) or split elements of a data item will count as one item. | User data entry is limited to:<br>- Selection of job role (not identical to Unipass Individual Type) from a drop-down list<br>- (optional) overtyping of branch postcode<br>- Agency number (adviser code) |
| 8 | For new accounts, if userID and password/PIN are to be explicitly created, this should not prevent access to client data by means of using Unipass. | - A userID and password/PIN may be created, and may or may not be displayed to the user, but access to client data via Unipass must not be delayed pending completion of an offline process relating to the provision of the userID, e.g. while a password is sent to the user by whitemail. | A userID is explicitly created (though not a password), but this in no way restricts access via Unipass. |
| 9 | User messages must be clear and provide relevant status information (e.g. “Your Unipass has been revoked”, not “There’s a problem with your Unipass”). | - A full list/table of error messages must be provided during the audit. | Error messages encountered were judged satisfactory. |
| 10 | The “landing point” on secure services within the provider site should be able to determine whether a Unipass has already been properly associated with a user account, and initiate log-in where this is the case. Where no such association pre-exists, the registration form should be presented. | - The landing point is the page to which the user is directed to log in with Unipass, whether via a URL from the Unipass website or from a non-secured area of the provider’s website, e.g. the provider may opt to have the user directed from the Unipass website to a public area of their extranet, where brochures and other non-secured information and/or services are provided.<br>- It is acceptable to have alternative hyperlinks from the public area of the extranet for Unipass access on the one hand and username/password access on the other.<br>- It is not acceptable to have separate pages for Unipass login and initial registration with Unipass. | Although Zurich has separate buttons for login and registration, the login page does lead to registration where the certificate has not already been registered. |
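As an added example (not part of the audit report or of Zurich's implementation), the Python model below shows how criteria 2, 4, 9 and 10 fit together: one landing point keys accounts on the certificate's organisation and individual identifiers rather than its serial, prefills the registration form from the certificate, captures a re-issued certificate's new serial in the background, and returns a specific status for a revoked Unipass. The certificate field names, the `Account` record and the in-memory `ACCOUNTS` store are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the certificate fields this scheme relies on; the
# field names are assumptions, not the real Unipass certificate profile.
@dataclass(frozen=True)
class UnipassCert:
    serial: str
    org_id: str           # Unipass organisation identifier
    individual_id: str    # Unipass individual identifier
    role: str             # Unipass Individual Type (may change on re-issue)
    branch_postcode: str
    revoked: bool = False

@dataclass
class Account:
    user_id: str
    job_role: str
    agency_number: str
    branch_postcode: str
    last_serial: str

# Keyed on organisation + individual identifiers only (criterion 4), so a
# re-issued certificate with a new serial and role still maps to the account.
ACCOUNTS: Dict[Tuple[str, str], Account] = {}

def identity_key(cert: UnipassCert) -> Tuple[str, str]:
    return (cert.org_id, cert.individual_id)

def landing_point(cert: UnipassCert):
    """Single entry point that picks login or registration (criterion 10)."""
    if cert.revoked:  # specific status message, criterion 9
        return ("error", "Your Unipass has been revoked")
    account = ACCOUNTS.get(identity_key(cert))
    if account is None:  # no association yet: registration form, prefilled (criterion 2)
        return ("register", {"branch_postcode": cert.branch_postcode})
    account.last_serial = cert.serial  # background capture; login is not interrupted
    return ("login", account)

def register(cert: UnipassCert, job_role: str, agency_number: str,
             branch_postcode: Optional[str] = None) -> Account:
    """At most three user-entered items are required (criterion 7)."""
    if cert.revoked:
        raise ValueError("Your Unipass has been revoked")
    account = Account(f"{cert.org_id}-{cert.individual_id}", job_role, agency_number,
                      branch_postcode or cert.branch_postcode, cert.serial)
    ACCOUNTS[identity_key(cert)] = account
    return account
```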