An important step in securing your message is to include a challenge question and answer. The recipient must give the correct answer before the message opens, so it confirms that the person opening it is who you intended. The answer should be something known only to you and the recipient, and it should be shared with them separately (for example in a meeting or over the phone), never in the email itself. Avoid using information that is easy to find, such as social media posts or common-knowledge facts, as this undermines the protection the challenge gives.
Why is this step necessary? Imagine someone has gained access to your recipient's mailbox, whether through a compromised account or a shared inbox. They can see your secure message arrive, but because the answer is not in the mailbox, this extra step means they still cannot read it.
Here are some tips to help you:
Do:
- Consider your pre-existing knowledge of your client. Do you know something about them that is not public knowledge? e.g.
  Q – If you decided to leave the UK, which city would you choose to emigrate to?
  A – Toronto
- Think about using information from the last conversation you had with them. Did you talk about something you could reference? e.g.
  Q – Which shop were you going to after our last meeting?
  A – Boots
- Consider the option of having a pre-agreed passphrase. This can be agreed on a per-client or per-communication basis, with the passphrase conveyed during conversations with your client. Alternatively, a company-wide policy can set a single phrase to be used across all secure emails sent to clients. However, this is significantly less secure than the per-client or per-communication options: once one shared passphrase is known to anyone outside the intended recipients (a former client, a former employee, or a leaked copy of the letter), every message protected by it can be opened. e.g.
  "During the course of your mortgage transaction, there may be times when we need to send information to you that is sensitive in nature. We will be using Mailock secure email to do this, where you will be required to verify your identity by providing the pre-agreed passphrase, which is *********"
- Consider the circumstances that introduced the client to you and your firm. Were they referred? Or did they find you through a network? e.g.
  Q – What is the surname of the lady who introduced my services to you?
  A – Middleton
- Refer to any fact-finding documentation. As fact-finds hold a wealth of personal data, you may well find information there to use as a question. e.g.
  Q – What year did you take out your first mortgage? (enter the 4-digit year)
  A – 1991
- Consider using a quote number, policy number or case number if you are sending to a generic inbox. Use a reference which can easily be looked up by the recipient but that isn't publicly known. Keep in mind that the question itself is shown to whoever tries to open the message, so put the minimum personal detail in the question and keep the secret in the answer. e.g.
  Q – Please provide the policy number for Mr A Smith, DOB 010101
  A – AB123456
Don't:
- Refer to readily accessible data. Questions based on information found in social media posts are not secure: if you can see it, so can everyone else. e.g.
  Q – What is the name of your dog?
- Ask common-knowledge questions. Questions should be personal to the recipient, not something you would find in a pub quiz. e.g.
  Q – Who is the President of the USA?
- Ask a question that could have more than one answer. A question with a single, firm answer ensures your client gains access every time, rather than being locked out by a different but equally true reply. e.g.
  Q – Name one of your previous mortgage providers.
Remember:
- Explain what format the answer needs to be in. When there are several ways of entering an answer, such as a date, tell your client the exact input format, otherwise a correct answer typed in a different form will be rejected. e.g.
  Q – What is the expiry date of your home insurance policy? (please use **/**/**)
In summary:
There are no hard and fast rules on how you should write a Q&A. Just aim to make your questions as personal as you can to each client. The rest is up to you!
Your Mailock ‘Trusted Community’
Keep in mind that if your recipient registers for a free 'read and reply' Mailock account, they are added to your 'trusted community' of verified users once they have passed the authentication challenge. From then on you no longer need to issue them identity challenges, although you can still do so if you wish.
The easiest way for them to register is to click on the 'Reply' button after they have opened your secure message. Ask your recipient to reply back to you, even if it's just to confirm they've read your message.