Joliez Agency Inc.

Multi-Factor Authentication Policy

Internal Policy · Version 1.0 · Effective Date: May 18, 2026 · Next Review: May 2027

1. Purpose & Scope

This policy establishes the minimum authentication standards for any system that stores, processes, or transmits consumer financial data, personally identifiable information (PII), or that grants administrative control over such systems at Joliez Agency Inc. (“Joliez Agency”). It applies to all employees, contractors, and service accounts.

Systems in scope include the Joliez Agency web application (admin, superadmin, payroll, banking, PII, and onboarding modules), the hosting control panel, the database, the Plaid Dashboard, the Stripe Dashboard, the domain registrar, the primary corporate email tenant, and any code-repository or CI/CD platform that can deploy to production.

2. Authentication Standard

All in-scope accounts must use phishing-resistant multi-factor authentication. Acceptable factors:

  • FIDO2 / WebAuthn passkeys bound to platform authenticators (Touch ID, Face ID, Windows Hello).
  • Hardware security keys (YubiKey or equivalent, FIDO2/U2F).
  • Platform biometrics attested by the device’s secure enclave.

Prohibited factors for any in-scope account: SMS one-time codes, email magic links as a sole second factor, voice-call OTPs, and shared TOTP seeds. Time-based OTP authenticator apps (TOTP) are permitted only as a temporary fallback when a passkey is being re-provisioned, and only for non-financial systems.

3. Application Enforcement

The Joliez Agency application enforces a layered authentication model:

  • Password + device binding. Every authenticated session is bound to a registered device through an HMAC-signed device cookie. Logins from an unregistered device require enrollment via WebAuthn.
  • IP allow-listing. Administrative and superadmin roles can only authenticate from CIDR ranges explicitly listed in configuration.
  • WebAuthn step-up. Every privileged write action — payroll, banking onboarding, PII reads/writes, user-permission changes — requires a fresh WebAuthn assertion within a short freshness window (default 5 minutes). Step-up credentials are verified server-side against the user’s registered public keys; no shared secret is transmitted.
  • Session hardening. Session cookies are HTTPS-only and SameSite=Lax, and sessions time out after 30 minutes of inactivity. Concurrent sessions are each bound to the device that originated them.

3a. Consumer MFA Before Plaid Link

Before any consumer (talent, employee, client, or contractor) can launch Plaid Link to connect a financial account, the application requires a fresh phishing-resistant WebAuthn ceremony:

  • First connection. The user is prompted to enroll a passkey using a platform authenticator (Face ID, Touch ID, Windows Hello) or a roaming FIDO2 security key. The credential is stored server-side as a COSE public key; no shared secret leaves the user’s device.
  • Subsequent connections, updates, and account changes. The user must complete a WebAuthn assertion against an enrolled passkey. Server-side verification confirms challenge match, origin binding, relying-party ID, user-presence and user-verified bits, and signature validity.
  • Freshness window. A successful ceremony grants a short-lived authorization (15 minutes). Both the consumer-facing banking flow and the server-side token-exchange handler refuse to mint or exchange Plaid tokens without a fresh authorization.
  • No fallback to weaker factors. SMS, email codes, and TOTP are not accepted as substitutes for the Plaid pre-flight ceremony. Devices that cannot perform WebAuthn cannot use Plaid Link on the platform.
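The following is an added illustration, not Joliez Agency's own code, of how the controls in sections 3 and 3a fit together on the server side: the HMAC-signed device cookie, the assertion checks listed in 3a (challenge, origin, relying-party ID, user-presence and user-verification bits, sign counter, signature), and a freshness store that the Plaid token-exchange handler consults before doing anything. The relying-party ID, origin, cookie secret, user names and sample assertion bytes are constructed assumptions; the cryptographic signature check over authenticatorData and the hash of clientDataJSON is assumed to be done by a WebAuthn library, and only its boolean result is passed in.

```python
"""Freshness-gated WebAuthn pre-flight for a Plaid token exchange (constructed example)."""
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Callable, Dict, Optional, Tuple

RP_ID = "joliezagency.com"            # assumption: relying-party ID
ORIGIN = "https://joliezagency.com"   # assumption: expected browser origin
PLAID_AUTH_TTL = 15 * 60              # section 3a: 15-minute authorization
STEP_UP_TTL = 5 * 60                  # section 3: 5-minute step-up window
FLAG_UP, FLAG_UV = 0x01, 0x04         # authenticatorData flag bits (WebAuthn spec)


class WebAuthnRejected(Exception):
    """Raised when an assertion fails any server-side check."""


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# --- Section 3: HMAC-signed device cookie ---------------------------------
def sign_device_cookie(device_id: str, secret: bytes) -> str:
    mac = hmac.new(secret, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{mac}"


def verify_device_cookie(cookie: str, secret: bytes) -> Optional[str]:
    """Return the device id if the MAC is valid, else None (constant-time compare)."""
    device_id, _, mac = cookie.rpartition(".")
    expected = hmac.new(secret, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if device_id and hmac.compare_digest(mac, expected) else None


# --- Section 3a: server-side assertion checks ------------------------------
def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, stored_sign_count: int,
                     signature_valid: bool) -> int:
    """Apply the checks listed in 3a and return the new sign counter to store.

    signature_valid is assumed to come from a WebAuthn library that verified the
    signature over auth_data || SHA-256(client_data_json) with the stored COSE key.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise WebAuthnRejected("not an authentication assertion")
    if not hmac.compare_digest(cd.get("challenge", "").encode(),
                               b64url(expected_challenge).encode()):
        raise WebAuthnRejected("challenge mismatch")
    if cd.get("origin") != ORIGIN:
        raise WebAuthnRejected("origin mismatch")
    if len(auth_data) < 37:                      # rpIdHash(32) + flags(1) + counter(4)
        raise WebAuthnRejected("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        raise WebAuthnRejected("relying-party ID mismatch")
    if not (flags & FLAG_UP) or not (flags & FLAG_UV):
        raise WebAuthnRejected("user presence and user verification are both required")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    # A counter that fails to increase is the standard signal of a cloned authenticator.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise WebAuthnRejected("sign counter did not increase")
    if not signature_valid:
        raise WebAuthnRejected("signature invalid")
    return sign_count


# --- Section 3a: freshness window and the token-exchange gate --------------
class FreshnessStore:
    """Short-lived authorizations, minted only after a successful ceremony."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._expiry: Dict[str, float] = {}

    def grant(self, user: str, ttl: int) -> None:
        self._expiry[user] = self._clock() + ttl

    def is_fresh(self, user: str) -> bool:
        return self._clock() < self._expiry.get(user, 0.0)

    def revoke(self, user: str) -> None:        # section 7: anomalies revoke sessions
        self._expiry.pop(user, None)


def exchange_plaid_public_token(user: str, public_token: str,
                                store: FreshnessStore) -> dict:
    """Server-side handler: refuses to exchange without a fresh authorization."""
    if not store.is_fresh(user):
        raise PermissionError("fresh WebAuthn authorization required before Plaid exchange")
    # Assumption: the real handler would call Plaid's public-token exchange here.
    return {"user": user, "public_token": public_token, "status": "exchanged"}


def make_sample_assertion(challenge: bytes, flags: int, sign_count: int) -> Tuple[bytes, bytes]:
    """Constructed clientDataJSON and authenticatorData for a test ceremony."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": ORIGIN}).encode()
    ad = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return cd, ad
```

The two windows are kept as separate constants because the policy sets them differently (5 minutes for privileged writes, 15 minutes for the Plaid pre-flight); the exchange handler checks the store rather than trusting any flag the browser sends, so a client that skipped the ceremony cannot reach Plaid even if it calls the exchange endpoint directly.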

4. External System Requirements

System | MFA Method Required | Verified
Hosting control panel (cPanel / registrar) | Passkey or hardware key | Quarterly
Plaid Dashboard | Passkey or hardware key | Quarterly
Stripe Dashboard | Passkey or hardware key | Quarterly
Domain registrar (GoDaddy) | Passkey or hardware key | Quarterly
Primary email (used for account recovery) | Passkey or hardware key | Quarterly
Source-control / deployment | Passkey or hardware key | Quarterly

The CTO reviews each provider’s account-security page once per quarter and records the verification timestamp in the internal audit log.

5. Enrollment & Lifecycle

  • Onboarding. New employees enroll at least two passkeys (e.g., laptop platform authenticator + hardware key) on day one. Production access is not granted until enrollment completes.
  • Lost or compromised authenticator. Reported immediately to security@joliezagency.com. Affected credentials are revoked from the credential store within one business hour. A replacement is enrolled in-person or via verified video call.
  • Offboarding. Within four business hours of separation, the CTO disables the user account, revokes all WebAuthn credentials, removes IP allow-list entries, and rotates any shared infrastructure secrets the user could have memorized.

6. Exceptions

Exceptions to this policy must be requested in writing to the CEO, must include a compensating control and an expiration date no longer than 30 days, and are logged in the policy exception register. No exception may waive MFA for an account with access to consumer financial data.

7. Monitoring & Audit

Authentication and step-up events are recorded in the application audit log and retained for 24 months. Failed step-up attempts, IP-allow-list violations, and new device enrollments are reviewed weekly by the CTO. Anomalies trigger an immediate session revocation and an incident report.

8. Annual Review

This policy is reviewed at least once per calendar year by the CEO and CTO, or sooner upon any material change to in-scope systems, a security incident, or a regulatory update affecting authentication requirements (GLBA, NIST SP 800-63B, PCI DSS, Plaid Production Requirements).

9. Change Log

Version | Date | Change
1.0 | May 18, 2026 | Initial publication.

© 2026 Joliez Agency Inc. · Questions: security@joliezagency.com