Finducation™

Finducation - EZBudget™

Consumer Multi-Factor Authentication Policy

Phishing-resistant MFA before Plaid Link on EZBudget web and mobile.

Document ID: EZB-MFA-001
Version: 1.0
Effective Date: July 8, 2026
Last Review Date: July 8, 2026
MFA Class: Phishing-resistant
Owner: Deseo Developers LLC (Engineering/Security)

1. Policy Statement

EZBudget requires consumer authentication with phishing-resistant multi-factor authentication (MFA) on web and mobile applications before financial linking workflows (including Plaid Link) are made available to the user.

Phishing-Resistant MFA Web + Mobile Required Before Plaid Link

2. Scope

  • EZBudget web application (/budget/)
  • EZBudget mobile application wrappers (iOS/Android)
  • Finducation authentication entry points used by EZBudget consumers
  • Bank connection and Plaid Link initiation flows

3. Approved MFA Factors

EZBudget supports phishing-resistant authentication factors, including:

Factor TypeExamplesClassification
Passkeys / WebAuthnPlatform authenticators, security keysPhishing-resistant
Biometric authenticationDevice-native biometric unlock tied to secure identity sessionPhishing-resistant
Hardware OTP / FIDO security keysHardware-backed one-time or challenge-response tokensPhishing-resistant

4. Plaid Link Access Control Flow

  1. User accesses EZBudget web or mobile application.
  2. User completes primary authentication and required phishing-resistant MFA challenge.
  3. Authenticated session token is issued and validated for protected API operations.
  4. Plaid Link and bank connection actions are enabled only for authenticated sessions.
  5. Unauthenticated users are blocked from initiating Plaid Link.
EZBudget enforces signed-in state before bank connection controls are enabled in the application interface.

5. Session and Token Controls

  • Authenticated sessions use server-validated tokens for protected operations.
  • Session expiration and re-authentication requirements are enforced for sensitive actions.
  • Financial linking endpoints require valid authenticated context.

6. Governance and Review

  • MFA control effectiveness is reviewed during internal security assessments.
  • Authentication provider configuration changes require security review.
  • Policy updates are triggered by major auth architecture or integration changes.

7. Due Diligence Mapping

Questionnaire AssertionPolicy Position
MFA provided for consumers on mobile and/or web before Plaid Link Yes - Authentication and MFA required prior to Plaid Link availability
MFA type Yes - Phishing-resistant MFA (passkeys/WebAuthn, biometrics, hardware OTP)

8. Approval

This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.

Approved By: Deseo Developers LLC - Authorized Representative

Date: July 8, 2026

Contact: contact@deseodevelopers.com