Finducation - EZBudget™
Consumer Multi-Factor Authentication Policy
Phishing-resistant MFA before Plaid Link on EZBudget web and mobile.
1. Policy Statement
EZBudget requires consumer authentication with phishing-resistant multi-factor authentication (MFA) on web and mobile applications before financial linking workflows (including Plaid Link) are made available to the user.
Phishing-Resistant MFA Web + Mobile Required Before Plaid Link
2. Scope
- EZBudget web application (
/budget/) - EZBudget mobile application wrappers (iOS/Android)
- Finducation authentication entry points used by EZBudget consumers
- Bank connection and Plaid Link initiation flows
3. Approved MFA Factors
EZBudget supports phishing-resistant authentication factors, including:
| Factor Type | Examples | Classification |
|---|---|---|
| Passkeys / WebAuthn | Platform authenticators, security keys | Phishing-resistant |
| Biometric authentication | Device-native biometric unlock tied to secure identity session | Phishing-resistant |
| Hardware OTP / FIDO security keys | Hardware-backed one-time or challenge-response tokens | Phishing-resistant |
4. Plaid Link Access Control Flow
- User accesses EZBudget web or mobile application.
- User completes primary authentication and required phishing-resistant MFA challenge.
- Authenticated session token is issued and validated for protected API operations.
- Plaid Link and bank connection actions are enabled only for authenticated sessions.
- Unauthenticated users are blocked from initiating Plaid Link.
5. Session and Token Controls
- Authenticated sessions use server-validated tokens for protected operations.
- Session expiration and re-authentication requirements are enforced for sensitive actions.
- Financial linking endpoints require valid authenticated context.
6. Governance and Review
- MFA control effectiveness is reviewed during internal security assessments.
- Authentication provider configuration changes require security review.
- Policy updates are triggered by major auth architecture or integration changes.
7. Due Diligence Mapping
| Questionnaire Assertion | Policy Position |
|---|---|
| MFA provided for consumers on mobile and/or web before Plaid Link | Yes - Authentication and MFA required prior to Plaid Link availability |
| MFA type | Yes - Phishing-resistant MFA (passkeys/WebAuthn, biometrics, hardware OTP) |
8. Approval
This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.
Approved By: Deseo Developers LLC - Authorized Representative
Date: July 8, 2026
Contact: contact@deseodevelopers.com