BCST (Broker Client Security Tool) User Guide

INTRODUCTION

The Broker–Client Security Tool lets brokers self-manage the delivery of login credentials for their clients. This covers replacement passwords for client access to Client Portal, TWS, WebTrader and IBKR Mobile, as well as temporary passcodes for two-factor device/app operation. The tool offers the following features:

  • Credentials are generated and delivered in a secure manner via verified cell phone or email.
  • Brokers can control the employees having access to the tool via defined user access rights.

PREREQUISITES

For the broker

  • In order to perform the password or SLS Temporary Code management for a given client account, the operator must have access to the target client account. This access level is controlled by the "Client Security" access rights (see Note 1)
  • The broker master user or another user with equivalent privileges can assign the "Client Security" access rights from the Client Portal, section Settings → Account Settings → Click on the Configure (gear) icon next to Users & Access Rights. Within the "Users" panel, click on the Edit (pencil) icon for the user whose privileges you desire to upgrade and activate the checkbox "Client Security" highlighted in the screenshot below


    Figure 1: client security
  • In order to use email as a delivery channel for the Temporary Code the broker needs to log in using the Digital Security Card+ (DSC+)

For the client

  • The client must have at least a verified phone number on the account. For details about phone number verification, see KB2553

BCST MENU

Channels

Secure Login System Temporary Code

  • The primary delivery channel for Secure Login System (SLS) management is Mobile Phone SMS (text message). This should always be the preferred channel for this purpose
  • The secondary channel for the SLS is email. This is a fallback solution, used ONLY in case the primary channel is unavailable

Password Management

  • The primary delivery channel is the Authentication Security app. When available, this channel must be selected. If the user has no active Authentication app, this option will not be displayed
  • The secondary channel is SMS. It should ONLY be used if the primary channel is unavailable

Details

Each menu item is listed with its function.

Find user

  • Username or Account ID search: The operator will be able to search either a username (default, as security is user-based) or account number.
  • Account with multiple usernames: Should the search by account number be executed with an account that has more than one user, the list of users will be displayed. The operator has to click on the user to whom he needs to send a one-time password or temp code

Secure Login System Temporary code

  • Mobile Phone (SMS): The client will receive a message containing a SLS Temporary Code on his phone
  • E-mail: The system will send an email containing a SLS Temporary Code to your client

Password Management

  • Authentication App:
    1. Your client will receive on his phone a message containing a link
    2. A click on that link opens the authentication app
    3. Once the client uses or enters his Fingerprint/Passcode/FaceID/PIN (depending on the device type or settings), the security app will show a one-time-password
    4. The client account user MUST write the one-time-password down, as instructed on the screen
    5. To complete the password change, the user has to log into the Client Portal using the one-time-password. The first page after login will be the Password Reset page
    6. The client must follow the instructions on the Password Reset page to complete the procedure, as described here
  • Mobile Phone (SMS):
    1. The client will receive a text message (SMS) containing a one-time-password on his phone. The time of expiration of the password is included in the body of the message
    2. To complete the password change, the user has to log into the Client Portal using the one-time-password. The first page after login will be the Password Reset page
    3. The client must follow the instructions on the Password Reset page to complete the procedure, as described here

HOW TO USE THE BCST

Selecting the target client user

  1. In the section "Find user", search for either the client username (default choice, as security is user-based) or his account number and click on SUBMIT
    If you have searched by account number, the list of users will be displayed
  2. Click on the desired user. The Broker Operator Security Functions panel will be shown

    Figure 2: find user

    Figure 3: broker client security tool

Secure Login System Temporary Code

  1. Select the delivery channel.
    • In case you have to select "email", you will have to provide the reason why the primary channel cannot be used (see Note 2)
  2. Click on SEND TEMP CODE
  3. According to the selected channel the following will happen:
      • Mobile Phone SMS:
      1. Your client will receive a message containing a SLS Temporary Code on his phone

        Figure 4: text message
      2. The user will then have to activate a permanent Security Device/s and/or activate an Online Security Code Card. For details on how to enroll in a permanent Security Device/s see KB1131.
      • Email:
      1. The system will send an email containing a SLS Temporary Code to your client

        Figure 5: email for temp token
      2. The user will then have to activate a permanent Security Device/s and/or activate an Online Security Code Card. For details on how to enroll in a permanent Security Device/s see KB1131.

Password Management

  1. Select the delivery channel
    • If you select SMS, you will have to provide the reason why the primary channel cannot be used (see Note 3)
  2. Click on SEND NEW PASSWORD
  3. According to the selected channel the following will happen:
    • Authentication app:
    1. Your client will receive on his phone a message containing a link

      Figure 6: password reset ibkey
    2. A click on that link opens the Authentication app
    3. Once the client uses or enters his Fingerprint/Passcode/FaceID/PIN (depending on the device type or settings), the security app will show a one-time-password

      Figure 7: face id

      Figure 8: password ibkey
    4. The client account user MUST write the one-time-password down, as instructed on the screen
    5. To complete the password change, the user has to log into the Client Portal using the one-time-password. The first page after login will be the Password Reset page
    6. The client must follow the instructions on the Password Reset page to complete the procedure, as described here
      1. Enter old password (from step 4)
      2. Enter a new password of his/her choice
      3. Repeat the new password entry to confirm it
      4. Click on CONTINUE

        Figure 9: password change CP
    • Mobile Phone SMS
    1. Your client will receive a text message (SMS) containing a one-time-password on his phone. The time of expiration of the password is included in the body of the message

      Figure 10: password sms
    2. To complete the password change, the user has to log into the Client Portal using the one-time-password. The first page after login will be the Password Reset page
    3. The client must follow the instructions on the Password Reset page to complete the procedure, as described here
      1. Enter old password (from step 4)
      2. Enter a new password of his/her choice
      3. Repeat the new password entry to confirm it
      4. Click on CONTINUE
      5. Please see Figure 9 above for details

BCST FLOW CHART

Figure: BCST Flow Chart

WHITE BRANDING

If your account has been configured for White-Branding, the messages sent to your client will not show the IBKR branding or name as the sender.

When you select email as the delivery channel, the sender address will be the one you set up in your Client Portal page, section Settings → Account Settings → White Branding → Emails → Return Email Address (detailed instructions here).

If you have not populated the Return Email Address field, the system will use donotreply@interactivebrokers.com as the email sender address.

NOTES

  1. If you do not have the required "Client Security" access right, you will receive the error message "You are not authorized to change password for the selected user"
  2. The 'SEND TEMP CODE' button will be disabled until you have selected a reason for the use of email
  3. The 'SEND NEW PASSWORD' button will be disabled until you have selected a reason for the use of SMS
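
The channel and access rules from the Prerequisites, Channels and Notes sections can be written down as a single check, which is useful when reviewing how operators use the fallback channels. This is an added example, not part of the BCST or of IBKR code; the Request record, its field names and the sample requests are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Primary and fallback delivery channel per function, as listed under "Channels".
CHANNELS = {
    "temp_code": ("sms", "email"),
    "password": ("auth_app", "sms"),
}

@dataclass
class Request:  # hypothetical record layout, not a BCST data format
    function: str                 # "temp_code" or "password"
    channel: str                  # "sms", "email" or "auth_app"
    has_client_security: bool     # operator holds the "Client Security" right
    dsc_plus_login: bool          # operator logged in with DSC+
    verified_phone: bool          # client has a verified phone number
    active_auth_app: bool         # client has an active Authentication app
    reason: Optional[str] = None  # reason given for using the fallback channel

def violations(req: Request) -> List[str]:
    """Return the guide's rules that a request breaks (empty list = conforms)."""
    if req.function not in CHANNELS:
        return ["unknown function"]
    primary, fallback = CHANNELS[req.function]
    found = []
    if not req.has_client_security:
        found.append("operator lacks Client Security access right")
    if not req.verified_phone:
        found.append("client has no verified phone number")
    if req.channel not in (primary, fallback):
        found.append("channel not offered for this function")
    if req.channel == "auth_app" and not req.active_auth_app:
        found.append("Authentication app option is not displayed for this user")
    if req.channel == fallback:
        if not req.reason:
            found.append("fallback channel selected without a reason")
        if req.function == "password" and req.active_auth_app:
            found.append("SMS used although the Authentication app is available")
        if req.channel == "email" and not req.dsc_plus_login:
            found.append("email delivery requires a DSC+ login")
    return found

# Constructed sample requests.
SAMPLES = [
    Request("temp_code", "sms", True, False, True, False),
    Request("temp_code", "email", True, False, True, False),
    Request("password", "sms", True, True, True, True, reason="phone replaced"),
]
```
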