eGovHub

Enhanced Form Retrieval Options in eGovHub V2.2

Introduction

As part of our continued improvements to the online forms, this release adds a set of functionality that increases the options for form retrieval, with a focus on additional security options. This is an upgrade to the forms framework, meaning every form has the ability to leverage this functionality.

It is important to note, however, that a new version of the form is required to use this functionality. Details of the forms and versions which have this set up right now are provided later.

Please ensure you read the VERY IMPORTANT section later. It comes later because without context it would be difficult to understand.

 

Existing Settings

For context, the following existing settings provide flexibility on security options for a person retrieving an online form that has been saved for later, or submitted with evidence to be added subsequently.

 

Setting Name What it does
TransactionNumberRandomStringLength Changes the length of the reference number to whatever is desired
TransactionNumberPrefix Adds a prefix to a reference number, e.g. if this setting was set to HB a reference number would look like this: HBZQAPFYXC
TransactionNumberCasing This allows the reference number to be in upper or lower case. The default is Upper. 
EnableSecuredRetrieve

This is the setting that, if set to true, means a person is required to provide an additional security phrase on top of the reference number to access their form.

The user can choose which type of additional phrase to provide from these types:

  • Name of your first school
  • Your mother's maiden name 
  • Your National Insurance Number 
  • A password of choice

 

When the current EnableSecuredRetrieve option is set to true, it means a customer has to provide this prior to being able to start their form. This is illustrated below:

 

 

Everything in this release makes the level of control much more flexible. All of this is done as part of our continued desire to maximise our compliance with security best practice.

 

New settings introduced

The following are the new options introduced as setting based functions in this release:

Setting Name What it does
SecureRetrievePasswordOnly When set to true, a person cannot use Mother's maiden name, NINO or first school as a password. The only option will be 'a password of your choice'. It is this option that is subsequently affected by the settings below.
SecureRetrievePasswordLengthMin This allows you to change the minimum length of the password the user must provide. The default is 8 characters long.
SecureRetrievePasswordLengthMax This allows you to change the maximum length of the password the user must provide. The default is 16 characters long.
SecureRetrieveNumberMixOfUpperAndLower

When this setting is true, the password the user provides must contain a mixture of upper and lower case characters. I.e. if the password was 8 characters long and set to IEEGFOUR it would not be allowed if this setting was true. But iEEG4FOUR would.

 

SecureRetrieveNumberOfLetters This setting controls the number of letters that need to be present within the password the user sets up.
SecureRetrieveNumberOfDigits This setting controls the number of numbers that need to be present within the password the user sets up.
SecureRetrieveNumberOfNonAlphaNumeric This setting controls the number of special characters (characters that are neither letters nor numbers) that need to be present within the password the user sets up. E.g. !@£$%^&*()
SecureRetrieveCaptchaControl This provides the ability for you to add a captcha control to the form retrieval process. The purpose of this is to completely remove the capability for repeated brute force hacking attempts.
TransactionNumberMode This setting adds the means to support a cryptorandom type for the reference number generated in the form. This should be used where you wish to leverage the new functionality provided for the reference number. 
TransactionNumberRandomStringLength This is an existing setting and is that which controls the total length of the reference value generated upon starting a form. 
TransactionNumberRandomStringCharacters

This allows you to set the actual characters that can be used in the random generation of a reference. The default characters used are:

BCDFGHJKLMNPQRSTVWXYZ

However, you can use whichever you want e.g.

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

This would ensure upper case, lower case and numbers are used in a reference number. If this were the case for an 8 character reference number it could look like this:

4qApf5Xc

But it is important to note that these characters could be anything, i.e. you could set this to:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@£$%^&*()_+|~

Meaning that an 8 character reference number could be:

4~Apf5X!

Where this is the case, the number of combinations for an 8 character reference increases significantly to:

1,113,034,787,454,976 (1 quadrillion)

For perspective, if a hacker were to try one combination every second to get into your data it would take them 35,294,101 (35 million) years to go through each combination.

CaptchaControlSiteKey This is set by IEG4 and should not be edited by you
CaptchaControlSecretKey This is set by IEG4 and should not be edited by you
SecureRetrieveCaptchaControl This is set by IEG4 to google and should not be edited by you

 

Some illustrations of these

Example 1 - changing the reference number format

In the following example, the settings are set such that:

TransactionNumberRandomStringCharacters is set to: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

And

TransactionNumberRandomStringLength is set to: 24

The combination of these means that the reference number will be 24 characters long and contain a mixture of the a-0 character list. See how this is created below:

 

 

 

As one can see this is absurdly long but does illustrate the flexibility you now have. 
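
The combination counts quoted for TransactionNumberRandomStringCharacters can be reproduced for any character set and length. The following Python is an added example, not IEG4's code: the function names are hypothetical, Python's secrets module stands in for the cryptorandom TransactionNumberMode, a year is taken as 365 days, and length 8 for the default character set is assumed for comparison.

```python
import math
import secrets

# Character sets quoted on this page.
DEFAULT_CHARS = "BCDFGHJKLMNPQRSTVWXYZ"
ALNUM_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
EXTENDED_CHARS = ALNUM_CHARS + "!@£$%^&*()_+|~"
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: 365-day year


def _check(chars, length):
    if length < 1 or not chars:
        raise ValueError("need a non-empty character set and a positive length")
    if len(set(chars)) != len(chars):
        # A repeated character skews the draw and overstates the keyspace.
        raise ValueError("character set contains a repeated character")


def generate_reference(chars, length, prefix=""):
    """Draw every character independently from the OS CSPRNG."""
    _check(chars, length)
    return prefix + "".join(secrets.choice(chars) for _ in range(length))


def keyspace(chars, length):
    """Number of distinct references the settings can produce."""
    _check(chars, length)
    return len(chars) ** length


def entropy_bits(chars, length):
    return math.log2(keyspace(chars, length))


def years_to_exhaust(chars, length, guesses_per_second=1):
    """Whole years to try every combination at a fixed guess rate."""
    return keyspace(chars, length) // (guesses_per_second * SECONDS_PER_YEAR)


if __name__ == "__main__":
    for label, chars, length in (("default set, length 8", DEFAULT_CHARS, 8),
                                 ("extended set, length 8", EXTENDED_CHARS, 8),
                                 ("Example 1, length 24", ALNUM_CHARS, 24)):
        print(f"{label}: e.g. {generate_reference(chars, length)}, "
              f"{keyspace(chars, length):,} combinations, "
              f"{entropy_bits(chars, length):.1f} bits, "
              f"{years_to_exhaust(chars, length):,} years at 1 guess/s, "
              f"{years_to_exhaust(chars, length, 1000):,} years at 1,000 guesses/s")
```

The time to exhaust a keyspace scales with the guess rate as well as the character set, so the default set at length 8 drops from about 1,199 years at one guess per second to about one year at 1,000 guesses per second.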

 

Example 2 - Password modifications

If we set these settings as follows:

  • SecureRetrievePasswordOnly                            true
  • SecureRetrievePasswordLengthMin                    7
  • SecureRetrievePasswordLengthMax                   12
  • SecureRetrieveNumberMixOfUpperAndLower      true
  • SecureRetrieveNumberOfLetters                        3
  • SecureRetrieveNumberOfDigits                          1
  • SecureRetrieveNumberOfNonAlphaNumeric         1

Then it means the person will only be allowed to proceed if the password has a minimum of 7 characters, a maximum of 12, and a mixture of upper and lower case letters. There need to be at least 3 letters, 1 number and 1 special character. I.e. with the above the following would be allowed:

All0w3d#

But:

all0w3d# would not as there needs to be upper / lower case mixture

All0w3d would not as there must be 1 special character

Al03d# would not as it is below the minimum of 7 characters. 

I.e. an enormous amount of flexibility is present.

Where a person erroneously provides a password that does not meet the rules, they will be presented with a message that reflects how you have set the settings. The following screenshot is where the minimum is 8, max is 16 and 1 letter and 1 number is provided. I.e. the help is dynamic.

[Screenshot: password help message]
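
The rules in Example 2 and the dynamic help message can be expressed as a validator driven by the setting values. The following Python is an added example, not IEG4's code: the RetrievePolicy class and function names are hypothetical, each count is assumed to mean "at least", and any character that is neither a letter nor a number is assumed to count as a special character.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RetrievePolicy:
    """Hypothetical container; each field mirrors a SecureRetrieve* setting."""
    length_min: int = 8            # SecureRetrievePasswordLengthMin (page default)
    length_max: int = 16           # SecureRetrievePasswordLengthMax (page default)
    mix_upper_lower: bool = False  # SecureRetrieveNumberMixOfUpperAndLower
    letters: int = 0               # SecureRetrieveNumberOfLetters
    digits: int = 0                # SecureRetrieveNumberOfDigits
    non_alnum: int = 0             # SecureRetrieveNumberOfNonAlphaNumeric


def failed_settings(password: str, p: RetrievePolicy) -> list[str]:
    """Return the names of the settings the password does not satisfy."""
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    non_alnum = len(password) - letters - digits
    has_mix = any(c.isupper() for c in password) and any(c.islower() for c in password)
    checks = [
        ("SecureRetrievePasswordLengthMin", len(password) >= p.length_min),
        ("SecureRetrievePasswordLengthMax", len(password) <= p.length_max),
        ("SecureRetrieveNumberMixOfUpperAndLower", has_mix or not p.mix_upper_lower),
        ("SecureRetrieveNumberOfLetters", letters >= p.letters),
        ("SecureRetrieveNumberOfDigits", digits >= p.digits),
        ("SecureRetrieveNumberOfNonAlphaNumeric", non_alnum >= p.non_alnum),
    ]
    return [name for name, ok in checks if not ok]


def help_text(p: RetrievePolicy) -> str:
    """Build the guidance message from the active settings, so it tracks them."""
    parts = [f"between {p.length_min} and {p.length_max} characters"]
    if p.mix_upper_lower:
        parts.append("a mixture of upper and lower case letters")
    for count, noun in ((p.letters, "letter"), (p.digits, "number"),
                        (p.non_alnum, "special character")):
        if count:
            parts.append(f"at least {count} {noun}{'s' if count > 1 else ''}")
    return "Your password must have " + ", ".join(parts) + "."


EXAMPLE_2 = RetrievePolicy(7, 12, True, 3, 1, 1)  # values from Example 2

if __name__ == "__main__":
    for candidate in ("All0w3d#", "all0w3d#", "All0w3d", "Al03d#"):
        print(candidate, failed_settings(candidate, EXAMPLE_2) or "allowed")
    print(help_text(RetrievePolicy(letters=1, digits=1)))
```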

When the person wants to retrieve their saved form or go to add additional evidence, they will need to provide their reference number and their password. They now need to provide both of these at the same time, meaning both are required to be correct in conjunction with one another, rather than being checked in isolation as they were previously.

If the person provides incorrect details on either, the following is presented. I.e. it tells them they have done something wrong but, for security, does not explain what they have got wrong:

VERY IMPORTANT

Any current in-progress forms without security questions will become un-retrievable when this is enabled. This creates a catch-22: at the point at which you go live with this, you will likely have some in-progress forms where this is the case. These users will be unable to retrieve their claims from that point onward, so they will need to start a new one. You may want to email them, or make it clear on the guidance notes of the launch page for 1 month after the change, that they will need to start a new one.

Also, and mainly for information, the answer (password) the citizen provides now has true password box behaviour, meaning characters are masked as they are entered.

 

Example 3 - Captcha when trying to retrieve an online form

When the following setting is set to google and the associated values are added by IEG4:

SecureRetrieveCaptchaControl

 

The following will be present on the online form in the 'Continue a form' section:

 

 

When clicked the user needs to answer the visual questions like this below:

 

 

It is important to note that this can be used as well as or instead of a password if you have made the reference number complex. 

 

Forms with this built in right now

  • eClaim - Benefits - version 2.4
  • eChanges - Benefits - version 2.5
  • Calculator - Benefits - version 2.2

 

The Council Tax forms will get this next. Benefits were done first owing to the sensitivity of the data and because they are more likely to be saved for later.

 

eGovHub Release Version Details

The following are the release versioning details:

Release Date Version Number
08/04/2019 2.2