manual of latch app. using with nevele bank

of 71 2016 © Telefónica Digital España, S.L.U. All rights reserved.

Add an extra layer of protection

to your digital services

Manual of Latch app. Using with Nevele Bank and Dropbox.

V.7.1 – November 2016


TABLE OF CONTENT

1 INTRODUCTION ........................................................................................................... 4

1.1 What is Latch? .......................................................................................................................... 4

1.2 Prior requirements ................................................................................................................... 4

1.3 Steps for pairing a digital account with Latch .......................................................................... 4

2 PAIRING A DIGITAL ACCOUNT WITH LATCH ................................................................. 5

2.1 Installing the Latch app from your smartphone ....................................................................... 5

2.2 Creating a Latch user account .................................................................................................. 6

2.3 Accessing Latch ......................................................................................................................... 8

2.4 Creating a digital account at Nevele Bank ................................................................................ 8

2.5 Pairing Latch with Nevele Bank .............................................................................................. 10

2.5.1 Accessing the pairing page ....................................................................................................... 10

2.5.2 Generating the pairing code on the smartphone ..................................................................... 12

3 USE EXAMPLES FOR LATCH ......................................................................................... 16

3.1 Example 1: Completely locking a digital account ................................................................... 16

3.2 Example 2: Locking some operations of a digital account...................................................... 18

3.3 Example 3: Activating "Schedule locked" ............................................................................... 21

3.4 Example 4: Activating the second security factor .................................................................. 24

3.5 Example 5: "Autolock by time" and “Autolock by use” .......................................................... 27

3.5.1 Autolock by time ...................................................................................................................... 27

3.5.2 Autolock by use ........................................................................................................................ 28

3.6 Example 6: Inherited locking for operations on a digital account .......................................... 29

3.7 Example 7: Unpairing the Nevele Bank digital account .......................................................... 30

4 SERVICE PROVIDER ACTIONS ...................................................................................... 33

4.1 Locking and unlocking by the service administrator .............................................................. 33

4.2 Disabling and restoring the service ........................................................................................ 34

5 LATCH OPTIONS AND CUSTOMIZATION ...................................................................... 35

5.1 Renaming and reordering services and operations ................................................................ 35

5.2 Contextual options of services and operations ...................................................................... 35

5.2.1 Rename..................................................................................................................................... 36

5.2.2 Move to .................................................................................................................................... 37

5.2.3 Silence ...................................................................................................................................... 37

5.2.4 Log ............................................................................................................................................ 38

5.3 The Latch lateral menu ........................................................................................................... 38

6 CUSTOMIZING ACCESS ENVIRONMENTS AND CREATING INSTANCES IN NEVELE BANK 44

6.1 Customizing access environments .......................................................................................... 44

6.2 Creating instances .................................................................................................................. 47




7 APPENDIX I: PROTECTION WITH TOTP ........................................................................ 49

7.1 Inclusion of the Dropbox TOTP in Latch ................................................................................. 49

7.1.1 Including the Dropbox TOTP in Latch using the secret key ....................................................... 52

7.1.2 Including the Dropbox TOTP in Latch scanning the QR code ................................................... 54

7.2 Using the Dropbox TOTP in Latch ........................................................................................... 56

7.3 TOTP options in Latch ............................................................................................................. 57

7.3.1 Deleting a TOTP ........................................................................................................................ 57

8 APPENDIX 2: NOTIFICATIONS SUMMARY IN LATCH ..................................................... 59

9 INDEX OF IMAGES ...................................................................................................... 64

10 RESOURCES ............................................................................................................... 70




1 INTRODUCTION

1.1 What is Latch?

Basically, Latch is a service designed to protect your users' digital accounts from unauthorized access. LATCH DOES NOT SAVE ANY INFORMATION AT ALL FROM THESE ACCOUNTS, ITS ONLY JOB IS TO GIVE THEM AN EXTRA LEVEL OF SECURITY.

The idea is to limit the time that these digital accounts are exposed to potential unauthorized access. The user will decide whether their accounts are LOCKED or UNLOCKED when they access them. LATCH DOES NOT AFFECT THE ACCOUNT'S OPERATION IN ANY WAY, IT CAN ONLY ALLOW OR DENY ACTIONS PERFORMED ON IT.

1.2 Prior requirements

To use Latch the user should have at least:

1. A smartphone with the Latch application installed on it.

2. A user account with a provider that is already linked to Latch.

1.3 Steps for pairing a digital account with Latch

Integrating Latch with a service provider such as Nevele Bank requires very specific steps to be followed that will be shown below, and which you should follow for pairing with any service provider, (steps 1 and 2 only need to be done the first time, since they will be valid for other service providers):

1. Installing the Latch app from your smartphone.

2. Creating a Latch user account.

3. Accessing Latch, with the above data.

4. Creating a sample digital account at Nevele Bank, (if the user still doesn't have one).

5. Pairing Latch with the newly created Nevele Bank digital account. The pairing process only needs to be performed one time for each account.

Once the application has been paired, the user may interact with it and lock/unlock it, in addition to other operations like:

1. Completely locking and unlocking a digital account.

2. Locking and unlocking operations included on the digital account.

3. Activating "Schedule lock" for operations on the digital account.

4. Add a new level of security with OTP (One time password).

5. Configuring "Autolock by time" and "Autolock by use"on the digital account.

6. Inherited lock of operations on the digital account.

7. Unpairing the application from the digital account.

The examples from this guide are based on the Latch app installed on a mobile Android device, thus the images of the smartphone and the Latch installation process match this type of device. (If the device had a Firefox OS, Windows Phone, Blackberry or iOS operating system, the steps will be exactly the same, and the user can carry them out in the exact same way. The only difference is installing Latch, since each operating system uses a different store, although the installation process is basically the same for each one). Latch can also be used on devices such Tablets and Apple Watch.




2 PAIRING A DIGITAL ACCOUNT WITH LATCH

2.1 Installing the Latch app from your smartphone

To use Latch first you need to install it on your smartphone, the app is free, and can be downloaded from the store that your device uses.

To install it on an Android device, follow these steps:

1. From the smartphone, access the “Play Store” icon and click on it.

2. Write “Latch” into the search bar at the top of the screen.

3. Once you do this various applications related to the word “Latch” will appear, install the app from “Telefónica Digital España S.L.U.”. To do this simply click the "INSTALL" button.

Image 01: Access the Play Store. Image 02: Search for Latch. Image 03: Install Latch.

4. After clicking the “INSTALL” button a screen will appear that shows the permissions for the Latch app on your mobile device, by clicking the “ACCEPT” button you will start the actual installation.

5. After a few seconds, the installation will be completed, and the user can open the app with the “OPEN” button.

6. After completing the installation, the Latch icon will appear on the first page of the device, so that the user can access it at any time.




Image 04: Accept permissions. Image 05: Open Latch following installation.

Image 06: Latch icon.

2.2 Creating a Latch user account

Once the application is installed, the first thing the user should do is open it from their smartphone. On the first screen the logo and some instructions will appear. Basically the user can do two things:

Slide the screen to access a short tutorial on Latch, after which they can click the text "No, register” to register on Latch.

Start the session directly if you have an account. To do so, click on the text “Sign in” in lower left-hand portion of the screen, as shown in image 07. This text will take the user to a new screen where they can start the session.

Image 07: Latch start screen. Image 08: Latch Tutorial. Image 09: Access registration.




Clicking on the text “No, register” opens a form on the application, so that the user can create a Latch account. To do so you must enter a valid email address and a password. You should also check the box indicating that you agree to the application's terms of use, (these terms can be read by clicking the button “Read agreement”). Then click the “Register” button, located on the lower part of the screen.

Image 10: Screens where the user should enter their email address and the password for their Latch account.

After entering this information, the user received an email to the address that they entered, with a link for activating Latch.

Image 11: Email sent to the user with the link for activating their Latch account.

After doing this the user will have a Latch account, through which they can access the application and protect their digital accounts.




2.3 Accessing Latch

Once the user has an account, they should access the application with the “sign in” button. After clicking this button, a new screen will be shown, where the user will need to enter the email address and the password they used to create the Latch account, during the previous step.

Image 12: Screen where the user should enter their email and password after creating their Latch account.

Image 13: Latch start screen without any digital account paired.

This window will also display the text “Forgot your password?”, through which you can recover your password if you don't remember it, and a "Register" link, through which you can access the previously mentioned form. This process is performed when Latch sends you an email to the address that you indicated.

Once the user has entered the application, the Latch logo will in the upper left corner and to the right a “Menu” button for accessing different settings and information regarding Latch. This button appears on various Latch screens. In the center the digital accounts that user has paired with Latch will appear. The first time that the user accesses the application no accounts will be listed, Latch will display this message: “Pair a new service with Latch or protect it with Cloud TOTP: a temporary onetime PIN.". The next step is pairing your Nevele Bank account with Latch.

In this example a digital account will be created at Nevele Bank to subsequently include it on Latch. If the user already had a digital account with Nevele Bank then this step wouldn't be necessary.

2.4 Creating a digital account at Nevele Bank

To create a digital account at the imaginary Nevele Bank, the user should access the page http://nevele.stage.11paths.com/. In the lower portion of this page you can see a form for accessing this bank, and over it the link “Register”, which the user should click to create a digital account.

http://nevele.stage.11paths.com/




Image 14: Nevele Bank Home screen. The arrow shows the location of the registration link.

Once the registration page has been accessed, the user should enter a name, an email address, a password with at least 6 characters and then click the “REGISTER” button. This email does not need to coincide with the email used for creating their Latch account. In this example, an imaginary user named “Antonio García Cepeda” will create a digital account on Nevele Bank.

Image 15: Creation of a new digital account at Nevele Bank, by an imaginary user.




Once the digital account has been created, the offered services will be shown. In this case, they are the change password option and setup Latch service, through the link “Latch Service”.

Image 16: Accessing the Latch service, from Nevele Bank.

2.5 Pairing Latch with Nevele Bank

The user now has an account with the Latch application on their mobile device, and a digital account that they can pair therefore the last step is pairing these two accounts.

2.5.1 Accessing the pairing page The user should access their new digital account at Nevele Bank. If the user ends up creating a digital account, then it will have already been accessed, as can be seen in the above image. In this case the user only needs to click the “Latch Service” link and access the following page, which is shown in image 18.

If they still haven't accessed their digital account with Nevele Bank, they should do so using the form on the home page located in the lower left corner of the screen.

Image 17: Accessing the digital account at Nevele Bank.

After entering the username and password for the digital account at Nevele Bank a page will appear with the operations that the user can perform at the imaginary Nevele Bank. To access the Latch




service the user should click on the name that appears in the upper right portion, corresponding to the name that was used when creating the digital account at Nevele Bank. In this example the name is “Antonio García Cepeda”. You can also do this by clicking on the banner below, on the text "Latch your account now!"

Image 18: Appearance of the digital account when the user accesses it.

Once you have clicked on the username a page for accessing the Latch service for Nevele Bank will appear, which is the same page shown in image 16. From this image the user should click the “Latch Service” link.




Image 19: Accessing the Latch service, from Nevele Bank.

After tapping on the “Latch Service” link, a new page is displayed briefly explaining what Latch is, along with a text box in which you must enter the “Pairing token”. This token is the pairing code generated by Latch.

Image 20: Accessing the page for entering the token generated by Latch.

2.5.2 Generating the pairing code on the smartphone A "pairing code" is simply a set of characters created at random. For Latch the pairing code is composed of 6 characters that can be numbers or letters, both uppercase and lowercase. The next




step is generating the Latch token that the webpage is requesting, as can be seen in the previous image.

To do this you will tap on the “Pair with Latch” button in the central part of the screen of the mobile device. After tapping on this button, you will see a new screen (see Image 22) from which you will be able to access the window in which the pairing code is generated by tapping on the “Generate new code” button.

At the bottom of that window you will find the “How does the pairing work?” button, through which you can access a brief tutorial that explains the pairing process.

Image 21 also shows the “Protect with Cloud TOTP” button. This option is not used at all in Nevele Bank, and it allows to protect the accesses by means of a TOTP (Time-based One Time

Passwords) in certain services that support this technology, such as Gmail, YouTube, Facebook or Dropbox. TOTPs are basically one-time temporary passwords with a specific period of validity that are destroyed when they expire. These temporary passwords are used as a second step in the authentication of a website. In order to use them, the website in question must support this technology. Gmail, Facebook, Dropbox, Amazon, etc. are sites that can be added as a service to Latch and thus protect its access. Appendix I: Protection with TOTP details this options with the Dropbox service.

After tapping the “Generate new code” button, a series of characters will be shown on a new screen (image 23). After clicking this button some characters will appear, as well as a 1 minute countdown bar. The characters correspond to the token that the user should enter into the textbox on the previously shown web page.

The characters should be exactly the same way that they appear on the smartphone, including upper and lowercase letters.

Image 21: Start screen, from which a Latch account can be added

Image 22: Screen where the pairing code is generated.

Image 23: Generated pairing code.




Image 24: Nevele Bank web page where the pairing code generated by Latch should be entered.

The user may incorrectly enter the pairing code. In the following image you can see the error on the Nevele Bank page. The error was that the user entered the last letter, the “h”, in lowercase instead of uppercase.

Image 25: Nevele Bank Page that shows the error message, if the user has entered an incorrect pairing code.

If the pairing code is correctly entered, the webpage will indicate it through the message, and on the smartphone a screen will immediately appear indicating that the digital account has been paired.

Image 26: Message displaying the digital account that was paired.

Image 27: The Nevele Bank webpage showing that the digital account has been correctly paired.

From the previous smartphone screen, the user can access a list of paired digital accounts by clicking on the button “Set up later”, located in the lower part of the screen. That way you will access a new window containing all the paired accounts, among which you will find the Nevele Bank account.

This window is the main Latch window which is divided into 4 parts:

The upper part includes the previously mentioned Latch logo and the “Menu”.




Below these a slider control with the Latch logo will appear, along with the text “Slide to lock all". By tapping on this slider and sliding it to the right all of the accounts under it will be locked, and will remain disabled until the control is moved in the opposite direction.

Then the user's list of paired accounts will appear. Each paired account includes an icon, the name of such account, and a toggle switch, through which the user can lock or unlock such account. Optionally a message can appear under the name of each account indicating that there are operations locked for that account.

Lastly, at the bottom we see the previously mentioned button that gives access to the screen where the pairing code is generated.

Image 28: Nevele Bank as the only paired service.

Image 29: Nevele Bank with other paired services.

Image 30: Operations available on the digital account.

By clicking on the account name (Nevele Bank in this case), the user can access the operations under this account, and manage them, as is shown in the following examples.

In image 30 you can see the Nevele Bank account that includes 4 operations, which are “Login”, "Latch Unpair", "Transfers" and “Credit Cards”. These operations may in turn contain others, thus creating a tree of nested operations.




3 USE EXAMPLES FOR LATCH Once the Nevele Bank digital account is paired with Latch, the user will be able to lock such account so that access to it is limited to your needs.

A few examples will be shown below, in which thanks to Latch you can lock your Nevele Bank account or operations for everyone, and unlock them when you need to use them.

3.1 Example 1: Completely locking a digital account

In this first example, the user from Latch will completely lock their digital account at Nevele Bank, it is impossible to access this account from the Internet unless the user first unlocks it from Latch.

To demonstrate this example, the user should, from the mobile device, click on the grey button located to the right of the account name, belonging to the Nevele Bank digital account (image 31). After clicking this button, the color will become green, (image 32) this will indicate that the Nevele Bank digital account will be locked, and then it cannot be accessed from the Internet. You also won't be able to perform any internal operations that were included (in this case “Login”, "Latch Unpair", "Transfers" and Credit Cards”, seen in image 30).

Image 31: An unlocked Nevele Bank digital account. Image 32: A locked Nevele Bank digital account.

Once the Nevele Bank digital account is locked, the user should verify that it cannot be accessed. To do this, they should visit the home page of Nevele Bank (http://nevele.elevenpaths.com), and on the registration form attempt to access it by entering their name and their password, as has been shown previously, in image 17.

The following images show:

Locking the Nevele Bank digital account as performed by the user on their smartphone.

The webpage form into which the user should enter their username and password to access this digital account.

http://nevele.elevenpaths.com/




Image 33: Locking Nevele Bank with Latch.

Image 34: Attempting to access a digital account at Nevele Bank.

The result will be that Nevele Bank will not allow access over the Internet. The user can see a message on the webpage showing that it cannot be accessed. Additionally on the user's mobile device they will receive a notification indicating that an unauthorized access attempt has been made to their Nevele Bank digital account.

Image 35: Notification of the Nevele Bank unauthorized access attempt.

Image 36: Message stating that the Nevele Bank digital account cannot be accessed.

For the user to be able to access their digital account, they should unlock their account from Latch. To do so, click on the green button, located to the right of the account name. You can also click




directly on the button “Unlock service” which appears on the notification screen of the smartphone (image 35). Once the digital account has been unlocked, they should access Nevele Bank again indicating their username and password like they did before.

The result will be that now they can access their digital account and perform any operations that they need to.

)

Image 37: Unlocking Nevele Bank by the user with Latch.

Image 38: Appearance of the Nevele Bank digital account when it is correctly accessed by the user "Antonio García Cepeda”.

3.2 Example 2: Locking some operations of a digital account

In this second example, the user from Latch will lock some operations of their digital account at Nevele Bank, it will be impossible to access such operations from the Internet unless the user first unlocks it from Latch.

On the mobile application, we can see that the Nevele Bank account has nested operations. To see these the user simply needs to click on the name of the digital account (image 39), and a new screen will be shown (image 40) with various options:

A button in the upper left part of the application that shows the name of the digital account (Nevele Bank) which the user has accessed. From this button the user can return to the screen that shows the list of digital accounts paired. The “Menu” button appears to the right.

The previously mentioned "Slide to lock all" control..

A list with the available operations. In this case there are 4 operations: “Login”, "Latch Unpair", "Transfers" and “Credit Cards”, each one of these can be locked or unlocked by Latch, thanks to the button on the right. Each one of these operations can in turn include others, which will have the same structure.

The user should click on the name of the “Transfers” operation to access its content. It can be seen in a new window that this in turn includes two more operations, which are “LocalTransfer” and “InternationalTransfer” (image 41). Such operations will be the same ones that appear on the website when the user has accessed their digital account, as is shown in image 43.




Image 39: Accessing available operations at Nevele Bank.

Image 40: List of operations on the Nevele Bank digital account.

Image 41: Operations included under the “Transfers” operation.

In this example “LocalTransfer” will be locked, so that the user cannot perform this type of transfer. The difference is that the entire digital account is not locked, just the selected operation. The process is the same as in the previous example, and the steps to be followed are similar:

1. Lock by the user of the “LocalTransfer" operation, by clicking on the button located to the right of this operation.

2. Attempt by the user to perform a local transfer, from the corresponding Nevele Bank webpage: https://nevele.elevenpaths.com/localTransfer. This page is accessed under the “Local” link of the “Operations” page, which appears when the user accesses the Nevele Bank webpage.

Image 42: Locking local transfers at Nevele Bank.

Image 43: Access to local transfers by the user on the Nevele Bank webpage.

https://nevele.elevenpaths.com/localTransfer

https://nevele.elevenpaths.com/localTransfer




Once the user has accessed the webpage and the operation “LocalTransfer” is locked by Latch, they should attempt to make a transfer, at first it will seem like it is possible.

Image 44: Start the transfer supposedly locked by Latch.

When the user clicks the “TRANSFER” button, Nevele Bank will indicate that the transfer cannot be made because it is locked by Latch. Like in the previous example, the smartphone will receive a notification indicating that there was an access attempt on a locked operation.

Image 45: Access attempt of the “LocalTransfer” operation.

Image 46: Indication from Nevele Bank that it is not possible to perform the indicated operation, since it has been locked by Latch.

Like the previous example, to make a transfer the user should unlock the operation from Latch and then attempt to make the transfer again. To unlock the operation the user has three options:

1. Click directly on the “Unlock service” button which appears on the notification screen.

2. Access the locked operation following the above steps, and tap on the pertinent button.

3. Access the operation details, and move the slider control to the right. After this the operation status will change automatically and it will appear as such in the previous views.




Image 47: Unlock the operation from the notification.

Image 48: Unlock the operation from the name of the operation.

Image 49: Unlock the operation from its detail view.

After these actions, the result will be that now it is possible to make the transfer, since that transfer has been unlocked by the user at the necessary time.

Image 50: Transfer performed correctly after unlocking it from Latch.

3.3 Example 3: Activating "Schedule locked"

(This option may not be available for some services or operations, since the "Autolock by use" option may prevent this).

In this example, the user from Latch will perform the “Schedule lock” activation for the “LocalTransfer” operation from their digital account at Nevele Bank, making it impossible to access such account from the Internet outside of the schedule established by the user.




This example will start with the same situation as before, from an operation of a digital account. Therefore, the user should click the “LocalTransfer” operation name, and will access the operation details view (image 52) where other options related to it can be set-up, one of these is called “Schedule lock”.

Image 51: Access other options for “LocalTransfer”. Image 52: Detailed view of the options available for “LocalTransfer”.

To activate “Scheduled lock” you should tap gray's button to launch the “Schedule lock” section located at the bottom of the screen, (image 52).

This section displays a bar that includes two circles on each side, each one has the image of a lock. The circle with the open lock indicates the time in which the operation will be unlocked, and the circle with the closed lock indicates the time in which the operation will be locked.

Each one of these circles are sliding controls that you can move from left to right to set the schedule in which the operation is locked. The lapse of time for which the lock is established can be seen on the bar itself, which will be marked with a darker color.

The area in which the operation is unlocked will remain unmarked. These controls can be slid by moving one over the other to configure different schedules, (images 53 and 54).

The schedule can also be seen next to the “Schedule lock” text, which as the controls are moved they will change, adapting to the hours selected by the user.

Simultaneously the status of the operation can change (“locked” or “unlocked”) based on the current time that is included between those selected by the user. You can see this because of the status of the sliding control in the upper section.




Image 53: Locked status from 12:00 to 00:00. Current status: locked.

Image 54: Locked status from 19:00 to 07:00. Current status: unlocked.

Image 55: Clock icon on the operation with the "Scheduled lock".

When setting a "Scheduled lock" the operation will display a clock icon on the operation button. Which will indicate if the operation is locked or unlocked at that time, depending on the time you have set up for the lock.

You can deactivate the “Scheduled lock” by tapping on the button located next to the text “Schedule lock”, which will change the status to “OFF”. In the case of deactivation the last configured schedule will be kept, which will go into effect when the user activates this mode again.

If attempts are made to access the operation during unauthorized times, the website will indicate that it is locked by Latch. Additionally the user will receive a notification similar to that found in image 47.

Image 56: Locking the operation from 12:00 to 00:00.

Image 57: Locked transfer because it was attempted during an unauthorized time.




Image 58: Locking the operation from 00:00 to 12:00.

Image 59: Transfer performed during a schedule allowed by Latch.

3.4 Example 4: Activating the second security factor

(This option may not be available for some services or operations, even though Nevele Bank does support it).

In this example, the user from Latch will establish a security factor for an operation on the digital account at Nevele Bank. Such new factor consists in the webpage requesting from the user a password that has been sent to their phone. If the user does not enter the password into the webpage, the operation in question cannot be performed. This example will start with the same situation as before, from an operation of a digital account, for example “InternationalTransfer”. Therefore, the user should click the operation name, and will access the operation details view where other options related to it can be set-up, one of these is called “One-time password”.

Image 60: Access the operation details view for

“InternationalTransfer”.

Image 61: “One-time password” in “Off” status.

Image 62: “One-time password” in “On” status.




To activate the "One-time password" the user should click the button highlighted in image 61. It can be seen that in addition to the status change of the button, a button with the text “Send password again” will be shown under this element. Through this action the user will have activated the "One-time password", and they will receive a password if they attempt to make an “International Transfer” transaction on the Nevele Bank website.

To verify it the user should access the webpage and attempt to make an “International” transfer, at first it will seem possible.

Image 63: Start of the supposed transfer which will request the "One-time password".

By tapping on the “TRANSFER” button, a new screen is displayed asking for the one-time password sent to your mobile device.

Image 64: Latch Notification. Image 65: Password request from Nevele Bank.

To access the password received on the smartphone, the user has two options:

1. Show all of the current notification on the smartphone and select the one received from Latch, (image 66).

2. From the Latch application, click the button in the lower part of the screen shown in image 67.




Either one of these will show the token, as can be seen in image 68.

Image 66: Different notifications from those found on Latch.

Image 67: Access the token from Latch, clicking on the button.

Image 68: Token generated for the “One-time password”.

Once the notification has been received on the smartphone, the user should enter the token from the notification shown in the textbox on the webpage, as is shown in the following image.

Image 69: Entering the password received on the smartphone.

After clicking the “CONFIRM” button, Nevele Bank will verify if the entered token is exactly the same as the one sent to the smartphone. If yes, Nevele Bank will accept the operation and the result will look like the following image.




Image 70: Result of having correctly entered the token.

If the user had not correctly entered the password, Nevele Bank will display a warning message. In the following image we can see that the first character has been entered in lowercase, this makes Nevele Bank request the password again. Nevele Bank allows 3 attempts at entering the token, if the correct password is not entered the operation will be temporarily locked, (image 73).

Image 71: Result of having incorrectly entered the password.

It is important to note that in order to receive the one-time password on your mobile device, you must be logged into your Latch. It is not necessary to run the app in the foreground

(although it is recommended). If you have not logged into Latch, you will not receive the one-time password. In such a case, you will need to log into Latch, and tap on the “Forgot my password” button (see Image 67) to receive a reminder of your password.

3.5 Example 5: "Autolock by time" and “Autolock by use”

3.5.1 Autolock by time In this example the user from Latch will establish an “Autolock by time” during a determined time. Using this option is very simple: the account or operation will be automatically locked after the amount of time set by the user, without needing to lock it manually.




The usefulness of this function is obvious when a user forgets to lock the account or operation after finishing their activities on the Nevele Bank web page. Thanks to “Autolock by time” Latch will be able to perform an automatic lock to avoid potential intrusions or actions.

Image 72: Access to the Settings menu.

Image 73: Setting up the "Autolock by time" time.

Image 74: Establishing "Autolock by time" in 5 minutes.

This example will start with a situation in which an “Autolock by time” will be set for the “Login” operation. To do so you must go to the "Autolock by time" section (image 73) included under the "Settings" option of the Latch "Menu" (image 72). On this screen the duration of the "Autolock by time" can be set. This duration will be shared by all of the services that use the "Autolock by time".

Once the duration has been defined, from the details screen of the "Login" operation you can activate or deactivate the "Autolock by time" (image 74). When “Autolock by time” is activated, Latch takes into account the time when you perform the operation ("Login" in this case), so that once the time set for the "Autolock by time" has passed, it is automatically locked.

The “Autolock by time” configuration will be retained until the user manually deactivates it.

3.5.2 Autolock by use (This option may not be available for some services or operations, even though Nevele Bank support it, the images displayed below are mockups). "Autolock by use" means that, once you have accessed your service or operation, Latch closes it again automatically. It is similar to "Autolock by time" but with a duration of 0 seconds. The advantage is that your service or operation is only available when you have unlocked it manually.

Where it is available, "Autolock by use" can be compulsory or optional. If it is set up as compulsory, you will not be able to manage it and the service or operation will be locked automatically when you have accessed it (image 75). In this case the "Schedule lock" option will disappear from the detail view, since the very nature of "Autolock by use" makes the function of the "Scheduled lock" option impossible.

Where it is optional and it is you who decides whether or not to use "Autolock by use", the new option will appear between "Autolock by time" and "Scheduled lock" (image 76).




Image 75: "Autolock by use" mandatory. Image 76: "Autolock by use" optional. Image 77: Autolocks deactived by the “Scheduled lock” option.

It's important to note that neither “Autolock by time” nor "Autolock by use" can be used together with the “Scheduled lock” seen in the previous example. You can see that the "Scheduled lock" option deactivates when either of the two types of autolock are activated and viceversa (see images 76 and 77). Therefore, it is not possible to simultaneously establish a “Scheduled lock” and any of the autolock.

3.6 Example 6: Inherited locking for operations on a digital account

In this example, using Latch you will lock an operation that in turn has internal operations.

When you lock an operation that in turn has internal operations all of these will go to “locked” status, regardless of their previous status. If you lock the entire account, the internal operations that it contains will have the status “locked”.

This example will start from the internal operations of Nevele Bank, specifically from the “Transfers” operation (image 78). After accessing the internal operations you will drag the slider control to lock all available transfers. (image 79).

After toggling this control both the internal operation “LocalTransfer” and “InterantionalTransfer” will be locked even though the status of the button located to the right of each operation will retain its previous status (image 80).

Additionally text describing the situation will be displayed: “Access to sub-operations has been disabled. To access or adjust them, remove the lock.”




Image 78: Accessing the details of the "Transfers" operation.

Image 79: Control to activate “Total lock”.

Image 80: “Total lock” of all “Transfers” operations.

As can be seen after reading this text, the “Total lock” mode implies that the details configured for each operation, at the moment are not valid. This means that even though the operations “LocalTransfer” or “InternationalTransfer” were configured in a “Schedule lock” or an “Autolock by time” they will not be taken into account, since “Total lock” mode will override them.

Additionally, you won't have the option to access any of these operations independently, since they will be disabled until you deactivate “Total lock” mode.

When unlocking the "Total lock enabled", all states ("locked” or “unlocked”) and characteristics of each operations (“Autolock by time”, "Autolock by use", “Scheduled lock”, “One-time password”) will revert to their previous states (before toggling the "Total lock enabled" on).

3.7 Example 7: Unpairing the Nevele Bank digital account

The unpairing of an account means that the protection given by Latch is lost. This is a critical operation, since by losing the protection that Latch provides, the account will always be open to potential intrusions. Because of this, many services (Nevele Bank included), have added an operation to the app that locks and unlocks the unpairing of the account, thus preventing a potential intruder from unpairing your account and causing the loss of the protection given by Latch.

In this last example, you will lock the unpairing of your account through the app with the “Latch Unpair” operation (see Image 81), and then you will try to perform the unpairing. You can do this from the same section as the pairing, by tapping on the user name at the top right of the window, and then on the “Latch Service” link.

After that, a new page will show indicating that you are paired with Latch, and your Latch identifier and a button with the text “UNPAIR YOUR ACCOUNT”, which you will need to tap to unpair the account, will be displayed (see Image 82).




Image 81: Locking the unpairing of the Nevele account.

Image 82: Attempted unpairing of the account.

After tapping on that button, you will receive a notification that there has been an attempted access to a locked operation, and a message will be displayed on the website indicating that the operation has been locked.

Image 83: Notification of attempted unpairing of the

account.

Image 84: Warning that the unpairing operation is locked.

In case you are sure that you want to unpair your Nevele Bank account, you must unlock this operation and then tap on the “UNPAIR YOUR ACCOUNT” button.

Coherently, when you perform an unpairing, all the settings you had established through Latch are lost.




After confirming that the final unpairing has been confirmed, you will receive a notification that the account has been unpaired (image 85) and Nevele Bank will disappear from the list of accounts (image 86), the previously shown welcome message will appear if the user did not have a paired account (image 87).

Image 85: Notification that the Nevele Bank account has been unpaired.

Image 86: Appearance of Latch after unpairing the Nevele Bank account, if

other account is paired.

Image 87: Appearance of Latch after unpairing the account, if no other

account is paired.

AFTER UNPAIRING, THE USER MAY ACCESS THEIR ACCOUNT AND PERFORM OPERATIONS, IN THE EXACT SAME AS BEFORE THEY PAIRED IT WITH LATCH. THE DISADVANTAGE WILL BE THAT YOU HAVE LOST THE ADDITIONAL LAYER OF SECURITY THAT LATCH PROVIDES.




4 SERVICE PROVIDER ACTIONS The service provider is the one who offers the service to the users, and the one who has set up Latch and some of the characteristics which this offers such as an additional security system for the service. It is the service provider who indicates whether or not this supports a second security factor, whether internal operations are available or whether the service allows “Autolock by use”.

4.1 Locking and unlocking by the service administrator

The service administrator has the ability to lock or unlock your operations in Latch, in the same way that we would do it by smartphone.

This option is useful for many different situations, for example if you need to access a service that we have locked, and you don't have the option to unlock it from your Latch account on the phone or for other reasons (loss, damage, theft, etc.), if the administrator is performing maintenance on the service servers, if you need to lock an operation that you know you have unlocked, etc.

In any of these cases you can contact the service provider to request that it unlock or lock it.

The actions performed by providers, are easily identified because they appear in orange on the mobile application.

Image 88: Notification that the service provider has in some way modified the account latches.

Image 89: Actions performed by the service administrator are highlighted in orange. The orange mark indicates

Nevele Bank includes an operation modified by the service administrator.

You can lock and unlock your services and operations as usual at any time. In such a case, the orange notices disappear, as they are just an indication that the service provider has modified one or more latches of the service.




4.2 Disabling and restoring the service

It may occur that the service provider has temporarily disabled Latch protection. This situation may arise at any time, that is, just when you have paired, or the service has already been paired and is in full operational mode.

In any case you will be informed by telephone and advised to contact your service provider and provide him or her with a code to be shown on the notification itself. The service provider contact details were given at the time and appear at the bottom of the notification.

When Latch is disabled the service and its content are unlocked, so the additional security provided by Latch is lost, and it will appear in the list of services in a transparent tone

If the service is later enabled, you will receive notification of the new situation. After restoring the service, configurations set for each of the operations (Autolocks, scheduled locks, one-time password, etc.) are restored.

Image 90: Notification of service disabled in full operational mode

Image 91: Transparent tone and unlocking of the disabled service

Image 92: Notification that the service has been restored




5 LATCH OPTIONS AND CUSTOMIZATION

5.1 Renaming and reordering services and operations

You can change the name of services or operations on your mobile device. To do this you just need to access the service detail display, press down on the name which appears at the top and rename it. To change the name of an operation you should access the detail display of the same and press down on the name of the operation. This change will only affect the service or operation within the Latch application. If you pair the service again in the future, both the service and the operations will reappear with their original names.

Image 93: Changing the name of operation Transfers by "bank transfers"

Image 94: Reordering operations. Moving Credit Cards to the first position.

You can change the position of a service or operation in a list to place it where you wish. To do this, simply press down on the service or operation and then move it up or down (see image 94).

5.2 Contextual options of services and operations

Access to these options will be slightly different depending on the platform used:

On Android, BlackBerry and Firefox OS, you can access these options by tapping on a service or operation and holding for a few seconds.

On iOS and Windows Phone, you can access these options by sliding a service or operation to the right.

Available options depend on whether you are accessing from a service or from an operation. If you access from a service, options also vary depending on whether or not that service includes operations. There are four available options (Rename, Move to, Silence and Log).




Image 95: Contextual options of the Nevele Bank service on Android.

Image 96: Contextual options of the Nevele Bank service on iOS.

Available options depend on whether you are accessing from a service or from an operation. If you access from a service, options also vary depending on whether or not that service includes operations. There are four available options (Rename, Move to, Silence and Log).

5.2.1 Rename It is the other way of renaming services and operations, and it is available in both of them. In the event that you choose a very long name, suspension dots appear at the end of it. The name must always include some text, otherwise the original name will be the one displayed.

Image 97: Accessing the “Rename” option. Image 98: Renaming the “Nevele Bank” service “Banco Nevele”.




5.2.2 Move to Only available in services, it allows you to move services to groups or to create groups. The aim is that you have the services organized at your own discretion. Its functioning is similar to that between files and directories. You cannot create groups within groups and, in the event that you delete a group that included services, these services would fall outside the group, as they previously did.

Image 99: Accessing the “Move to” option.

Image 100: Creating the “Banking institutions” group.

Image 101: “My Nevele Bank” already included in the “Banking institutions”

group, along with the “Cajamar Bank” service.

5.2.3 Silence Available both in operations and in services, if active, a crossed-out bell icon is displayed next to

the name. This option prevents the receipt of notifications of “Attempted access” or “Service accessed” regarding that service or operation.

Image 102: Accessing the “Silence” option. Image 103: Icon for the “Silence” option.




5.2.4 Log Available in services without operations as well as in operations (provided that such operations do not include internal operations). This option displays a history of the events carried out with the service or the operation, and their number.

You can access the Log window either from the context menu or with the button at the top of the details view.

The Log window is divided into three distinct parts:

The upper part of the window includes buttons to set the time interval and the events you want to include in the history. This shows all events for the current day by default. An icon and a color identify each event.

The central part includes a history with each of the events carried out, plus the date and time when they took place.

The bottom part includes a button to display usage statistics. It basically shows the history data in numeric mode.

Image 104: Accessing the Log window of the InternationalTransfer operation

from the context menu.

Image 105: Log window buttons, event history between days 16/02/2016 and

16/03/2016, and Statistics button.

Image 106: Events available that can be accessed via the flag-shaped

button.

5.3 The Latch lateral menu

Latch's side menu mainly contains setup options for Latch, and information regarding its use. Additionally, it displays the name of the session that you used to access Latch, and gives you the option to log out, making it necessary to re-enter your username and password to log in again.

From this menu various Latch screens can be accessed, and this will always be done using the button located in the upper right corner.




Image 107: View of the side menu. Image 108: Access from the home page.

Image 109: Access from paired accounts.

Image 110: Access from operations on paired accounts.

Image 111: Access from account details or operations.

Image 112: Access from the instances window.

The options displayed on the side menu are the following:

Setttings: In the following image, we can see 4 different sections that are perfectly defined, which are explained below:




Image 113: Options available under the "Settings" section.

1. Notification sounds: Activating this option will make Latch notifications audible when they are received while the phone is locked. If the phone is unlocked the notification will be received, but it will not be audible. These notifications can be any of those previously seen in the above examples.

2. Report access to unlocked services: By activating this option you will receive a notification when you access a service that is paired with Latch. This service may be accessing the account itself or an internal operation. In this notification a warning icon will appear under the service logo and button for locking it.

Thanks to this option you will be able to know at any time if your service is being accessed, and you can lock it at any time.

Image 114: Unlocked "Login" operation. Image 115: Notification received by accessing Nevele Bank while the operation is unlocked.




3. Ask for password: Through this option you can indicate how often Latch will request your username and password.

The default value is “Never”, for this reason when you access Latch for the first time you will no longer need to enter your username and password, even when you turn off your mobile device. Thanks to this option you can add an additional layer of security when accessing your Latch account.

If you select the “Always” option (see image 116), you will need to enter your password each time you attempt to access Latch (see image 117). Also, if you receive a notification regarding an access attempt, whether this was or was not authorized, in the notification there will not be any button for performing the corresponding action (see image 118). In this way, you can be sure that no action will be taken unless you have previously accessed Latch.

Image 116: Option for Latch to always request your password.

Image 117: Password request after selecting the "Always" option.

Image 118: Notification without a button.

4. Autolock time: This option which was shown previously in example 5, is used to set the "Autolock by time" time for all of the services (image 73).

About Latch: Simply displays a summary of Latch functions. It also lets you see the product version (see image 119).

Tutorial: This tutorial shows a series of 9 screens that summarize Latch's operation (see image 120).

Help: Contains two buttons from which you can access the answer to any question you have regarding Latch (see image 121).

You can find the answer to almost all of your questions on the Latch website, specifically under the “Help” section (see image 123). You can access this section on your cellphone using the first button. If the “Help” section does not answer your question, you may directly contact Telefónica Digital España by email to ask your question by using the second button. In that same email you can include your suggestion and opinions of the product.

Terms of use: On this screen the Latch web pages can be accessed, which will display the legal information available for all of the users who wish to use Latch. This information includes Latch features related to its legal aspects (see image 122).




Image 119: "About Latch" screen. Image 120: Second "Tutorial" screen. Image 121: "Help" screen.

Image 122: "Privacy and Terms" screen.

Image 123: Access help on our website: https://latch.elevenpaths.com/.

Image 124: “Security adjustments” screen with options “Sessions Management” and “Change

Password”.

Security settings: This screen has two different parts:

1. Session Management: Here you can see which devices are currently logged in with your Latch account. Data from the current mobile device are displayed at the top; these data include the operating system and device type. Then, the “OTHER DEVICES” section is displayed, including a list of devices on which the account is currently active, either because another user has logged into it or because you forgot to log off on such devices.




This list also shows the operating system, the type of device in which the login took place, and even its last use. From each of the list elements, you can remotely log off on each of these devices using the cross-shaped button. You can simultaneously close all sessions in every device (except your own), using the “CLOSE ALL” button at the bottom of the list (see Image 126).

In the event that the same session is logged in on a device, you will receive a notification indicating the specifications of the device detected (see Image 125).

Image 125: Notification warning that your session has been started on

another device.

Image 126: Warning that sessions will be logged off in the other devices.

Image 127: "Reset password" screen.

2. Change password: From this screen you may access your password for accessing Latch. This password is the same one that you indicated when you created your account (see image 10). To change your password you should enter the email address that you use to access Latch, and at that address you will receive information on the steps that you should take (see image 127).

If you change your password you will be logged out of any open Latch sessions on your mobile devices, and you will have to enter the new password when you access Latch again.




6 CUSTOMIZING ACCESS ENVIRONMENTS AND CREATING INSTANCES IN NEVELE BANK

There are two functionalities in Nevele Bank that will extend Latch’s versatility. With them you can protect your accesses via certain environments, as well as protect instances of certain elements.

6.1 Customizing access environments

Usually, all users have their own devices (desktop computers, mobile phones, tablets, etc.) –which include one or more browsers (Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Safari, Konqueror, etc.)–, with which they access their own digital accounts (bank, email, social networks, etc.).

The concept of "access environment" in this guide refers to the inseparable couple "device-browser".

The purpose of customizing access environments is to be able to identify each of these environments in order to lock or unlock them like we do with services and operations.

Nevele Bank allows you to identify each of your access environments. In order to do so, pairing with Nevele Bank is necessary.

To customize an access to Nevele Bank, simply log in with a particular browser (Opera in this case) –the floating window “New device detected” will appear after logging in–, enter a name that describes such access, (“Access Opera” in this example) and click in the “Trust Device” button.

Image 128: Creating a custom “access environment” with the “Opera” browser.




Then, the new internal operation “Access Opera” appears in the Nevele Bank “Login” operation. This window also shows the “Unknown Devices” operation, used to lock access to Nevele Bank from any access environment that has not been established.

Image 129: Accessing the “Login” internal operations. Image 130: New access created.

From now on you can lock access to Nevele Bank from any computer except on the one on which you created this access, provided that you access with the Opera browser. This allows you to further secure your access, as only you know how and only you have the computer and browser needed for the access.

Image 131: Locking access to Nevele from all sites except from the Opera browser on the computer on which

you created the access.

Image 132: Message from Nevele after an attempted access with the Internet

Explorer browser.

Image 133: Notification of attempted access via Internet Explorer.




However, access from the Opera browser and from the same computer that created such access is allowed (see Image 135).

Image 134: Access granted from Opera. Image 135: Successful access to Nevele Bank with Opera.

Once created, you can delete the desired access environments from the “Explore your devices” section. You can access this section by tapping on your Nevele Bank username at the top, and then on the “Protect your account” menu (see Image 136).

A table listing the names of all the settings you've created, the date and time of the last access and a button to remove that environment will be displayed (see Image 137). Once an environment has been deleted, it disappears from the Latch app.

Image 136: Accessing the access environments created. Image 137: Table with created access environments and their characteristics.




6.2 Creating instances

Instances are somewhat similar to a “custom operation” that allows each Nevele Bank account to be unique in relation to the operations it protects. The notion of instance can be extrapolated to bank credit cards: “Every bank user has a certain number of cards, and each of the cards is completely different from the others.”

With Nevele Bank you can create your own credit cards and these will appear in Latch, in the same way that a real bank could provide you with a number of cards that you would have to protect one by one

In order to create an instance (credit card) in Nevele Bank, you must click on the Nevele Bank logo at the top left of the window, then click on the “Operations” section, on the “Credit Cards” link, and finally on the “REQUEST CARD” button.

Image 138: Creating a custom instance.

After following these steps, a credit card is created in Nevele Bank, and such card appears as a sub-operation of “Credit Cards” in the Latch app (see image 139). This sub-operation’s format is “Card *XXXX”, where XXXX equals to the last 4 card numbers (in this case, 0221).

Image 139: Created instance. Image 140: Nevele Bank credit card.




From this point, you can check the status of the card by simply clicking on the “TEST PAYMENT” button, which depending on whether or not the card is locked in the app, displays one message or another. If it is locked, you will receive a notification of attempted access.

Image 141: Card locked. Image 142: Message with locked credit card. Image 143: Notification of locked card.

You can add as many instances (cards) as you like and they will all show in the app. You can remove them one by one by clicking on the “REMOVE” button.

Image 144: Created instances. Image 145: Nevele Bank credit cards.




7 APPENDIX I: PROTECTION WITH TOTP TOTP stands for Time-based One Time Passwords. They are basically similar to OTPs or one-time passwords, but they also have a limited duration. After this time the password is no longer valid.

Latch allows to include in its list of services those that support TOTP as the second authentication factor. Examples of these services are some as popular as Gmail, Facebook or Dropbox.

These services can coexist perfectly with the paired services (such as Nevele Bank), however, Latch only provides the TOTP necessary to access these services, and the rest of the Latch configurations that are already covered in this manual are not available for them.

For example, options detailed in section 3 (“Total lock”, “Scheduled lock”, “Autolock by use” and “Autolock by time”) do not exist in TOTP services.

However, options detailed in section 5 (“Rename” and “Move to”) are available, as well as a new one: “Delete”.

In this manual we will learn how to protect our Dropbox account with a TOTP that we will include in Latch. The protection of other services that use TOTP is generally very similar, so in essence, the steps to be performed are the same that those explained here.

7.1 Inclusion of the Dropbox TOTP in Latch

The first thing to do is to access your Dropbox account, specifically the “Security” tab in the “Settings” menu. In this tab you have to enable the “Two-step verification” option, which by default appears as “Disabled”.

Image 146: Enabling the two-step verification in Dropbox.

After enabling this type of verification, Dropbox displays a descriptive message of the TOTP itself. The “First steps” button gives way to the whole process that, for security reasons, forces us to re-enter the access password to Dropbox.

This behavior is common in sites where TOTP is used. Precautions are taken to avoid potential phishing attacks.




Image 147: General explanation of the two-step verification.

Image 148: User identity security verification.

After verification from Dropbox that the user is correct, you will be asked how would you like to receive the security codes (TOTP). Here you have to choose the option that refers to the mobile app (default option), since you will use Latch to access these security codes.

This is something that Dropbox does not know and that it has no relevance to it whatsoever. Dropbox simply generates the TOTP from time to time (30 seconds) and it does not care how

the user gets those codes.

Image 149: Choosing the mobile app (in our case, it will be Latch) as recipient of security codes.




In Dropbox (and in the main sites susceptible to be protected with TOTP) you can configure TOTP authentication in two ways: including a secret key or scanning a QR code.

Image 150: Choosing the TOTP authentication configuration.

Latch adapts to this circumstance and supports the inclusion of the TOTP in those two ways.

Image 151: Adding a new service in Latch.

Image 152: Specifying that the service to be added is a TOTP.

Image 153: Choosing one of two forms of authentication.

After making any of these inclusions, the verification is then activated and therefore we will need the TOTP to access Dropbox.




7.1.1 Including the Dropbox TOTP in Latch using the secret key In this case you must tap on the “Enter key manually” button in the Latch app, and click on the “Enter your secret key manually” link on the Dropbox website.

Image 154: Enter key manually. Image 155: Choosing a manual key entry.

After this, the website will display a key to be introduced in the Latch app. The values “Service name” and “Account name” are customizable.

Image 156: Entering the key manually. Image 157: Display of the key in Dropbox.




After entering the secret key, you will receive a notification on your mobile device indicating that the TOTP service has been added. After closing the notification, it will be displayed as one more service in the list, with a “PIN” button that will show the TOTP necessary for validation (see image 159).

Image 158: Notification that the TOTP has been created.

Image 159: TOTP service added together with another service.

Image 160: Dropbox TOTP code.

When you tap on this button, the TOTP code is displayed, which consists of a 6-digit number. To the right of it you will see a clock-shaped circle, which indicates the duration of the TOTP (see image 160).

In theory, when the time is up, the TOTP is no longer valid, however, because its duration is very short, some services allow the code to be valid for a few more seconds. In Latch, when

three-quarters of the time have elapsed, both the code and the clock are highlighted in red.

Once the TOTP has been added to Latch, click on the “Next” button on the web page (see image 157). After this, Dropbox requires that a TOTP is entered to verify that the “two-step verification” process has been indeed successfully completed. The next step therefore is to tap on the PIN button of the Dropbox TOTP (see image 160) and enter that code in the web page (see image 161).

Image 161: Entering the TOTP to verify that the two-step verification has been configured correctly.




When using TOTP, it is imperative that the date and time of the mobile device are correct. For this, their configuration on that device must be set automatically. If they have been manually

set, the process will not work.

Image 162: Invalid code because the device time was set manually.

Once the Dropbox TOTP has been verified, one last window is displayed in which we must click on the button to confirm the two-step verification.

Image 163: Final confirmation of acceptance of the two-step verification.

7.1.2 Including the Dropbox TOTP in Latch scanning the QR code The process is analogous to the previous one. In this case, you must tap on the “Scan QR code” button in the Latch app. Then, the camera application of the mobile device will be launched and we will have to frame the QR code of the web page in the camera.




Image 164: Accessing the camera on the mobile device.

Image 165: QR code to be photographed.

When the QR code is correctly detected, a window is displayed in which we can customize the username that is accessing ([email protected] in this case). A notification will then be displayed.

Image 166: Floating window to customize data. Image 167: Notification of TOTP created.

After closing the notification, it will be displayed as one more service in the list, with a “PIN” button that will show the TOTP necessary for validation (see image 159 and 160).

mailto:[email protected]




7.2 Using the Dropbox TOTP in Latch

To test the TOTP you have to log out in Dropbox and then access with your credentials as usual. The difference is that after correctly entering the credentials, Dropbox will request a code that is precisely the TOTP.

Image 168: TOTP generated. Image 169: Dropbox TOTP request.

After successfully entering the TOTP, you can access Dropbox (see image 170). In case you enter a code other than expected, Dropbox will display an error message.

Image 170: Correct access after entering the TOTP.

Image 171: Error message in Dropbox after entering an invalid TOTP.




7.3 TOTP options in Latch

The TOTP service includes a number of options in the context menu. These options are the same as those described in the “Contextual options of services and operations” section, although not all of them are included. The “Rename” option refers only to the name of the service, the text that appears under the service name and that matches the account name cannot be edited. The “Move to” option works just as if we moved a service.

7.3.1 Deleting a TOTP It is imperative to disable the “two-step verification” from the website that we are accessing (Dropbox in this case). Until this is done, you should not under any circumstances delete the TOTP from Latch.

If it is not previously disabled, and the TOTP is deleted directly from Latch, the consequences are serious. This is because to access the website, the TOTP will still be

needed, and having removed from Latch the service that was the one showing said TOTP, IT WILL NOT BE POSSIBLE TO ACCESS THE SERVICE. It is therefore essential to disable the “two-step verification” in advance and later delete the service in Latch if it is no longer wanted. Given the importance of the process, Latch warns with an informative message of what will happen before proceeding to the definitive elimination of the TOTP (see image 174).

The disabling of the service is carried out from the same website from where it was enabled. Therefore, you must access your Dropbox account, specifically the “Security” tab in the “Settings" menu. In this tab you have to disable the “two-step verification” option, which will appear as “enabled”.

Image 172: Disabling the two-step verification.

To verify that the disabling has been carried out, you have to log out in Dropbox and try to access again with your credentials. Since the “two-step verification” is disabled, you can access without the need for the TOTP.

After completing this final check, you are ready to delete the TOTP from your Latch app. This can be done with the “Delete” button of the context menu, although before the final elimination Latch will display a warning message prior to the final deletion.




Image 173: Accessing the deletion of the TOTP.

Image 174: Pre-removal warning message.

Image 175: Deletion of the TOTP completed.




8 APPENDIX 2: NOTIFICATIONS SUMMARY IN LATCH Latch notifications are very important and descriptive, as they provide information about almost every situation related to Latch taking place in the service.

To receive a notification on a mobile device, it is essential to have logged into Latch on that device. Some notifications include buttons to interact with the app, which for security reasons will not be displayed if you set option “Ask for password” to “Always”.

You may receive up to 10 different notifications from Latch, although it is likely that you never receive some of them, as they are linked to special and unusual situations.

FIGURES CHARACTERISTICS

TITLE: New service

You receive this notification when pairing with a new service. It includes two buttons:

Configure now: If the service has operations (e.g. Nevele Bank), this notification redirects you to the list of said operations (see image 30).

Configure later: It redirects you to the list of paired services (see image 29).

If the option “Ask for Password” (see image 120) is set to “Always”, said buttons are not displayed.

Image 176: New service. Image 177: New service without buttons.

TITLE: Attempted access

You receive this notification when you try accessing a service or operation locked by Latch. It includes the “Unlock service” button. If you tap on this button, it unlocks the service or operation, and thus you can try to regain access to it.


The notification can show the e-mail and telephone that the service provider established to contact them, (by default, Nevele Bank does not show them, these images are a simulation). Image 178: Attempted access. Image 179: Attempted access

without button.





TITLE: Service accessed

You optionally receive this notification when you access an unlocked service. It is especially useful to find out if an intruder knows the access credentials to your paired service.

This notification includes the “Lock service” button. When tapped on, this button locks the service or operation, which is then protected against an attempted access.


The notification can show the e-mail and telephone that the service provider established to contact them, (by default, Nevele Bank does not show them, these images are a simulation).

Image 180: Service accessed. Image 181: Service accessed without button.

TITLE: OTP

You receive this notification when requesting a one-time password because a second authentication factor has been established for that service or operation. The notification provides the one-time password.

It may be the case that the service provider customizes both the message and the one-time password.

In any case you can ask again for the password by tapping on the “Forgot my password” button (see Image 69).

Image 182: OTP. Image 183: Custom OTP.





TITLE: Modified Latch

You receive this notification when the service provider has modified the status of your latches (this can refer to the whole service or to single operations).

Any changes made by the service provider are highlighted in a bright orange color.

The notification can show the e-mail and telephone that the service provider established to contact them, (by default, Nevele Bank does not show them, these images are a simulation).

Image 184: Latch modified in the Bank Nevele service.

Image 185: Latch modified in the login operation.

TITLE: Disabled Service

You receive this notification when Latch is disabled in a service and therefore can no longer provide its protection, neither to the service nor to its operations.

You receive this notification in two different but related events. In both cases, the email and the telephone established by the service provider to contact them are displayed. In either case, you must contact the service provider and indicate them the code displayed in the notification.

The 2 cases are:

1. You had already paired the service and you receive the notification. In this case, you should indicate the code #0002 to the service provider.

2. You pair to a service and receive a notification. In this case, you should indicate the code #0001 to the service provider.

In both cases, the notification includes the “Update service list” button that redirects you to the main view in which the service will be displayed with a blur until it is restored.


Image 186: Already paired disabled service

Image 187: Disabled service without button.

Image 188: Service disabled when

pairing. Image 189: Service disabled when

pairing without button.





TITLE: Service restored

You receive this notification when a service that was previously disabled is restored, and therefore Latch can protect the service as usual.

It includes the “Update service list” button that redirects you to the main view in which the service will be displayed without the blurry effect.


Image 190: Service restored. Image 191: Service restored without button.

TITLE: Service Unpaired

You receive this notification when you unpair your service from Latch and thus you accept the loss of the additional protection provided by Latch.

It includes the “Update service list” button that redirects you to the main view in which the service is no longer displayed.


Image 192: Unpaired service. Image 193: Paired service without button.

TITLE: New Session

You receive this notification when accessing to your Latch account on another device. It is especially useful to find out if an intruder knows the access credentials to your Latch account.

The notification shows the operating system and type of the device that has logged on.

You can log off on the devices you want from the session management section.

Image 194: New session on another device.





TITLE: New service

Similar to the pairing notification. This notification is received when a TOTP Cloud is included in Latch.

The notification shows the name of the service that has been added and a description about the operation of the TOTP.

It includes a button to go to the main view.

Image 195: New TOTP service.




9 INDEX OF IMAGES Image 01: Access the Play Store. .................................................................................................................... 5

Image 02: Search for Latch. ............................................................................................................................ 5

Image 03: Install Latch. ................................................................................................................................... 5

Image 04: Accept permissions. ....................................................................................................................... 6

Image 05: Open Latch following installation. ................................................................................................. 6

Image 06: Latch icon. ...................................................................................................................................... 6

Image 07: Latch start screen. .......................................................................................................................... 6

Image 08: Latch Tutorial. ................................................................................................................................ 6

Image 09: Access registration. ........................................................................................................................ 6

Image 10: Screens where the user should enter their email address and the password for their Latch account. .......................................................................................................................................................... 7

Image 11: Email sent to the user with the link for activating their Latch account. ........................................ 7

Image 12: Screen where the user should enter their email and password after creating their Latch account. .......................................................................................................................................................... 8

Image 13: Latch start screen without any digital account paired. .................................................................. 8

Image 14: Nevele Bank Home screen. The arrow shows the location of the registration link. ...................... 9

Image 15: Creation of a new digital account at Nevele Bank, by an imaginary user. ..................................... 9

Image 16: Accessing the Latch service, from Nevele Bank. ..........................................................................10

Image 17: Accessing the digital account at Nevele Bank. .............................................................................10

Image 18: Appearance of the digital account when the user accesses it. ....................................................11

Image 19: Accessing the Latch service, from Nevele Bank. ..........................................................................12

Image 20: Accessing the page for entering the token generated by Latch. .................................................12

Image 21: Start screen, from which a Latch account can be added .............................................................13

Image 22: Screen where the pairing code is generated. ..............................................................................13

Image 23: Generated pairing code. ..............................................................................................................13

Image 24: Nevele Bank web page where the pairing code generated by Latch should be entered. ...........14

Image 25: Nevele Bank Page that shows the error message, if the user has entered an incorrect pairing code. .............................................................................................................................................................14

Image 26: Message displaying the digital account that was paired. ............................................................14

Image 27: The Nevele Bank webpage showing that the digital account has been correctly paired. ...........14

Image 28: Nevele Bank as the only paired service. ......................................................................................15

Image 29: Nevele Bank with other paired services. .....................................................................................15

Image 30: Operations available on the digital account. ...............................................................................15

Image 31: An unlocked Nevele Bank digital account. ...................................................................................16

Image 32: A locked Nevele Bank digital account. .........................................................................................16

Image 33: Locking Nevele Bank with Latch. ..................................................................................................17




Image 34: Attempting to access a digital account at Nevele Bank. ..............................................................17

Image 35: Notification of the Nevele Bank unauthorized access attempt. ..................................................17

Image 36: Message stating that the Nevele Bank digital account cannot be accessed. ..............................17

Image 37: Unlocking Nevele Bank by the user with Latch. ...........................................................................18

Image 38: Appearance of the Nevele Bank digital account when it is correctly accessed by the user "Antonio García Cepeda”. .............................................................................................................................18

Image 39: Accessing available operations at Nevele Bank. ..........................................................................19

Image 40: List of operations on the Nevele Bank digital account. ...............................................................19

Image 41: Operations included under the “Transfers” operation. ...............................................................19

Image 42: Locking local transfers at Nevele Bank. .......................................................................................19

Image 43: Access to local transfers by the user on the Nevele Bank webpage. ...........................................19

Image 44: Start the transfer supposedly locked by Latch. ............................................................................20

Image 45: Access attempt of the “LocalTransfer” operation. ......................................................................20

Image 46: Indication from Nevele Bank that it is not possible to perform the indicated operation, since it has been locked by Latch. .............................................................................................................................20

Image 47: Unlock the operation from the notification. ................................................................................21

Image 48: Unlock the operation from the name of the operation. ..............................................................21

Image 49: Unlock the operation from its detail view. ..................................................................................21

Image 50: Transfer performed correctly after unlocking it from Latch. .......................................................21

Image 51: Access other options for “LocalTransfer”. ...................................................................................22

Image 52: Detailed view of the options available for “LocalTransfer”. ........................................................22

Image 53: Locked status from 12:00 to 00:00. Current status: locked. ........................................................23

Image 54: Locked status from 19:00 to 07:00. Current status: unlocked. ....................................................23

Image 55: Clock icon on the operation with the "Scheduled lock". .............................................................23

Image 56: Locking the operation from 12:00 to 00:00. ................................................................................23

Image 57: Locked transfer because it was attempted during an unauthorized time. ..................................23

Image 58: Locking the operation from 00:00 to 12:00. ................................................................................24

Image 59: Transfer performed during a schedule allowed by Latch. ...........................................................24

Image 60: Access the operation details view for “InternationalTransfer”. ..................................................24

Image 61: “One-time password” in “Off” status. .........................................................................................24

Image 62: “One-time password” in “On” status. ..........................................................................................24

Image 63: Start of the supposed transfer which will request the "One-time password". ...........................25

Image 64: Latch Notification. ........................................................................................................................25

Image 65: Password request from Nevele Bank. ..........................................................................................25

Image 66: Different notifications from those found on Latch. .....................................................................26

Image 67: Access the token from Latch, clicking on the button. ..................................................................26

Image 68: Token generated for the “One-time password”. .........................................................................26




Image 69: Entering the password received on the smartphone. .................................................................26

Image 70: Result of having correctly entered the token. .............................................................................27

Image 71: Result of having incorrectly entered the password. ....................................................................27

Image 72: Access to the Settings menu. .......................................................................................................28

Image 73: Setting up the "Autolock by time" time. ......................................................................................28

Image 74: Establishing "Autolock by time" in 5 minutes. .............................................................................28

Image 75: "Autolock by use" mandatory. .....................................................................................................29

Image 76: "Autolock by use" optional. .........................................................................................................29

Image 77: Autolocks deactived by the “Scheduled lock” option. .................................................................29

Image 78: Accessing the details of the "Transfers" operation. ....................................................................30

Image 79: Control to activate “Total lock”. ..................................................................................................30

Image 80: “Total lock” of all “Transfers” operations. ...................................................................................30

Image 81: Locking the unpairing of the Nevele account. .............................................................................31

Image 82: Attempted unpairing of the account. ..........................................................................................31

Image 83: Notification of attempted unpairing of the account....................................................................31

Image 84: Warning that the unpairing operation is locked. .........................................................................31

Image 85: Notification that the Nevele Bank account has been unpaired. ..................................................32

Image 86: Appearance of Latch after unpairing the Nevele Bank account, if other account is paired. .......32

Image 87: Appearance of Latch after unpairing the account, if no other account is paired. .......................32

Image 88: Notification that the service provider has in some way modified the account latches. .............33

Image 89: Actions performed by the service administrator are highlighted in orange. The orange mark indicates Nevele Bank includes an operation modified by the service administrator. ................................33

Image 90: Notification of service disabled in full operational mode ............................................................34

Image 91: Transparent tone and unlocking of the disabled service .............................................................34

Image 92: Notification that the service has been restored ..........................................................................34

Image 93: Changing the name of operation Transfers by "bank transfers" .................................................35

Image 94: Reordering operations. Moving Credit Cards to the first position. .............................................35

Image 95: Contextual options of the Nevele Bank service on Android. .......................................................36

Image 96: Contextual options of the Nevele Bank service on iOS. ...............................................................36

Image 97: Accessing the “Rename” option. .................................................................................................36

Image 98: Renaming the “Nevele Bank” service “Banco Nevele”. ...............................................................36

Image 99: Accessing the “Move to” option. .................................................................................................37

Image 100: Creating the “Banking institutions” group. ................................................................................37

Image 101: “My Nevele Bank” already included in the “Banking institutions” group, along with the “Cajamar Bank” service.................................................................................................................................37

Image 102: Accessing the “Silence” option. .................................................................................................37

Image 103: Icon for the “Silence” option. ....................................................................................................37




Image 104: Accessing the Log window of the InternationalTransfer operation from the context menu. ...38

Image 105: Log window buttons, event history between days 16/02/2016 and 16/03/2016, and Statistics button. ..........................................................................................................................................................38

Image 106: Events available that can be accessed via the flag-shaped button. ...........................................38

Image 107: View of the side menu. ..............................................................................................................39

Image 108: Access from the home page. ......................................................................................................39

Image 109: Access from paired accounts. ....................................................................................................39

Image 110: Access from operations on paired accounts. .............................................................................39

Image 111: Access from account details or operations. ...............................................................................39

Image 112: Access from the instances window. ...........................................................................................39

Image 113: Options available under the "Settings" section. ........................................................................40

Image 114: Unlocked "Login" operation. ......................................................................................................40

Image 115: Notification received by accessing Nevele Bank while the operation is unlocked. ...................40

Image 116: Option for Latch to always request your password. ..................................................................41

Image 117: Password request after selecting the "Always" option. ............................................................41

Image 118: Notification without a button. ...................................................................................................41

Image 119: "About Latch" screen. ................................................................................................................42

Image 120: Second "Tutorial" screen. ..........................................................................................................42

Image 121: "Help" screen. ............................................................................................................................42

Image 122: "Privacy and Terms" screen. ......................................................................................................42

Image 123: Access help on our website: https://latch.elevenpaths.com/. ..................................................42

Image 124: “Security adjustments” screen with options “Sessions Management” and “Change Password”. ......................................................................................................................................................................42

Image 125: Notification warning that your session has been started on another device. ...........................43

Image 126: Warning that sessions will be logged off in the other devices. .................................................43

Image 127: "Reset password" screen. ..........................................................................................................43

Image 128: Creating a custom “access environment” with the “Opera” browser. ......................................44

Image 129: Accessing the “Login” internal operations. ................................................................................45

Image 130: New access created. ..................................................................................................................45

Image 131: Locking access to Nevele from all sites except from the Opera browser on the computer on which you created the access. ......................................................................................................................45

Image 132: Message from Nevele after an attempted access with the Internet Explorer browser. ...........45

Image 133: Notification of attempted access via Internet Explorer. ............................................................45

Image 134: Access granted from Opera. ......................................................................................................46

Image 135: Successful access to Nevele Bank with Opera. ..........................................................................46

Image 136: Accessing the access environments created. .............................................................................46

Image 137: Table with created access environments and their characteristics. ..........................................46

Image 138: Creating a custom instance. .......................................................................................................47




Image 139: Created instance. .......................................................................................................................47

Image 140: Nevele Bank credit card. ............................................................................................................47

Image 141: Card locked. ...............................................................................................................................48

Image 142: Message with locked credit card. ..............................................................................................48

Image 143: Notification of locked card. ........................................................................................................48

Image 144: Created instances. ......................................................................................................................48

Image 145: Nevele Bank credit cards............................................................................................................48

Image 146: Enabling the two-step verification in Dropbox. .........................................................................49

Image 147: General explanation of the two-step verification. .....................................................................50

Image 148: User identity security verification. .............................................................................................50

Image 149: Choosing the mobile app (in our case, it will be Latch) as recipient of security codes. ............50

Image 150: Choosing the TOTP authentication configuration. .....................................................................51

Image 151: Adding a new service in Latch. ...................................................................................................51

Image 152: Specifying that the service to be added is a TOTP. ....................................................................51

Image 153: Choosing one of two forms of authentication. ..........................................................................51

Image 154: Enter key manually. ...................................................................................................................52

Image 155: Choosing a manual key entry. ....................................................................................................52

Image 156: Entering the key manually. ........................................................................................................52

Image 157: Display of the key in Dropbox. ...................................................................................................52

Image 158: Notification that the TOTP has been created. ...........................................................................53

Image 159: TOTP service added together with another service. ..................................................................53

Image 160: Dropbox TOTP code. ..................................................................................................................53

Image 161: Entering the TOTP to verify that the two-step verification has been configured correctly. .....53

Image 162: Invalid code because the device time was set manually. ..........................................................54

Image 163: Final confirmation of acceptance of the two-step verification..................................................54

Image 164: Accessing the camera on the mobile device. .............................................................................55

Image 165: QR code to be photographed. ...................................................................................................55

Image 166: Floating window to customize data. ..........................................................................................55

Image 167: Notification of TOTP created. ....................................................................................................55

Image 168: TOTP generated. ........................................................................................................................56

Image 169: Dropbox TOTP request. ..............................................................................................................56

Image 170: Correct access after entering the TOTP. ....................................................................................56

Image 171: Error message in Dropbox after entering an invalid TOTP. .......................................................56

Image 172: Disabling the two-step verification. ...........................................................................................57

Image 173: Accessing the deletion of the TOTP. ..........................................................................................58

Image 174: Pre-removal warning message. ..................................................................................................58

Image 175: Deletion of the TOTP completed. ..............................................................................................58




Image 176: New service. ...............................................................................................................................59

Image 177: New service without buttons. ....................................................................................................59

Image 178: Attempted access.......................................................................................................................59

Image 179: Attempted access without button. ............................................................................................59

Image 180: Service accessed.........................................................................................................................60

Image 181: Service accessed without button. ..............................................................................................60

Image 182: OTP. ............................................................................................................................................60

Image 183: Custom OTP. ..............................................................................................................................60

Image 184: Latch modified in the Bank Nevele service. ...............................................................................61

Image 185: Latch modified in the login operation. .......................................................................................61

Image 186: Already paired disabled service .................................................................................................61

Image 187: Disabled service without button. ...............................................................................................61

Image 188: Service disabled when pairing. ..................................................................................................61

Image 189: Service disabled when pairing without button. .........................................................................61

Image 190: Service restored. ........................................................................................................................62

Image 191: Service restored without button. ...............................................................................................62

Image 192: Unpaired service. .......................................................................................................................62

Image 193: Paired service without button. ..................................................................................................62

Image 194: New session on another device. ................................................................................................62

Image 195: New TOTP service. .....................................................................................................................63




10 RESOURCES For more information about how to use Latch and testing more free features, please refer to the user guide in Spanish and English:

1. Guía del usuario de Latch con Nevele Bank. 2. Latch user´s guide for Nevele Bank.

You can also access the following constantly expanded documentation:

Manuals in Spanish and English for integrating and using Latch with the available plugins, at the Latch website and via the ElevenPaths Slideshare channel.

Videos with subtitles in Spanish and English for integrating and using Latch with the available plugins on ElevenPaths' YouTube and Vimeo channels.

Manuals for integrating and using Latch in the organizations that have already implemented it (Movistar, Tuenti, UNIR, USAL, etc.), at the Latch website and via the ElevenPaths Slideshare channel.

Information about Latch API at the Latch website.

https://latch.elevenpaths.com/www/public/documents/howToUseLatchNevele_ES.pdf

https://latch.elevenpaths.com/www/public/documents/howToUseLatchNevele_EN.pdf

https://latch.elevenpaths.com/www/developers/resources

http://es.slideshare.net/elevenpaths

https://www.youtube.com/playlist?list=PLwRVFywsfVOClvH-W5jvgOuRu9WXHlBmf

http://vimeo.com/channels/830801

https://latch.elevenpaths.com/www/where.html

http://es.slideshare.net/elevenpaths

https://latch.elevenpaths.com/www/developers/doc_api




The information disclosed in this document is the property of Telefónica Digital España, S.L.U. (“TDE”) and/or any other entity within Telefónica Group and/or its licensors. TDE and/or any Telefonica Group entity or TDE’S licensors reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use and sales rights thereto, except to the extent said rights are expressly granted to others. The information in this document is subject to change at any time, without notice.

Neither the whole nor any part of the information contained herein may be copied, distributed, adapted or reproduced in any material form except with the prior written consent of TDE.

This document is intended only to assist the reader in the use of the product or service described in the document. In consideration of receipt of this document, the recipient agrees to use such information for its own use and not for other use.

TDE shall not be liable for any loss or damage arising out from the use of the any information in this document or any error or omission in such information or any incorrect use of the product or service. The use of the product or service described in this document are regulated in accordance with the terms and conditions accepted by the reader.

TDE and its trademarks (or any other trademarks owned by Telefonica Group) are registered service marks.

PUBLICATION:

November 2016

elevenpaths.com Blog.elevenpaths.com @ElevenPaths Facebook.com/ElevenPaths YouTube.com/ElevenPaths

At ElevenPaths we have our own way of thinking when we talk about security. Led by Chema Alonso, we are a team of experts who are passionate about their work, who are eager to redefine the industry and have great experience and knowledge about the security sector.

Security threats in technology evolve at an increasingly quicker and relentless pace. Thus, since June 2013, we have become a startup company within Telefónica aimed at working in an agile and dynamic way, transforming the concept of security and, consequently, staying a step ahead of our attackers.

Our head office is in Spain, but we can also be found in the UK, the USA, Brazil, Argentina and Colombia.

If you wish to know more about us, please contact us at:

manual of latch app. using with nevele bank

Technology

pairing latch

nevele bank digital

latch user account

latch app

manual of latch

pairing page

pairing code

inherited locking