Overview
The Security Fence and Multi-Factor Authentication (MFA) form the core of Graphite Connect’s data protection layer. While the Security Waterfall verifies that data is correct, this infrastructure ensures that the data is protected and only accessed by authorized individuals.
- Multi-Factor Authentication (MFA): The primary mechanism used to isolate and mask sensitive data. It requires providing a passcode to confirm the possession of a trusted device before data can be revealed or modified.
- The Security Fence: Refers to high-risk data points that are "fenced off." Any change to data within the Security Fence automatically triggers the Security Waterfall to ensure immediate re-verification and protection of the new information.
Multi-Factor Authentication (MFA): Isolation & Masking
MFA is designed to prevent "data scraping" and accidental exposure of sensitive information by isolating it behind a verification layer.
Data Masking
By default, any data point protected by MFA is masked in the Graphite UI. Users will see a series of asterisks (e.g., **** 5678) rather than the full value. This applies to:
- Bank Account Numbers (DAN/IBAN)
- Tax Identification Numbers (EIN/SSN/VAT)
- Uploaded sensitive documents (Voided checks, Bank letters, Tax forms)
Click-to-Unmask Workflow
To view protected data, an authorized user must click the "unmask" icon (the eye icon). This action triggers an immediate MFA challenge, requiring a passcode from a trusted device. The data remains visible only for the duration of the active session or until the user navigates away.
The Security Fence: Triggering the Waterfall
The Security Fence serves as an automated monitoring perimeter enclosing high-sensitivity data fields in a supplier's profile. Because this data is critical to payment integrity, it cannot be changed without re-validation.
"Fenced" Data Points
The Security Fence surrounds data that, if fraudulent, poses the highest risk to the customer:
- Bank Account Holder Name (Beneficiary)
- Bank Account Numbers (DAN/IBAN)
- Bank Documents
Modification Protocol
When a user modifies data within the Security Fence:
- MFA Requirement: The user must first confirm their identity via MFA to make the edit.
- Waterfall Initiation: The moment the change is saved, the system automatically initiates the Security Waterfall (e.g., Network Protection, Beneficiary Checks, or IDV) to verify the new data.
- Status Reset: The account status may revert to "Pending" or "Under Review" until the waterfall checks are successfully completed.
Learn more about Graphite’s Security Waterfall by viewing our Graphite Security, Verification, and Validations article
Supported MFA Methods
Graphite prioritizes high-assurance verification methods to ensure that even if a user's password is stolen, the sensitive data remains secure.
| Method | Status | Description |
| Authenticator Apps | Recommended | TOTP apps like Duo, Google Authenticator, or Microsoft Authenticator. |
| SMS (Text Message) | Supported | A 6-digit code sent via text to a verified mobile device. |
| Email 2FA | Deprecated | No longer supported. Email is considered insecure due to high compromise rates. |
Protected Data and Actions
MFA is triggered whenever a user attempts to interact with data classified as "Sensitive" by Graphite or the Customer.
Sensitive Data Categories:
- Banking Details: Full account numbers and bank-issued verification documents.
- Tax Information: Full Tax IDs and signed IRS/International tax forms.
- Identity Records: Government ID scans and biometric "liveness" results.
Protected Actions:
- Unmasking sensitive data for viewing.
- Modifying or adding new banking information.
-
Managing user permissions or Admin settings.
Policy and Enforcement
This infrastructure is a mandatory part of the Graphite network and cannot be bypassed.
For Suppliers:
- Mandatory Enrollment: Suppliers with access to sensitive data must set up MFA during onboarding.
- Identity Verification (IDV) Link: While a customer can turn off IDV (Government ID checks), they cannot turn off MFA for suppliers.
For Customer Users:
- Role-Based Access: Users in sensitive, permission-based roles are required to use MFA, while those in roles without sensitive data access are not required to complete MFA during standard login.
- SSO Integration: Single Sign-On (SSO) provides secure access to the platform, but it is not a substitute for MFA. Even with SSO, users must complete an MFA challenge to access or modify fenced data.
Troubleshooting and Support
- Lost Devices: Users who lose their MFA device must undergo identity re-verification with Graphite Support before a reset is granted.
- Restricted Access: If a user repeatedly fails MFA challenges, their account is temporarily locked to prevent brute-force attacks.