Consumer MFA Implementation Attestation

Application: WTD (Personal/Family Edition)

This document serves as a formal attestation that Multi-Factor Authentication (MFA) is strictly enforced for all users of the WTD application, particularly within the workflow where the Plaid Link interface is deployed.

MFA Requirement: 100% of active user accounts must have an MFA factor enabled to access application features or initiate financial data synchronization.

1. Scope of Implementation

In accordance with security best practices for financial data integrators, WTD has implemented MFA at the application layer. No user—including family members and administrators—can access the dashboard or trigger a Plaid Link session without successful second-factor verification.

2. Supported MFA Factors

WTD supports and enforces the following secondary authentication factors for all consumers:

3. Plaid Link Security Workflow

The Plaid Link module is gated behind the primary authenticated session. The workflow is as follows:

  1. User provides primary credentials (Username/Password).
  2. MFA Challenge: Application requests TOTP or Hardware Key verification.
  3. Upon successful MFA, the user session is established.
  4. Only then is the Plaid Link integration accessible for account connection or data refresh.
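The four-step gate above, as an added example that is not WTD's own code: a minimal server-side session state machine in which the Plaid Link entry point refuses any session that has not completed the MFA challenge. It shows only the TOTP factor (RFC 6238); the names `Session`, `verify_mfa`, `open_plaid_link` and the `MAX_FAILURES` lockout threshold are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct, time

MAX_FAILURES = 5  # assumed lockout threshold, not a value from the attestation

class MfaRequired(Exception):
    """Raised when a gated feature is requested before step 3 has completed."""

class Session:
    def __init__(self, user):
        self.user = user
        self.state = "PASSWORD_OK"  # step 1 passed, MFA challenge still pending
        self.failures = 0

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation per RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_mfa(session, secret_b32, code, now=None):
    """Step 2: check the code; step 3: establish the session on success."""
    now = time.time() if now is None else now
    if session.state != "PASSWORD_OK" or session.failures >= MAX_FAILURES:
        return False  # wrong state or locked out; even a correct code is refused
    # Accept the previous, current and next 30 s step to tolerate clock drift.
    candidates = [totp(secret_b32, now + drift * 30) for drift in (-1, 0, 1)]
    if any(hmac.compare_digest(c.encode(), str(code).encode()) for c in candidates):
        session.state = "ESTABLISHED"
        return True
    session.failures += 1
    return False

def open_plaid_link(session):
    """Step 4: the only path to Plaid Link; refuses password-only sessions."""
    if session.state != "ESTABLISHED":
        raise MfaRequired(f"MFA not completed for {session.user}")
    # Placeholder: a real server would now start the Plaid Link flow for this user.
    return {"user": session.user, "plaid_link": "allowed"}
```

The check lives in `open_plaid_link` itself, so the gate holds even if a client skips the MFA screen and calls the endpoint directly.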

4. Ongoing Enforcement

MFA is not optional for WTD users. Password-only authentication is disabled at the system level for all "Consumer-facing" interfaces to prevent unauthorized access to linked financial institutions.