Two-Factor Authentication

Introduction

• Authentication system ‘CQG OTP’ is available to FCM partners for use with Traders and CAST Users

• Soft token OTP-based 2-factor authentication

• Works with any authenticator app that implements standard TOTP, e.g., Google Authenticator, Microsoft Authenticator, FreeOTP

• User self-registers their authenticator app via ‘My CQG’ portal

• End-to-end encryption

• Encrypts passwords at client

• Private keys stored in HSM at server side

• Works within existing authentication system framework

• FCMs select authentication system on per-Trader and per-CAST User basis

New Trader Workflow

New Trader Workflow via CAST

The FCM creates a new trader (via CAST) and selects CQG OTP for Trader Authentication.

Then, set the initial password.

•      System-generated email directly to the client requires a valid email address in CAST.

•      FCMs may continue to use their existing manual process for providing username and initial password to the client.

•      Inform the client about 2FA and one-time registration of authenticator app.

New Trader Workflow Via Client

Clients who attempt to log in without registering of authenticator app will be prompted:

Trading Login Workflow (Client)

•      All CQG client applications support OTP and will prompt as necessary at login.

•      CQG APIs (FIX Connect and WebAPI) also support OTP. Developers supply OTP with login request.

Trader Admin via CAST

Traders using CQG OTP authentication have additional info visible in the Trader Info Page near existing password-related fields.

Traders without an authenticator app registered are flagged:

Successful registration is reported via CAST Event Notifications.

Traders with an authenticator app registered cannot repeat the My CQG workflow to register a different authenticator app until the FCM performs one of these admin steps:

CAST User Setup

New CAST User Workflow

New CAST User Workflow (Newly Created User)

User logs on to CAST and is prompted for One-time password.

CAST User Admin (FCM using CAST)

CAST Users using CQG OTP authentication have additional info visible in the CAST

User Info page, near existing password-related fields.

CAST Users without an authenticator app registered are flagged:

Successful registration is reported via CAST Event Notifications.

CAST User with an authenticator app registered cannot repeat the My CQG workflow to register a different authenticator app until FCM performs one of these admin steps:

FCM Desk will enable ‘Show setup link’ button for FCMs that want to copy/paste a

setup link from CAST rather than use system-generated emails.

The validity period of setup links, whether obtained via copy/paste or systemgenerated emails, is configurable by FCM Desk.

These parameters are applicable to both Traders and CAST Users.