Security Policies



MineralTree enforces strong password policies for all users.

Out-of-Band authentication is available to MineralTree users both during login and during payment release. To mitigate the risk of fraud, it is highly encouraged that companies utilize one or both of these features. Security settings are managed at the role level.

Password Policies

MineralTree passwords must meet the following criteria:

  • At least 8 characters
  • At least one lowercase letter
  • At least one uppercase letter
  • At least one number
  • At least one special character (~!@#$%^’&()_+|-=\’{}[]:”;<>?/)
  • No more than 2 repeating characters

Passwords expire every 90 days and cannot be reused for at least 180 days.

Password Resets

When users request a new password using the Forgot your password link, they are required to provide a valid email address and a phone number associated with the user record. To complete the request, users must complete two-factor authentication. A temporary password is then sent to the user’s email address.

User accounts are automatically locked after 10 unsuccessful login attempts. Users must contact account administrators or Customer Support to unlock their accounts and request a new password.

Out-of-Band Authentication

Delivery Mechanism

Two delivery methods of out-of-band authentication are supported:

  • SMS message
  • Voice calls

Service Provider

MineralTree has integrated with two service providers to provide out-of-band authentication. Twilio is the primary service provider, and Plivo is used as a backup provider.




Out-of-band settings for a company are managed in BankOps on the Security tab of the Company Details dialog. Companies elect to enable out-of-band authentication either at login or during payment release. Additionally, out-of-band authentication is required when users reset their passwords, and any time users with the Administrator role access the Customer Administrator Application.

Two Factor Authentication

The Two Factor Authentication section on the Security Tab determines whether out-of-band codes will be sent during user login. This setting is managed at the role level. For example, in Figure 1, users with the Approver role will be prompted to provide a security code during login, while users with the Accounting Manager role will not.

Figure 1

When enabled, before users are able to access the application, users are prompted to enter a security code after providing a username and password.

Figure 2

Two Factor Payment Verification

The Two Factor Payment Verification section of the Security Tab determines whether out-of-band codes are sent to users at the time of payment release.

Figure 3

When enabled, users are prompted to enter a security code after approving payments. This setting is managed at the role level. Payments are only submitted for processing once this code has been provided.

Figure 4

Delivery Preferences

Users can elect to receive out-of-band security codes either via SMS message or voice call. This setting is managed in BankOps on the User Details dialog.

One primary phone number must be provided for each MineralTree user. Up to two additional phone numbers can be defined, and the two factor delivery preference of either SMS or voice can be defined for each number.

Figure 5

When out-of-band authentication is triggered, the primary phone number is used. Users have the ability to select an alternate number for delivery from the list of enrolled numbers.

Figure 6


Figure 7

0 out of 0 found this helpful



Please sign in to leave a comment.