Staff Report #4
November 11, 2025
To All Members of the Accessible Public Transit Service Advisory Committee
Re: Customer Portal Access Controls
Recommendation
That the report be RECEIVED for information
Background
During and subsequent to the implementation of the new scheduling software for the specialized service, administration received feedback from customers with respect to issues they encountered while using the software, as well as recommendations for improvement. The vendor has worked with administration to respond to issues, and implement fixes where possible, and this will continue to be the case going forward.
In September, the Commission received a delegation from a customer of the specialized service which included a specific request for enhanced security for the login process for the customer portal. The Commission directed administration to assess the requirements for enhanced security and identify any issues that may be associated with implementation of same.
The system is currently configured to allow customers to change their password for access to the customer portal as frequently as they wish, noting the password can be up to 20 characters and can include both upper and lowercase letters, numbers and symbols (the minimum length of password is four characters). Customers now access the portal by entering their unique user id and their password.
The next level of enhancement that can be implemented is a multi-factor authentication, which essentially adds one more step to the login process each time a customer logs into the portal. Multi-factor authentication is often utilized on accounts that include personal information that could potentially be the target of hackers (sites which include banking information, or other personal identification information). Should this be enabled, each customer would have to ensure that their profile is updated to include a method for the system to enact this additional step (email or SMS). Once this step is complete, when a customer enters their unique user id and password, they will receive a second authorization code (via the method they have chosen), which will also have to be entered to access the portal. Administration has confirmed that should this additional security measure be activated it will be in place for all users (there is no way to have this feature activated for select users).
Administration is seeking feedback from members of APTSAC who are currently utilizing the customer portal with respect to whether they believe the current security measures in place are adequate as well as any potential issues and implications associated with implementing this feature. Feedback from the Committee will be included in the report back to the Commission.
Recommended by:
Brandon Goldstone, Manager of Service
Shawn Wilson, Integration Director of Operations
Concurred in by:
Kelly S. Paleczny, General Manager