Staff Report #2
March 17, 2026
To All Members of the Accessible Public Transit Service Advisory Committee
Re: Customer Portal Access Controls
Recommendation
That the report be RECEIVED for information
Background
In September 2025, the Commission received a delegation from one customer of the specialized service which included a specific request for enhanced security for the login process for the customer portal. The Commission directed Administration to assess the requirements for enhanced security and identify any issues that may be associated with implementation of same.
At the November 2025 APTSAC meeting, the Committee received a report relating to the access controls for the customer portal; a feature of the new scheduling software. At the meeting, the Committee asked that a report come back with additional information. The following provides a recap of the initial report with additional information added where applicable.
In an effort to gain greater insight into customer’s level of satisfaction with the new software, and more specifically the customer portal, several questions were included on the 2025 Voice of the Customer survey relating to this topic. The following provides an overview of the survey results relating to the customer portal.
Voice of the Customer Satisfaction Levels
| 2023 | 2024 | 2025 | |
| Ease of Booking | 57% | 66% | 88% |
| Booking Agent Helpfulness | 91% | 93% | 97% |
- 92% of respondents who indicated they were utilizing the customer portal indicated they were satisfied with their experience;
- The features of the customer portal that were identified as the most liked were:
- 74% – the ability to make booking requests online
- 53% – the ability to manage trips without calling a booking agent
- 29% – the trip notification feature
- When asked if there were additional features that could be considered in the future, respondents indicated real time tracking of vehicles and booking confirmations (noting that booking confirmations are now provided as part of the trip notification process).
In summary, customer feedback with respect to the new system, including the customer portal has been positive, and where issues have arisen, Administration has worked with the vendor to address same. It should be noted that the software agreement with the vendor requires that issues brought to the attention of the vendor be reviewed and responses be provided as to how and when the issue will be addressed. Depending on the nature of the issue, it may be addressed in the short term, or it may require a change to the underlying software, which will not be provided until such time as the vendor includes it in the next update. Issues that arise that impact the functionality of the system as it is intended to operate are considered priority, where issues that are the result of a request for a new feature or amended process are considered a lower priority and would potentially be included in a future software update noting inclusion of new functionality would be at the discretion of the vendor (e.g. real time vehicle tracking).
The information included in the customer portal database includes the customer name, home address, and phone number as well as trip history and future trips (up to two weeks if a customer has subscription trips and three days for customers with no subscription trips). While customers may not want this information shared publicly, this information is not considered confidential noting there is no personally identifiable information (e.g. social insurance number, banking information, medical information) included in the customer portal. The portal does allow a customer to enter their date of birth when they set up their profile, however this field is not mandatory and is not utilized for the booking process.
When customers first sign up for the portal, they are provided with a four-digit password to be used for their initial access. Customers can change their password as frequently as they wish, noting the password can be up to 20 characters in length, and can include both upper and lowercase letters, numbers and symbols (the minimum length of password is four characters). While the information stored in the customer portal database is not considered confidential, customers that are concerned about access have the ability to change their password as frequently as they wish.
The current software in use includes an additional level of security for access to the customer portal, which requires multi-factor authentication (MFA). This essentially adds one more step to the login process each time a customer logs into the portal. Multi-factor authentication is often utilized on accounts that include personal information that could potentially be the target of hackers (sites which include banking information, or other personal identification information). Administration has confirmed that should this additional security measure be activated it will be in place for all users (there is no way to have this feature activated for select users).
Should this be enabled, each customer would have to ensure that their profile is updated to include a method for the system to enact this additional step (email or SMS). Once this step is complete, when a customer enters their unique user id and password, they will receive a second authorization code (via the method they have chosen), which will also have to be entered to access the portal.
Given concerns relating to the additional steps associated with implementing multi-factor authentication resulting in accessibility issues for some customers, Administration reached out to specialized service providers across the country, and responses indicated that the overwhelming majority of service provides have not introduced MFA, with most citing the concern that it would introduce an unnecessary barrier to the users of the system coupled with the fact that the data is not considered confidential.
Administration is seeking feedback from members of APTSAC who are currently utilizing the customer portal with respect to any potential issues and implications associated with implementing MFA. Feedback from the Committee will be included in the report back to the Commission.
Recommended by:
Brandon Goldstone, Manager of Service Integration
Shawn Wilson, Director of Operations
Concurred in by:
Kelly S. Paleczny, General Manager