
2FA customer communication

Utilizing 2FA for Banno

It is important that your team is aware that 2FA will be your biggest call driver at go-live. Users who are familiar with modern apps are typically comfortable with 2FA, but less experienced users may struggle. To assist users as well as possible, we suggest that your customer/member care team be fully trained on Banno 2FA, use it themselves, and have the information on this page at hand.

When setting up 2FA, ensure your users choose a phone number that is accessible when they sign in for the first time. We recommend using a mobile device, but there’s also the option of selecting a landline and receiving a call. If the user sets up a new phone number or enters an incorrect number, admins can reset 2FA for the user within the permissions section of the Banno portal.

User doesn’t receive a code

If a care team receives a report of the user not receiving a code, it could be one of the following:

  • The main issue we see is that the user requests the code via SMS but has entered a landline number. If they report not receiving the code via SMS, and you’ve verified they’re not entering a landline number, instruct them to try another way and receive it via phone call.
  • If the user has tried both methods and still hasn’t received the code, reset their 2FA and have them verify that they entered the correct phone number.
  • If the phone number and method are correct, validate that the user isn’t using a phone on a prepaid plan. Oftentimes the balance runs out and they no longer receive SMS until they top up the account.
  • The user has reached their maximum number of attempts. See the FAQ for more detail.
  • If all of the above has been validated, the issue is likely with the carrier.

User views invalid code

There are many reasons why users might see invalid codes (or token errors). Below is a list of common causes:

  • The most obvious reasons are typos (when retyping token codes) and expired tokens.
  • The device’s time isn’t synchronized with the server’s time. This often occurs when users travel. To fix the issue, the user needs to ensure the device’s time is set correctly.
  • The account was reset.
  • For the Authy app: if a user resets the account within Authy, all Authy tokens produce invalid OTPs, and the user needs to reinstall the Authy app to fix the issue.
  • The user removed their device. If a user removes a device, all Authy-powered tokens from the removed device generate invalid OTPs. To fix this, the user reinstalls the Authy app.

These reasons might not be the source of your reported users’ problems, but the list is a helpful reference.

In general, if the issue occurs inconsistently, we determine it’s a user error. However, if you see certain users experiencing the issue more often, please direct them to Authy and include their phone numbers, emails and/or Authy IDs. Authy is happy to investigate issues further.

FAQ

Do we accept other country codes besides the U.S.?
Yes, we do, although core doesn’t support international numbers. Therefore, 2FA validation against core shouldn’t be enabled for institutions that have a lot of international users. The user should validate with a U.S. number and then use the Authy app to change to an international one.
After a user receives an Authy code, how long is the code valid?
2FA tokens are generally valid for three to six minutes, which allows for time synchronization issues and clock drift. Tokens obtained using the app have a longer validity window for this reason, while SMS and voice codes are valid for exactly three minutes.
The user stops receiving SMS text after downloading Authy. How do they “disable” it so they receive texts?
If a user has ever installed the Authy app and registered it with the same phone number they enrolled in 2FA at Banno, no SMS is sent unless the user selects “Try Another Way” and then selects the SMS option. If the user wants to permanently stop using the Authy app and receive SMS codes again, the user completes this form and uninstalls Authy. They may also need their 2FA enrollment with Banno reset in order to register again.
What happens if the user uninstalls Authy?
Nothing will happen. Authy remembers phone numbers, although the user may need their 2FA enrollment with Banno reset so they can register again.
Can the user receive the code via email?
No, they can’t receive the code via email. According to NIST guidelines, which the FFIEC references regarding cybersecurity, email shouldn’t be used for out-of-band authentication.
What’s considered a high-risk action?
High-risk actions include the following:
  • Adding a bill payee
  • Adding an external transfer account
  • Changing the password
For high-risk actions, why is a password required instead of receiving a 2FA code?
2FA is only used to log into the app. Re-entering the password provides an additional security mechanism. It helps ensure that it is the authorized user operating the app and prevents an unauthorized user from hijacking the account.

Once logged into the app, requiring password entry stops, for example, another individual who steals the user’s phone from creating a payee. If a 2FA code were used instead, the code would be delivered to the very phone the unauthorized user is holding, and they could create the new payee.

How can an institution investigate fraudulent activity with 2FA in play?
Examine the activity events in Banno People and find the events that initiated the fraud; there’s quite a bit of data to review. Look at the IP addresses and device information to compile a profile of the fraudulent user.

In most cases, the issue is one of the two following causes:

  • The authorized user gives away their 2FA code to someone else.
  • An unauthorized user gains direct access to the phone or device which generates the 2FA code and obtains it inappropriately.

We recommend the FI find the exact activity events that initiated the fraud and discuss them with the user, confirming whether either of the above cases applies. If neither of the two causes occurred, we can help look into it further if needed. We’ve experienced occasions when users told us they didn’t give away the code, but we later learned they did. However, it’s almost always one of the two causes above.

There are also fraud reporting features in Banno Reports:

  • Fraud report - potentially compromised users
    • This report indicates users whose password a credential-stuffing attacker may have correctly guessed. 2FA is still in effect, but the account may warrant specific attention.
  • Fraud report - new users with unverified 2FA enrollment
    • These are users who enrolled in 2FA with a phone number that is not on their core record. This report allows an FI to keep core validation turned off but still manage the risk by reviewing these users manually.
What if the user has too many invalid attempts?
  • If the user submits five wrong tokens within a minute, an error with the message “User has been suspended” is returned. The user can retry after five minutes.
  • If the user submits 20 wrong tokens within a day, an error with the message “User has been suspended” is returned. The user can retry after 24 hours.
  • After a suspended user reaches their retry time (five minutes or 24 hours), successfully verifying a token removes the suspension.
  • Removing a user from the application and adding them again doesn’t remove the suspension.
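The suspension rules in this answer, modelled as a small Python policy so a care team can see how the two windows interact. This is an added illustration, not Banno or Authy code; the phone number is constructed, and the choice that a successful verification lifts the suspension without erasing the day’s failure history is an assumption.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set

MINUTE, DAY = 60, 24 * 60 * 60
SUSPENDED = "User has been suspended"


@dataclass
class LockoutState:
    """Per-user record of wrong-token timestamps (epoch seconds) and any active suspension."""
    failures: Deque[float] = field(default_factory=deque)
    suspended_until: Optional[float] = None

    def verify(self, now: float, token_ok: bool) -> str:
        """Process one attempt at time `now`; returns 'ok', 'invalid' or SUSPENDED."""
        if self.suspended_until is not None and now < self.suspended_until:
            return SUSPENDED  # inside the 5-minute / 24-hour retry time even a correct token is refused
        if token_ok:
            self.suspended_until = None  # success after the retry time lifts the suspension
            return "ok"                  # (assumption: the day's failure history is kept)
        self.failures.append(now)
        while self.failures and now - self.failures[0] >= DAY:  # only the last day counts
            self.failures.popleft()
        if len(self.failures) >= 20:  # 20 wrong tokens in a day -> retry after 24 hours
            self.suspended_until = now + DAY
            return SUSPENDED
        if sum(1 for t in self.failures if now - t < MINUTE) >= 5:  # 5 in a minute -> 5 minutes
            self.suspended_until = now + 5 * MINUTE
            return SUSPENDED
        return "invalid"


class LockoutRegistry:
    """Lockout state keyed by phone number; it outlives removing and re-adding the user."""
    def __init__(self) -> None:
        self.enrolled: Set[str] = set()
        self.states: Dict[str, LockoutState] = {}

    def add_user(self, phone: str) -> None:
        self.enrolled.add(phone)
        self.states.setdefault(phone, LockoutState())  # an existing suspension is kept

    def remove_user(self, phone: str) -> None:
        self.enrolled.discard(phone)  # deliberately does not touch self.states

    def verify(self, phone: str, now: float, token_ok: bool) -> str:
        return self.states[phone].verify(now, token_ok)
```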
A user enters their landline as their phone number. When prompted, will the Banno 2FA system know it’s a landline and automatically use the automated voice call to send the verification code? OR will the Banno 2FA system try texting the landline, resulting in a failed process?
If the user enters a landline phone number but opts to receive an SMS code, they won’t receive the code. The system cannot recognize whether the number is a landline or not.
With core validation enabled on 2FA, which phone number do we validate against for CM users?
This validates against the NTID CIF for the business. We generally don’t recommend this, as it means all codes are sent to that one person, which is unmanageable. Upcoming Banno Business functionality will open up more options for core validation.

Additionally, we don’t recommend core validation specifically for CM user validation or for retail. We’ve seen more issues caused by it than additional risk it protects against. Many institutions see an influx of issues because their core data isn’t current or correct, so they opt to disable it.

A bank says there’s a long delay in getting the code via the automated voice call. Users think they didn’t receive it, but they didn’t wait long enough. Is that an issue you’re aware of?
When we experience this, it’s almost always a carrier issue and unfortunately outside our control.
A user logged in on their phone for the first time and successfully completed the 2FA process. They go home and log in on their laptop/desktop computer. Because they’re logging on a different device, will they go through the 2FA process again? OR will they log in using the new four digit PIN they already established on their phone?
The first time a user logs in on each device, they’re prompted for 2FA. A user is unable to enter their four-digit PIN into online banking and must use their username and password plus 2FA. A remember feature prevents the 2FA code from being required on each online login from the same device.
A user already logged in and completed the 2FA process on their phone and laptop. Using their login credentials, the user then logs in from their partner’s phone. Because it’s a new device, will the user go through 2FA again? Will it remember the three devices, so the user won’t run into that again as long as they log in from one of those devices?
The first time a user logs in on each device, they’re prompted for 2FA. A remember feature prevents the 2FA code from being required on each online login from the same device.
A user uses their fingerprint or facial recognition to log in, and they forget their ID and password. When they first used the app, did they have to first complete the 2FA process in order to use biometrics? If so, where does Support reset and/or unlock the user’s Netteller ID?
Before they set up biometrics, they authenticate for the first time with their credentials. You reset/unlock users the same way you do today with NT, because we’re using NT under the hood (NT BackOffice).
If a locked account doesn’t exist in Banno People, where is the account unlocked?
The account should be reset/unlocked via NetTeller BackOffice.