← Authentication & security
View our How-to guide

Two-factor authentication

Fintech is great—end users love and expect it. But it has blown the doors of opportunity open for cyber criminals. Just because someone knows a valid username and password doesn’t mean they are who they say they are. According to Verizon’s 2018 Data Breach Investigations Report, guessed or stolen credentials was the top tactic for data breaches.

To mitigate the threat of guessed or stolen credentials, Banno requires two-factor authentication (2FA) for two scenarios:

  1. It’s the end user’s first time interfacing with your app.
  2. A new device is being used to access bank accounts.

Setting up 2FA

To get started on the Banno platform, new users log in, and mobile users will choose a PIN for quick account access in the future. This login process establishes their first authentication factor: something they know (their credentials) or something they are (like a fingerprint).

Wondering how new users get their credentials?

  1. Create a new account using their personal identifiable information;
  2. Carry over their username and password associated with your current online banking solution;
  3. Receive a username and temporary password issued by you, the FI.

Then, they will designate their second authentication factor: something they have (like a phone).

First time setup for end users without 2FA

When an end user attempts to use the app without 2FA configured while your institution has 2FA enabled, an additional layer of security is required before choosing and configuring a 2FA method.

After entering their username and password, the end user is sent an email containing a verification that must be entered into the app before they can continue with 2FA configuration. After the verification code is confirmed, the end user can continue to the 2FA method configuration outlined below. They are then required to verify their configured 2FA method before accessing their account.

2FA methods

There are plenty of ways an end user can prove who they are, and secure new methods are being developed all the time. To ensure there are as few barriers as possible to utilizing the security of 2FA, Banno maintains a growing list of 2FA authentication options. No matter what kind of person the end user is, we make sure they can enroll in 2FA.

Banno apps offer the following methods of 2FA authentication for end users.

Voice or text message

The end user provides a phone number to validate with, selecting to receive authentication codes via text message or automated phone call. When performing an action that requires 2FA authentication, the end user receives a text message or phone call containing a code to enter into their Banno app.

Your institution can decide whether or not to validate the provided phone number against your core records. If this is enabled, the end user must enter a phone number you have on file for that user. End users without a correct phone number will be unable to successfully enroll.


Banno natively supports the Authy authenticator app. The end user provides an email address and phone number associated with account. When performing an action that requires 2FA authentication, the end user can copy their authentication code directly from the Authy app.

Your institution can decide whether or not to validate the provided phone number against your core records. If this is enabled, the end user must enter a phone number you have on file for that user. Users without a correct phone number will not be able to successfully enroll. After a user enrolls, they can change the phone number inside the Authy authenticator app to a different number.

Authenticator app

Banno supports non-Authy authenticator apps for end users who cannot access Authy, or who simply prefer another authenticator app. The Banno app provides a text code, as well as a QR code for desktop users, to enter into their chosen authenticator app. The end user can then use their chosen app according to its documentation.

If your institution decides to validate 2fa phone numbers against core records, authenticator apps will bypass that restriction. Enabling authenticator apps is not recommended if core validation is also enabled.


The end user provides an email address to validate with. When performing an action that requires 2FA authentication, the end user will receive an email containing a code to enter into their Banno app. We do not recommend enabling 2FA by email for a variety of reasons (learn more). If you would like to enable email 2FA you will need to open a case with our support team and sign a waiver of liability.

Symantec VIP tokens

Banno supports Symantec VIP tokens as either a hard or soft token. The end user provides their credential ID and then validates the 2FA code based on that credential when enrolling. When logging in, the end user provides the code as requested to access Banno.

Changing 2FA settings

  • Settings
  • Security
  • 2-step verification

If an end user wants to change their 2FA settings, the security menu allows users to edit their existing 2FA methods or add a new one. End users can also set a primary 2FA method that will be automatically highlighted whenever they receive a 2FA authentication prompt.

New device: Proving a user’s identity

Banno keeps tabs on the devices and browsers that are logging into user accounts by using device IDs1 and browser fingerprinting2. Whenever an end user attempts to login on a device that the API doesn’t recognize, they will be asked to prove their identity using 2FA. It’s just another security measure taken to protect the end user in the even that their credentials are compromised.


Can an end user’s 2FA phone number be provided upon request?
For the user’s security, an end user’s phone number is hashed across all platforms and cannot be provided.
Can we override the institution’s 2FA setting for specific end users?
Yes! To change settings for a specific end user, navigate to the Security page for that end user.
On some SMS 2FA codes, what’s the email address (ex. @online.tx.org) that displays?
Actually, this isn’t an email address but an an App hash. While the majority of devices don’t use an App hash, certain ones use it as part of 2FA and generating one-time codes sent by SMS. This allows us to support a higher number of different devices used by end users. You can checkout WebOTP API for more information on generating a one-time password (OTP).

  1. Device ID: A unique ID is issued to a device with every installation of Banno Mobile. That ID is presented with every login as a way for the system to associate the device with an authenticated user. ↩︎

  2. Browser fingerprinting: A method used to collect information about a user, like their operating system, language, and various other active settings. ↩︎