
Two-factor authentication

Fintech is great—end users love and expect it. But it has blown the doors of opportunity open for cyber criminals. Just because someone knows a valid username and password doesn’t mean they are who they say they are. According to Verizon’s 2018 Data Breach Investigations Report, guessed or stolen credentials were the top tactic for data breaches.

To mitigate the threat of guessed or stolen credentials, Banno requires two-factor authentication (2FA) for two scenarios:

  1. It’s the end user’s first time interfacing with your app.
  2. A new device is being used to access bank accounts.

Setting up 2FA

To get started on the Banno platform, new users log in, and mobile users will choose a PIN for quick account access in the future. This login process establishes their first authentication factor: something they know (their credentials) or something they are (like a fingerprint).

Wonder how new users get their credentials?

  1. Create a new account using their personal identifiable information;
  2. Carry over their username and password associated with your current online banking solution;
  3. Receive a username and temporary password issued by you, the FI.

Then, they will designate their second authentication factor: something they have (like a phone).

First time setup for end users without 2FA

When an end user attempts to use the app without 2FA configured while your institution has 2FA enabled, an additional layer of security is required before choosing and configuring a 2FA method.

After entering their username and password, the end user is sent an email containing a verification code that must be entered into the app before they can continue with 2FA configuration. After the verification code is confirmed, the end user can continue to the 2FA method configuration outlined below. They are then required to verify their configured 2FA method before accessing their account.

2FA verification methods

There are plenty of ways an end user can prove who they are, and secure new methods are being developed all the time. To ensure there are as few barriers as possible to utilizing the security of 2FA, Banno maintains a growing list of 2FA authentication options for end users to choose from and for you to control. No matter what kind of person the end user is, we make sure they can enroll in 2FA.

Banno apps offer the following methods of 2FA authentication for end users and can be managed by your institution in Banno People.

Authy

Banno natively supports the Authy authenticator app. The end user provides an email address and phone number associated with their account. When performing an action that requires 2FA authentication, the end user can copy their authentication code directly from the Authy app.

Your institution can decide whether or not to validate the provided phone number against your core records. If this is enabled, the end user must enter a phone number you have on file for that user. Users without a correct phone number will not be able to successfully enroll. After a user enrolls, they can change the phone number inside the Authy authenticator app to a different number.

Authy supports end users enrolling a single time. All other methods support enrolling multiple items (e.g. an end user can enroll more than one phone number in SMS/Phone call).

Phone or text message

The end user provides a phone number to validate with, selecting to receive authentication codes via text message or automated phone call. When performing an action that requires 2FA authentication, the end user receives a text message or phone call containing a code to enter into their Banno app.

Your institution can decide whether or not to validate the provided phone number against your core records. If this is enabled, the end user must enter a phone number you have on file for that user. End users without a correct phone number will be unable to successfully enroll.

Authenticator app

Banno supports non-Authy authenticator apps for end users who cannot access Authy, or who simply prefer another authenticator app. The Banno app provides a text code, as well as a QR code for desktop users, to enter into their chosen authenticator app. The end user can then use their chosen app according to its documentation.

If your institution decides to validate 2FA phone numbers against core records, authenticator apps will bypass that restriction. Enabling authenticator apps is not recommended if core validation is also enabled.

Symantec hardware/software tokens

Banno supports Symantec VIP tokens as either a hard or soft token. The end user provides their credential ID and then validates the 2FA code based on that credential when enrolling. When logging in, the end user provides the code as requested to access Banno.

Change Banno Apps settings

  • Settings
  • Security
  • 2-step verification

If an end user wants to change their 2FA settings in Banno Apps, the security menu allows users to edit their existing 2FA methods or add a new one. End users can also set a primary 2FA method that will be automatically highlighted whenever they receive a 2FA authentication prompt.

Change Enterprise settings

Within Banno Enterprise, you can control your institution’s 2FA verification methods in Banno People. You can also change 2FA settings on behalf of individual end users in their Security settings.

Because we consider changing 2FA options a high-risk change, an enterprise user will need to be in a group with 2FA enabled.

New device: Prove a user’s identity

Banno keeps tabs on the devices and browsers that are logging into user accounts by using device IDs [1] and browser fingerprinting [2]. Whenever an end user attempts to log in on a device that the API doesn’t recognize, they will be asked to prove their identity using 2FA. It’s just another security measure taken to protect the end user in the event that their credentials are compromised.

Banno Enterprise

Within Banno Enterprise, you can control your institution’s and end users’ 2FA settings. Because we consider changing 2FA options a high-risk change, an enterprise user will need to be in a group with 2FA enabled.

FAQ

Can an end user’s 2FA phone number be provided upon request?
For the user’s security, an end user’s phone number is hashed across all platforms and cannot be provided.
Can we override the institution’s 2FA setting for specific end users?
Yes! To change settings for a specific end user, navigate to the Security page for that end user.
On some SMS 2FA codes, what’s the email address (ex. @online.tx.org) that displays?
Actually, this isn’t an email address but an App hash. While the majority of devices don’t use an App hash, certain ones use it as part of 2FA and generating one-time codes sent by SMS. This allows us to support a higher number of different devices used by end users. You can check out the WebOTP API for more information on generating a one-time password (OTP).
How can we support an end user who is unable to use a phone for verification?
End users that for any reason are unable to use a phone for two-factor authentication may use the Authy app to authenticate. Setup requires use of a phone, so assisting with initial setup should be supported at your institution’s local branches in case an end user is unable to gain assistance from a friend or family member. After initial setup, Authy allows authentication without use of a phone.
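The FAQ answer above points to the WebOTP API. The JavaScript below is an added example, not Banno’s code: it parses the origin-bound last line of an SMS code (the “@online.tx.org #123456” style line the FAQ describes), rejects a code that was bound to a different host, and shows the browser-side WebOTP call with a fallback for browsers that lack it. The sample SMS text and host name are constructed for illustration.

```javascript
// Added example (not Banno's code). A browser that supports the WebOTP API
// only hands the code to the page when the host on the SMS's last line matches
// the site the user is on; the parser below makes that binding check explicit.

// Origin-bound one-time-code format: the final line of the SMS is "@<host> #<code>".
const BINDING_LINE = /^@(\S+) #(\S+)$/;

// Parse the binding line; returns null when the message carries no binding.
function parseOriginBoundOtp(smsText) {
  const lines = smsText.trim().split(/\r?\n/);
  const m = BINDING_LINE.exec(lines[lines.length - 1].trim());
  return m ? { host: m[1].toLowerCase(), code: m[2] } : null;
}

// Accept the code only when it was bound to the host we expect.
// A code bound to another site, or not bound at all, is rejected.
function otpForHost(smsText, expectedHost) {
  const otp = parseOriginBoundOtp(smsText);
  if (!otp || otp.host !== expectedHost.toLowerCase()) return null;
  return otp.code;
}

// Browser-side retrieval via WebOTP. Returns null when the API is absent
// (desktop browsers, Node) so the caller falls back to manual code entry.
async function requestSmsOtp(timeoutMs = 60000) {
  if (typeof navigator === 'undefined' || !navigator.credentials ||
      typeof globalThis.OTPCredential === 'undefined') {
    return null;
  }
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    const cred = await navigator.credentials.get({ otp: { transport: ['sms'] }, signal: ac.signal });
    return cred ? cred.code : null;
  } catch (e) {
    return null; // aborted by the timeout or the user dismissed the prompt
  } finally {
    clearTimeout(timer);
  }
}

// Constructed sample message in the format the FAQ describes (hostname from the FAQ).
const SAMPLE_SMS = 'Your verification code is 482913.\n\n@online.tx.org #482913';
```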

  1. Device ID: A unique ID is issued to a device with every installation of Banno Mobile. That ID is presented with every login as a way for the system to associate the device with an authenticated user.

  2. Browser fingerprinting: A method used to collect information about a user, like their operating system, language, and various other active settings.