Fintech is great: end users love it and expect it. But it has also opened the door wide for cyber criminals. Knowing a valid username and password does not prove that someone is who they claim to be. According to Verizon's 2018 Data Breach Investigations Report, guessed or stolen credentials were the top tactic behind data breaches.
To mitigate the threat of guessed or stolen credentials, Banno requires two-factor authentication (2FA) for two scenarios:
- It is the end user's first login to your app.
- The user logs in from a device or browser that Banno has not seen before.
Setting up 2FA
To get started on the Banno platform, new users log in with their credentials; mobile users also choose a PIN for quick account access in the future. This login establishes their first authentication factor: something they know (their credentials or PIN) or something they are (like a fingerprint).
Wondering how new users get their credentials? They can:
- Create a new account using their personally identifiable information;
- Carry over their username and password associated with your current online banking solution;
- Receive a username and temporary password issued by you, the FI.
Then they designate their second authentication factor: something they have (like a phone).
There are many ways an end user can prove who they are, and new methods keep being developed. To keep the barriers to using 2FA as low as possible, Banno maintains a growing list of 2FA options so that every kind of end user can enroll.
Banno apps offer the following 2FA methods for end users.
Voice or text message
The end user provides a phone number to validate with, choosing to receive authentication codes by text message or automated phone call. When performing an action that requires 2FA, the end user receives a text message or phone call containing a code to enter into their Banno app.
Your institution can decide whether or not to validate the provided phone number against your core records. If this is enabled, the end user must enter a phone number you have on file for that user; a user who cannot supply a matching number will not be able to enroll. Core validation stops an attacker from enrolling a phone of their own, but it does not defend against an attacker who takes over the legitimate number (for example through SIM swapping or call forwarding), so it is a check on enrollment rather than on delivery.
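As an added example (this is not Banno's code), the following service sketches the server side of the voice or text message method: the optional core-record check, with numbers normalized before comparison so formatting differences do not lock out legitimate users, and the lifecycle of a delivered code, which is generated from a CSPRNG, stored only as a keyed hash, expires, is single-use, and is withdrawn after a few wrong guesses. The five-minute lifetime, the five-attempt limit, the pepper, the gateway stand-in and the core record table are all assumptions or constructed sample data; numbers are stored hashed in line with the FAQ at the end of this page.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

CODE_TTL_SECONDS = 300   # assumed policy: a delivered code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: after five wrong guesses the code is withdrawn


def normalize_phone(raw: str, default_country: str = "1") -> str:
    """Reduce a number to E.164 digits so "(555) 123-4567" and "+1 555 123 4567"
    compare equal against the core record."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:                 # national number without a country code (assumed US)
        digits = default_country + digits
    if not 11 <= len(digits) <= 15:
        raise ValueError("not a plausible phone number")
    return "+" + digits


def hash_phone(phone: str, pepper: bytes) -> str:
    """Numbers are stored as keyed hashes; the pepper is a secret kept outside
    the database (an assumption of this example)."""
    return hmac.new(pepper, normalize_phone(phone).encode(), hashlib.sha256).hexdigest()


@dataclass
class PendingCode:
    code_hash: str
    issued_at: float
    attempts: int = 0


class SmsOtp:
    def __init__(self, pepper: bytes, validate_against_core: bool,
                 core_phone_hashes: Dict[str, Set[str]]):
        self.pepper = pepper
        self.validate_against_core = validate_against_core
        self.core_phone_hashes = core_phone_hashes   # user_id -> hashed numbers on file
        self.pending: Dict[str, PendingCode] = {}    # user_id -> outstanding code
        self.outbox: List[Tuple[str, str]] = []      # stands in for the SMS/voice gateway

    def enroll(self, user_id: str, phone: str) -> bool:
        """Accept the number unless core validation is on and it is not on file."""
        if not self.validate_against_core:
            return True
        return hash_phone(phone, self.pepper) in self.core_phone_hashes.get(user_id, set())

    def issue(self, user_id: str, phone: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, leading zeros preserved
        self.pending[user_id] = PendingCode(self._hash_code(code), now)  # never store the code itself
        self.outbox.append((normalize_phone(phone), code))               # gateway delivers it

    def verify(self, user_id: str, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if now - entry.issued_at > CODE_TTL_SECONDS or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]          # expired, or too many guesses: re-issue required
            return False
        entry.attempts += 1
        if hmac.compare_digest(entry.code_hash, self._hash_code(submitted)):
            del self.pending[user_id]          # a code is good for exactly one success
            return True
        return False

    def _hash_code(self, code: str) -> str:
        return hmac.new(self.pepper, code.encode(), hashlib.sha256).hexdigest()
```

Two design points matter more than they look. The attempt limit is what makes a six-digit code safe: without it, a million guesses inside the five-minute window are cheap. And hashing the stored code means a read-only database leak (or an over-privileged support tool) cannot be used to pass the second factor.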
Authy
Banno natively supports the Authy authenticator app. The end user provides an email address and the phone number associated with their Authy account. When performing an action that requires 2FA, the end user copies the authentication code directly from the Authy app.
Your institution can decide whether or not to validate the provided phone number against your core records. If this is enabled, the end user must enter a phone number you have on file for that user; a user who cannot supply a matching number will not be able to enroll. Note that after a user enrolls, they can change the phone number inside the Authy app to a different number, so core validation is only enforced at enrollment time.
Other authenticator apps
Banno supports non-Authy authenticator apps for end users who cannot use Authy, or who simply prefer another app. The Banno app provides a text code, and a QR code for desktop users, to enter into the chosen authenticator app; the end user then uses that app according to its documentation.
If your institution validates 2FA phone numbers against core records, authenticator apps bypass that restriction: enrolling an authenticator app involves no phone number, so there is nothing to check against the core. Enabling authenticator apps is therefore not recommended if core validation is also enabled.
Email
The end user provides an email address to validate with. When performing an action that requires 2FA, the end user receives an email containing a code to enter into their Banno app. We do not recommend enabling 2FA by email, chiefly because an attacker who has phished or guessed a user's banking credentials frequently has access to that user's email account as well, so the second factor is often no stronger than the first. If you would like to enable email 2FA, you will need to open a case with our support team and sign a waiver of liability.
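The page does not name the protocol behind the text code and QR code, so the following added example (not Banno's code) assumes the TOTP standard (RFC 6238 over RFC 4226) that authenticator apps such as Google Authenticator implement. It shows what is actually enrolled, a shared secret carried in an otpauth URI with no phone number in it, which is why core phone validation has nothing to act on for this method, and how the server verifies codes with a small clock-skew window and replay protection. The issuer name, account label and one-step window are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

DIGITS = 6
STEP = 30          # seconds per code; the default every common authenticator app uses
WINDOW = 1         # assumed policy: accept one step of clock skew on either side


def new_secret() -> str:
    """160-bit random secret, base32-encoded so it can be typed in as the 'text code'."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def otpauth_uri(secret: str, issuer: str, account: str) -> str:
    """The string the QR code encodes. It carries the secret and display labels only:
    no phone number, so there is nothing for a core-record check to compare."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


def totp(secret: str, at: Optional[float] = None) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time. This is what the app computes."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // STEP))


class TotpVerifier:
    """Server side: verify a submitted code and refuse a second use of the same time step."""

    def __init__(self, secret: str):
        self.secret = secret            # must be stored encrypted at rest; plaintext here for brevity
        self.last_accepted_step = -1

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        at = time.time() if at is None else at
        step = int(at // STEP)
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_accepted_step:
                continue                # already used, or older than one we accepted: replay
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    s = new_secret()
    print(otpauth_uri(s, "Example FI", "user@example.com"))   # what the QR code would encode
    print("current code:", totp(s))
```

Because the secret is the whole credential, the server-side copy deserves the same handling as a password database, and the verifier must remember the last accepted step: a code captured by a phishing page stays valid for the rest of its 30-second window and the skew window around it unless replays are refused.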
Changing 2FA settings
If an end user wants to change their 2FA settings, the 2-step verification section of the security menu lets them edit their existing 2FA methods or add a new one. End users can also set a primary 2FA method, which is highlighted automatically whenever they receive a 2FA prompt.
New device: Proving a user’s identity
Banno keeps tabs on the devices and browsers that log into user accounts by using device IDs [1] and browser fingerprinting [2]. Whenever a user attempts to log in from a device or browser that the API does not recognize, they are asked to prove their identity using 2FA. It is one more safeguard for the user in the event that their credentials are compromised.
- Can an end user’s 2FA phone number be provided upon request?
- No. For the user's security, an end user's phone number is stored hashed across all platforms and cannot be provided.
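As an added example (not Banno's code), here is the decision logic the new-device paragraph above describes: a login that passes the first factor is allowed through only if the presented device ID (mobile) or browser fingerprint (web) has already completed 2FA for that user; otherwise it is stepped up, and the identifier is remembered only after the second factor succeeds. The request fields, the trait set used for the fingerprint, the keyed hashing of stored identifiers and the reset-on-compromise hook are assumptions; the sample traits are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class LoginRequest:
    user_id: str
    password_ok: bool                       # result of the first factor, checked elsewhere
    device_id: Optional[str] = None         # mobile: issued once per app install
    browser_traits: Optional[dict] = None   # web: user agent, language, platform, time zone...


def fingerprint(traits: dict) -> str:
    """Stable digest of the traits the browser exposes; keys are sorted so that
    the order in which the client reports them does not change the result."""
    canon = json.dumps(traits, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class StepUpPolicy:
    def __init__(self, pepper: bytes):
        self.pepper = pepper                       # secret outside the database (assumed)
        self.known: Dict[str, Set[str]] = {}       # user_id -> tags that have passed 2FA

    def _tag(self, req: LoginRequest) -> Optional[str]:
        """What gets looked up: the device ID on mobile, the fingerprint on web,
        keyed-hashed so the stored table is useless on its own."""
        if req.device_id:
            raw = "dev:" + req.device_id
        elif req.browser_traits:
            raw = "fp:" + fingerprint(req.browser_traits)
        else:
            return None
        return hmac.new(self.pepper, raw.encode(), hashlib.sha256).hexdigest()

    def decide(self, req: LoginRequest) -> str:
        """Returns 'deny', 'allow' or 'require_2fa'."""
        if not req.password_ok:
            return "deny"              # say nothing about devices before the first factor passes
        tag = self._tag(req)
        if tag is None or tag not in self.known.get(req.user_id, set()):
            return "require_2fa"       # unknown device or browser, or none presented: step up
        return "allow"

    def remember(self, req: LoginRequest, second_factor_ok: bool) -> bool:
        """Trust the device only once the user has proven identity with 2FA."""
        tag = self._tag(req)
        if not second_factor_ok or tag is None:
            return False
        self.known.setdefault(req.user_id, set()).add(tag)
        return True

    def forget_all(self, user_id: str) -> None:
        """On password reset or reported compromise every device must re-prove itself."""
        self.known.pop(user_id, None)
```

Fingerprints fail in the safe direction: a browser update changes a trait, the hash no longer matches, and the user is simply asked for their second factor again. The device ID is the stronger signal because it is issued by the app rather than inferred, which is why the lookup prefers it when both are present.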
[1] Device ID: A unique ID is issued to a device with every installation of Banno Mobile. That ID is presented with every login so the system can associate the device with an authenticated user.
[2] Browser fingerprinting: A method of collecting information about a user's browser and environment, such as the operating system, language, and various other active settings, so that the browser can be recognized on later visits.