A user can do a lot with Banno Apps and Banno Enterprise, but not all actions are created equal. Some actions are riskier than others, such as transfers to an external institution. For actions that could compromise the security of your users’ accounts, Banno apps require an extra level of authentication. We call these “high-risk actions.” Want to know which actions are included and how it works? Read on.
When Banno Apps and Enterprise detect a high-risk action, the user is prompted to re-enter their password. The user must enter the correct password before the high-risk action can continue. After a high-risk action is completed, an email is sent to the email address on file for the account.
Index of high-risk actions
Banno apps aim for a balance: the high-risk set covers the actions that matter most, without being so broad that re-authentication prompts frustrate the end user. It can be hard to keep track of which actions are high-risk, so we’ve compiled a list below.
- Changing password
- Changing username
Banno Mobile/Online only
- Edit username
- Edit user address
- Edit user email
- Edit user phone number
- Reset 2FA
- Adding an external or aggregated account
- Adding or updating a bill payee
- Adding an external transfer account
- External transfer over a given amount, if configured
- Enroll in Symantec
- Initiate wires and batches
- Payments to a first time contact
- Accepting a request for payment
- Creating a contact
- Adding a recipient
- Changing 2FA settings, including reset for a user
- Managing security settings
- Initiating an ACH batch
- Initiating a wire
- Why is a password required instead of receiving a 2FA code?
- 2FA is only used to log into the app. Re-entering the password provides an additional security mechanism: it helps ensure the person using the app is the authorized user and prevents an unauthorized user from hijacking the account. For example, once a user is logged in, requiring the password stops someone who steals the user’s phone from creating a payee. If a 2FA code were used instead, the code would be delivered to the very phone the unauthorized user is holding, and they could create the new payee anyway.
- How long are users considered high-risk authenticated?
- Once a user completes a high-risk authentication, including during login, they will not have to re-authenticate for high-risk actions for the next 10 minutes.
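The gating logic described above (password re-entry for high-risk actions, a 10-minute window that login also satisfies, and a notification email after each completed high-risk action) can be expressed as a small step-up authentication gate. The following is an added illustration, not Banno’s code; the `HighRiskGate` class, the action identifiers, the optional external-transfer threshold and the PBKDF2 credential store are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Re-authentication window from the page: 10 minutes.
HIGH_RISK_WINDOW_SECONDS = 10 * 60

# Hypothetical action identifiers standing in for the list on the page;
# the product's internal names are not known.
ALWAYS_HIGH_RISK = {
    "change_password", "change_username", "edit_email", "edit_phone",
    "reset_2fa", "add_external_account", "add_payee", "initiate_wire",
}


class StepUpRequired(Exception):
    """The action is high-risk and the session's password proof is stale."""


class AuthenticationFailed(Exception):
    """Wrong password at login or at re-authentication."""


@dataclass
class Session:
    user_id: str
    email: str
    # Server-side timestamp of the last *verified* password entry.
    last_password_auth: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class HighRiskGate:
    def __init__(self, send_email: Callable[[str, str], None],
                 external_transfer_threshold: Optional[float] = None,
                 clock: Callable[[], float] = time.time) -> None:
        # user_id -> (salt, pbkdf2 hash, email on file); an in-memory stand-in.
        self._creds: Dict[str, Tuple[bytes, bytes, str]] = {}
        self._send_email = send_email
        self._threshold = external_transfer_threshold  # "if configured"
        self._clock = clock  # injected so the window can be tested

    def register(self, user_id: str, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user_id] = (salt, _hash_password(password, salt), email)

    def _verify(self, user_id: str, password: str) -> bool:
        salt, stored, _ = self._creds[user_id]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def login(self, user_id: str, password: str) -> Session:
        if not self._verify(user_id, password):
            raise AuthenticationFailed(user_id)
        # Login itself counts as a high-risk authentication (per the FAQ).
        return Session(user_id, self._creds[user_id][2], self._clock())

    def reauthenticate(self, session: Session, password: str) -> None:
        if not self._verify(session.user_id, password):
            # A failed attempt must never refresh the window.
            raise AuthenticationFailed(session.user_id)
        session.last_password_auth = self._clock()

    def is_high_risk(self, action: str, amount: Optional[float] = None) -> bool:
        # External transfers are high-risk only over a configured amount
        # (assumption: with no threshold configured they are not gated).
        if action == "external_transfer":
            return (self._threshold is not None and amount is not None
                    and amount > self._threshold)
        return action in ALWAYS_HIGH_RISK

    def perform(self, session: Session, action: str,
                execute: Callable[[], object],
                amount: Optional[float] = None) -> object:
        high_risk = self.is_high_risk(action, amount)
        if high_risk and (self._clock() - session.last_password_auth
                          > HIGH_RISK_WINDOW_SECONDS):
            raise StepUpRequired(action)  # caller prompts for the password
        result = execute()
        if high_risk:
            self._send_email(session.email,
                             f"High-risk action completed: {action}")
        return result


if __name__ == "__main__":
    gate = HighRiskGate(lambda to, msg: print(f"mail to {to}: {msg}"))
    gate.register("alice", "alice@example.com", "correct horse")
    s = gate.login("alice", "correct horse")
    gate.perform(s, "add_payee", lambda: None)  # within window: allowed, mailed
```

Two details matter in practice and are easy to get wrong: the timestamp is set only by the server after a verified password (a failed re-entry leaves the window untouched), and the window is measured from the last password proof, not from the last high-risk action, so a long sequence of sensitive actions cannot keep a stale session alive indefinitely.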