Two-factor authentication

Fintech is great—end users love and expect it. But it has blown the doors of opportunity open for cyber criminals. Just because someone knows a valid username and password doesn’t mean they are who they say they are. According to Verizon’s 2018 Data Breach Investigations Report, guessed or stolen credentials were the top tactic for data breaches.

To mitigate the threat of guessed or stolen credentials, Banno requires two-factor authentication (2FA) for three scenarios:

  1. It’s the end user’s first time interfacing with your app.
  2. A new device is being used to access bank accounts.
  3. The end user is recovering their account.

Setting up 2FA

To get started on the Banno platform, new users log in, and mobile users will choose a PIN for quick account access in the future. This login process establishes their first authentication factor: something they know (their credentials) or something they are (like a fingerprint).

Wonder how new users get their credentials?

  1. Create a new account using their personally identifiable information;
  2. Carry over their username and password associated with your current online banking solution;
  3. Receive a username and temporary password issued by you, the FI.

Then, they will designate their second authentication factor: something they have (like a phone).

First time setup for end users without 2FA

When an end user attempts to use the app without 2FA configured while your institution has 2FA enabled, an additional layer of security is required before choosing and configuring a 2FA method.

After entering their username and password, the end user is sent an email containing a verification code that must be entered into the app before they can continue with 2FA configuration. After the verification code is confirmed, the end user can continue to the 2FA method configuration outlined below. They are then required to verify their configured 2FA method before accessing their account.

2FA support for international end users

End users can receive 2FA sign-in codes via international phone numbers; however, they cannot use an international number for the initial 2FA enrollment validation. Therefore, before we can enable 2FA support for international numbers, you’ll need to work with your Banno implementation coordinator or support rep to establish 2FA enrollment validation via email rather than via core validation. This change—which only affects the one-time validation step users complete during 2FA enrollment—is required due to known limitations that prevent Banno from validating international phone numbers against the core.

To support 2FA via international phone numbers, ask your implementation coordinator (or Banno Support) to get the ball rolling. Once we’ve completed the changes, any end user who enrolls in 2FA will be prompted to validate their enrollment via email. This applies to end users with US-based phone numbers as well. If you later decide that email validation isn’t right for your institution, an authorized employee can always revert the changes in People (though, we highly recommend reaching out to Banno Support beforehand with any questions regarding the impact on end users).

2FA verification methods

There are plenty of ways an end user can prove who they are, and secure new methods are being developed all the time. To ensure there are as few barriers as possible to utilizing the security of 2FA, Banno maintains a growing list of 2FA authentication options for end users to choose from and for you to control. No matter what kind of person the end user is, we make sure they can enroll in 2FA.

Banno apps offer the following methods of 2FA authentication for end users and can be managed by your institution in Banno People.

If an end user is unable to receive a 2FA code, they will commonly see the error warning “Your 2FA code failed to deliver to your default method. Please try another way.” and be prompted to verify the code delivery again. In the Verification code delivery window, they can choose from other delivery methods set within their account.

Authy

Banno natively supports the Authy authenticator app. The end user provides an email address and phone number associated with their account. When performing an action that requires 2FA authentication, the end user can copy their authentication code directly from the Authy app.

Your institution can decide whether or not to validate the provided phone number against your core records. If this is enabled, the end user must enter a phone number you have on file for that user. Users without a correct phone number will not be able to successfully enroll. After a user enrolls, they can change the phone number inside the Authy authenticator app to a different number.

Authy supports end users enrolling a single time. All other methods support enrolling multiple items (e.g. an end user can enroll more than one phone number in SMS/Phone call).

Phone or text message

The end user provides a phone number to validate with, selecting to receive authentication codes via text message or automated phone call. When performing an action that requires 2FA authentication, the end user receives a text message or phone call containing a code to enter into their Banno app.

Your institution can decide whether or not to validate the provided phone number against your core records. If this is enabled, the end user must enter a phone number you have on file for that user. End users without a correct phone number will be unable to successfully enroll.

Authenticator app

Banno supports non-Authy authenticator apps for end users who cannot access Authy, or who simply prefer another authenticator app. The Banno app provides a text code, as well as a QR code for desktop users, to enter into their chosen authenticator app. The end user can then use their chosen app according to its documentation.

Not recommended with core validation: If your institution decides to validate 2FA phone numbers against core records, authenticator apps will bypass that restriction. Enabling authenticator apps is not recommended if core validation is also enabled.

FIDO security keys

The FIDO security key is a physical token that connects to the end user’s computer via USB, Bluetooth, or NFC. The authenticator code is automatically entered and never shared with anyone, including the end user utilizing the key.

More About Passkeys

Formerly known as our biometrics login feature, the passkey login feature Sign in with a passkey follows FIDO Authentication specifications. It aligns with changes in web browsers and enables the browser autocomplete feature to make signing in with passkeys even easier—especially on mobile browsers—for end users. With passkeys, end users can sign in to Banno Online quickly, easily and more securely by using their device’s biometric capability or PIN to authenticate themselves in a single step instead of entering a password and completing 2FA. Passkeys protect end users in a variety of ways, including these:

  • Unlike passwords, passkeys cannot be used on their own to authenticate (i.e. passkeys cannot be copied, pasted, or stolen).
  • Passkeys use cryptography and tie the device, end user, and app or website together, so that attackers cannot steal credentials by using phony websites.
  • End users don’t have to remember, update, or manage passwords.

How does it work?

[Screenshot: Banno Online login screen with numbered callouts (1), (2) and (3)]

  • Banno Online login screen
  • enter username (1)
  • Continue (2)
  • Sign in with a passkey (3)

After an end user registers their passkey, the end user clicks Sign in with a passkey. Depending on the end user’s platform, web browser, and device biometric setting (face ID, PIN, etc.), the passkey manager prompts the end user to authenticate using their device’s biometrics to log in. Desktop end users whose devices may not have biometrics can also authenticate with a nearby mobile device by scanning a QR code that displays on the desktop.

Once a passkey is registered with Banno Online, end users can log in from their other devices that are synced to their passkey manager. End users will also see autofill prompts to use passkeys found in their passkey manager. For example, passkeys created on iOS or in Safari on macOS are stored in iCloud Keychain. Passkeys created in Chrome on Android are stored in the Google Password Manager.

If an end user clicks Sign in with a passkey but they haven’t registered a passkey, they are unable to log in and will see the error message “Passkey authentication failed. Try using your password instead.” To sign in with a passkey, the end user needs to first register a passkey.

Autofill username

[Screenshot: username field with the autofill prompt showing the passkey entry (1) and Use a Passkey on a Different Device (2)]

Note: Autofill entries vary based on the information provided by the end user’s passkey manager.

End users who register a passkey will then have the option to use autofill at the username field prompt on the login page (1). For autofill to function, the end user needs to be logged in to their passkey ecosystem (Google, Apple, etc.)—autofill functionality does not populate from the end user’s device or browser. This method streamlines the login experience by eliminating the need to enter a username, password, or complete 2FA.

Banno Online is designed to use the autofill functionality, but the passkey manager controls what displays in the autofill prompt.

Use a passkey on a different device

The Use a Passkey on a Different Device (2) entry that displays in the autofill prompt allows end users to authenticate and log in from a mobile device when using a desktop. Both devices must have Bluetooth enabled, and the mobile device needs to be placed within Bluetooth range of the desktop. Using a passkey on a different device is managed by the passkey provider and not by the Banno Digital Platform. FIDO Alliance offers more information on the user experience.

Register passkey

  • End user profile menu
  • Settings
  • Security
  • Passkey sign in
  • Register this device

Before an end user can successfully sign in with a passkey, they need to log in to Banno Online and enable the Register this device toggle in their profile’s Settings. After they enable the toggle, the end user follows the passkey provider’s prompts to complete passkey setup. When the device is successfully registered and the passkey created, the confirmation toast Passkey registered displays in the app. Passkey prompts and messaging will vary depending on the end user’s operating system, passkey provider, device, and web browser, because passkey prompts are controlled by the passkey provider and not by the Banno Digital Platform.

Adding a passkey requires that the end user complete high-risk authentication. Once a passkey has been added to Banno Online, the passkey can also be used to complete high-risk authentication in the app.

If the end user doesn’t successfully set up a passkey, an Error registering passkey toast message displays in the app. The end user needs to log out of Banno Online, sign back in, and attempt registering a passkey again.

Unregister and remove passkey

If end users want to remove their passkey, they need to unregister the passkey from Banno Online. To remove the passkey entry from displaying in the autofill prompt, it’s recommended end users also remove it from their passkey manager.

Banno Online

  • End user profile menu
  • Settings
  • Security
  • Passkey sign in
  • Register this device

To unregister a passkey, the end user disables the Register this device toggle in their profile’s Settings. After they disable the toggle, the end user follows the passkey manager’s prompts. When the passkey is successfully unregistered, the confirmation toast Passkey removed displays in the app. Passkey prompts and messaging will vary depending on the end user’s operating system, passkey provider, device, and web browser, because passkey prompts are controlled by the passkey provider and not by the Banno Digital Platform.

Unregistering a passkey requires the end user to complete high-risk authentication in the app.

When the end user unregisters their passkey in Banno Online, they cannot log in with Sign in with a passkey or have the option to complete high-risk authentication with a passkey. If the passkey isn’t also removed from the end user’s passkey manager, the option to sign in with a passkey still displays in the autofill prompt but the end user is unable to log in using that option.

Passkey manager

When an end user removes a passkey in Banno Online, we recommend they also remove it from their passkey manager. The Banno Digital Platform manages registering a passkey with Banno Online, but we do not have control of passkeys stored in an end user’s passkey manager. If the end user doesn’t remove the passkey from their passkey manager, the option to sign in with a passkey continues to autofill but it will not work—the end user is unable to sign in using the entry. To remove a passkey from the passkey manager, institutions and end users should refer to the documentation provided by the end user’s passkey manager.

Update username in passkey manager

If an end user updates their username in Banno Apps, they also need to update the username in their passkey manager so that the autofill prompt reflects the correct username. To update the username in a passkey manager, institutions and end users can refer to the documentation provided by the end user’s passkey manager.

FAQ


Can passkeys be disabled?
No, passkeys are part of the Banno Online login experience and cannot be disabled.
An end user on a desktop wants to “Use a Passkey on a Different Device” to authenticate and has difficulty logging in to Banno Online.
Both devices must have Bluetooth enabled, and the different device needs to be placed within Bluetooth range of the desktop.
The end user has trouble registering their device and “Error registering passkey” toast message displays in the app.
The end user needs to log out of Banno Online, sign back in, and attempt registering a passkey again.
Can end users still log in using their password?
Yes, end users can still log in to Banno Online using their password and completing 2FA.
Does Banno store end user biometric information?
No, apps and websites—including the Banno Digital Platform—do not store the end user’s biometric information.
Where can institutions and end users get support for using passkeys?
Content provided by the FIDO Alliance and the FAQ in this Passkeys doc offer valuable information for learning about passkeys. Here are a few more resources:

Banno supports registering and unregistering a passkey on a device, and we enable autofill functionality for passkey managers. For all other passkey support, please refer to documentation provided by the end user’s passkey provider, as support by Apple and Google is ongoing.


Symantec hardware/software tokens

Banno supports Symantec VIP tokens as either a hard or soft token. The end user provides their credential ID and then validates the 2FA code based on that credential when enrolling. When logging in, the end user provides the code as requested to access Banno.

Short codes

When it comes to end users receiving 2FA codes via voice or text message, short codes for 2FA provide an option not affected by carrier rate limits. This is great news for end users, as they promptly receive their 2FA codes and aren’t subject to stalled or undelivered codes! With short codes enabled, users receive their 2FA codes via Banno’s unique short code number—53286. All Banno institutions use the same short code number, and institution-specific short codes are not supported.

Short codes are used to deliver 2FA codes as SMS texts. Short codes are not used for any of the following:

  • 2FA codes delivered by phone call, although if it’s detected that a phone number doesn’t accept SMS (a landline for example), a phone call is placed automatically
  • 2FA codes generated in Authy
  • 2FA codes generated in any other authenticator apps
  • In-app alerts
  • Messages (including scheduled Messages) that an institution admin creates in People for distribution to all end users
  • Conversations and related alerts
  • Any other in-app alert in Banno
  • 2FA codes delivered to international numbers

Configure

Short codes are enabled by default and cannot be disabled.

SMS messages

End users can receive the following SMS messages via the short code number:

Security code message
After tapping or clicking Send code in the Banno app, end users receive this message: [Institution name] security code: [unique-2FA-code] We will never ask for this code—don’t share it. [combination of characters] [hyperlinked unique-2FA-code]

The combination of characters (ex. m1BEiLPED7j@accounts.myinstitution.bank) and hyperlinked unique-2FA-code at the bottom of the SMS message is used for browser autofill features and designates the website it is allowed to be used on.
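The domain binding described above, as an added example (not Banno’s code): a parser that reads the machine-readable last line of such a message and releases the code only when the bound host matches the site asking for it. The `@host #code` shape follows the WebOTP origin-bound one-time code format; the optional app-hash token before the `@`, the sample messages and the host `accounts.myinstitution.bank` are assumptions modelled on the page’s example.

```python
"""Parse an origin-bound 2FA SMS and release the code only to the matching site.

Added example, not Banno's code. The machine-readable last line follows the
WebOTP "origin-bound one-time codes" shape ("@host #code"); the optional
app-hash token in front of the "@" mirrors the page's example
("m1BEiLPED7j@accounts.myinstitution.bank") and is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples in the shape the page describes; institution name,
# host and code value are made up for this example.
SAMPLE_SMS = (
    "First Community Bank security code: 482913 "
    "We will never ask for this code - don't share it.\n"
    "m1BEiLPED7j@accounts.myinstitution.bank #482913"
)
SPEC_FORM_SMS = (  # the same binding without an app hash
    "Your verification code is 482913.\n"
    "@accounts.myinstitution.bank #482913"
)

# Token 1: optional opaque app hash, then "@" and the host the code is bound to.
_HOST_TOKEN = re.compile(r"^(?:(?P<hash>[A-Za-z0-9+/]+))?@(?P<host>[A-Za-z0-9.-]+)$")
# Token 2: "#" followed by the one-time code itself.
_CODE_TOKEN = re.compile(r"^#(?P<code>[A-Za-z0-9]+)$")
# The human-readable copy of the code earlier in the message, if present.
_BODY_CODE = re.compile(r"security code:\s*(?P<code>[A-Za-z0-9]+)", re.IGNORECASE)


@dataclass(frozen=True)
class OriginBoundCode:
    host: str                # site the code may be autofilled on
    code: str                # the one-time code
    app_hash: Optional[str]  # Android-style app hash, if the message carried one


def parse_origin_bound_sms(sms: str) -> Optional[OriginBoundCode]:
    """Return the bound host and code, or None if the message is malformed.

    A message whose human-readable code disagrees with the machine-readable
    one is rejected: a genuine sender never produces that, so it is treated
    as tampering rather than repaired.
    """
    lines = [line.strip() for line in sms.splitlines() if line.strip()]
    if not lines:
        return None
    tokens = lines[-1].split()
    if len(tokens) != 2:
        return None
    host_match = _HOST_TOKEN.match(tokens[0])
    code_match = _CODE_TOKEN.match(tokens[1])
    if host_match is None or code_match is None:
        return None
    body_match = _BODY_CODE.search("\n".join(lines[:-1]))
    if body_match is not None and body_match["code"] != code_match["code"]:
        return None
    return OriginBoundCode(
        host=host_match["host"].lower(),
        code=code_match["code"],
        app_hash=host_match["hash"],
    )


def code_for_origin(sms: str, expected_host: str) -> Optional[str]:
    """Release the code only if the SMS is bound to `expected_host`.

    This comparison is what keeps a lookalike site from having the code
    autofilled: the host in the message must match the site asking for it.
    """
    parsed = parse_origin_bound_sms(sms)
    if parsed is None or parsed.host != expected_host.lower():
        return None
    return parsed.code


if __name__ == "__main__":
    print(code_for_origin(SAMPLE_SMS, "accounts.myinstitution.bank"))  # 482913
    print(code_for_origin(SAMPLE_SMS, "login.example.net"))            # None
```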

Opt out reply
If an end user texts STOP, CANCEL, END, QUIT, STOPALL, or UNSUBSCRIBE to the short code number, they receive this reply: You won’t receive additional SMS messages from your financial institution regarding your 2FA security code. To re-enroll at any point, text START. Msg and data rates may apply. 1msg/access.

Opt in reply
If a user texts START or UNSTOP to the short code number, they receive this reply: You have been re-enrolled to receive SMS messages from your financial institution regarding your 2FA security code. Msg and data rates may apply. 1msg/access. Reply HELP for help and STOP to stop receiving these messages.

Help reply
If a user texts HELP or INFO to the short code number, they receive this reply: 2FA Security Code Messages: Please contact your financial institution for help signing in. You may also call or text 1-888-291-9631 Msg and data rates may apply. 1msg/access. Reply HELP for help and STOP to stop receiving these messages.

All messages sent
The short code is used only for messages strictly related to Banno 2FA codes; no other communications, alerts, or messages will be sent via the short code.

Change Banno Apps settings

  • Settings
  • Security
  • 2-step verification

If an end user wants to change their 2FA settings in Banno Apps, the security menu allows users to edit their existing 2FA methods or add a new one. End users can also set a primary 2FA method that will be automatically highlighted whenever they receive a 2FA authentication prompt.

Change Enterprise settings

Within Banno Enterprise, you can control your institution’s 2FA verification methods in Banno People. You can also change 2FA settings on behalf of individual end users in their Security settings.

Because we consider changing 2FA options a high-risk change, an enterprise user will need to be in a group with 2FA enabled.

New device: Prove a user’s identity

Banno keeps tabs on the devices and browsers that log into user accounts by using device IDs¹ and browser fingerprinting². Whenever an end user attempts to log in on a device that the API doesn’t recognize, they will be asked to prove their identity using 2FA. It’s just another security measure taken to protect the end user in the event that their credentials are compromised.

Banno Enterprise

Within Banno Enterprise, you can control your institution’s and end users’ 2FA settings. Because we consider changing 2FA options a high-risk change, an enterprise user will need to be in a group with 2FA enabled.

Customer Communication

2FA Customer Communication

Utilizing 2FA for Banno

It’s important your team is aware 2FA will be your biggest call driver at go live. End users who utilize modern apps are typically familiar with 2FA, but less experienced end users may struggle. To assist end users as best as possible, we suggest your customer/member care team be fully trained on Banno 2FA, utilize it themselves, and have the information on this page available.

The weakest point of protection for an end user is before they are signed up for 2FA. Once they activate 2FA it doesn’t matter what phone number they use—they are protected. We recommend minimizing the time frame between credentials being issued and 2FA enrollment. This is most vulnerable during a conversion.

For international end users, it’s also important to understand that—while they can receive 2FA codes via an international phone number when signing in—Banno cannot use international numbers to validate an end user’s 2FA enrollment (including if the end user’s enrollment is reset).

The gap allows a malicious actor who knows a user’s credentials to enroll them in 2FA using a number that the attacker controls. To combat this, we email the user throughout this process at the following points:

  • New device sign in
  • 2FA enrollment
  • Other authentication changes

Even if a malicious actor manages to act during this gap, the end user will be notified immediately and can reach out to your institution for assistance.

For the few institutions that are uncomfortable with this gap, it’s possible to enable core validation to ensure the 2FA number matches the phone number logged in your core. Core validation helps prevent an attacker from enrolling an unknown number, but it causes two problems:

  • Cash management users don’t have phone numbers to validate against, so core validation will not work for them.
  • End users often have valid reasons for using a phone number that does not match what’s on the core, such as having only home numbers logged in the core.

Projects are in progress to add more 2FA options using authenticator apps. Authenticator apps and security keys don’t have an analogous option for core validation, so core validation is not compatible with those further 2FA options. See the public-facing roadmap for information on additional 2FA options.

End user experience

Enrollment

When end users log in to Banno for the first time from any platform, they’ll have to enroll in 2FA. As part of the enrollment, end users provide their email and phone number. Unless the end user selects their device to be remembered by Banno Online, the 2FA phone needs to be accessible each time they log in. They’ll also have to choose between four methods of receiving the verification code. We recommend end users receive a text via a mobile phone, but they can also choose to receive a phone call via a landline or a verification code through the Authy app or other authentication app. If the user sets up a new phone number or enters the incorrect number, admins can reset 2FA for users within the permissions section of the Banno portal. Once the user has enrolled, they will not have to re-enroll unless they or the institution chooses to reset their 2FA.

Phone call verification

If the end user selects to receive a phone call instead of a text message, they’ll receive the verification code in the form of a robocall. The robocall provides a single digit for the end user to enter on the phone. Then the robocall provides a seven-digit verification code for the end user to enter in the Banno App (Online or Mobile) they’re using. If the end user doesn’t enter the initial single digit, the verification code isn’t given nor is it left on a voicemail system. If the end user doesn’t answer the robocall, they’ll have to select to have the code re-sent. The robocall phone number may be listed as coming from anywhere in the U.S., because the number pulls from a pool of numbers that Authy controls.

Reset enrollment

End users can reset their own 2FA enrollment in both Online and Mobile by going to the security settings in their profile page. The institution can also reset 2FA by navigating to the end user’s profile in Banno People, clicking Security, then scrolling to 2-step verification and clicking Remove.

Codes

Doesn’t receive a code

If a care team receives a report of the user not receiving a code, it could be one of the following:

  • The main issue we see is the user requests receiving a code via SMS, but enters a landline number. If they report not receiving the code via SMS, and you’ve verified they’re not entering a landline number, instruct them to try another way and receive it via phone call.
  • If the user tries both methods to receive the code, reset and have them verify they entered the correct phone number.
  • If the phone number and method are correct, validate the user isn’t using a phone operating on a prepaid plan. Oftentimes, the money runs out and they no longer receive SMS until adding to the account balance.
  • The user reaches their max attempts. See the FAQ for more detail.
  • If all of the above is validated, the issue’s likely with the carrier.

Views an invalid code

A standard error return message will state, “Too many attempts. Try again later.” There are many reasons why end users might see invalid codes (or token errors). Below is a list of common causes:

  • The most obvious reasons are typos (when retyping token codes) and expired tokens.
  • The device’s time isn’t synchronized with the server’s time. This often occurs when end users travel; ensuring the device’s time is correct fixes the issue.
  • The account was reset.
  • For the Authy App: If a user resets the account within Authy, all Authy tokens produce invalid OTPs and the user needs to reinstall the Authy app to fix the issue.
  • End users removed their device. If a user removes a device, all Authy powered tokens from the removed device generate invalid OTPs. To fix this, the user reinstalls the Authy app.

These reasons might not be the source affecting your reported end users, but it’s a helpful reference.

In general, if the issue occurs inconsistently, we determine it’s a user error. However, if you see certain end users experiencing the issue more often, please direct them to Authy and include their phone numbers, emails and/or Authy ID. Authy happily investigates issues further.

Locked out

End users can lock themselves out of enrolling and verifying 2FA codes. The FAQ provides more details.

Switch profile

If an end user adds more profiles to their mobile app, they will need to set up 2FA for each of them. If the account has already enrolled in 2FA, they will need the verification code sent to that end user.

FAQ


How many invalid authentication attempts are permitted before the account is locked?
  • If the user verifies five wrong tokens in a minute, an error returns with the message, “Too many attempts. Try again later.” The user can retry after five minutes.
  • If the user verifies 20 wrong tokens in a day, an error returns with the message, “Too many attempts. Try again later.” The user can retry after 24 hours.
  • There’s not a manual reset for unlocking an end user. After a suspended user reaches their retry time limit (five minutes or 24 hours), successfully verifying a token removes the suspension.
  • Removing a user from the application and adding them again doesn’t remove the suspension.
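The lockout rules above, as an added example of how a verification endpoint could enforce them (not Banno’s implementation): wrong-code attempts are counted per user over a sliding minute and day, nothing is checked while a suspension is active, and the counters are keyed by a stable user identifier so that removing and re-adding the user leaves the suspension in place. The timestamps and codes are constructed, and a real service would compare against a stored code hash rather than a plaintext expected value.

```python
"""Two-tier lockout for wrong 2FA codes (added example, not Banno's code).

Rules as stated in the FAQ:
  * 5 wrong codes within one minute  -> locked for 5 minutes
  * 20 wrong codes within one day    -> locked for 24 hours
  * no manual unlock; once the wait is over, a correct code lifts the suspension
  * removing and re-adding the user does not clear the suspension
"""
import hmac
from collections import deque
from dataclasses import dataclass, field

MINUTE = 60
DAY = 24 * 60 * MINUTE
TOO_MANY = "Too many attempts. Try again later."  # error text quoted on the page


@dataclass
class TwoFactorThrottle:
    per_minute_limit: int = 5
    per_day_limit: int = 20
    short_lockout: int = 5 * MINUTE
    long_lockout: int = DAY
    # Both maps are keyed by a stable user identifier rather than by the 2FA
    # enrollment, so resetting enrollment or re-adding the user leaves them intact.
    _failures: dict = field(default_factory=dict)         # user -> deque of timestamps
    _suspended_until: dict = field(default_factory=dict)  # user -> unix time

    def is_suspended(self, user: str, now: float) -> bool:
        return self._suspended_until.get(user, 0) > now

    def _record_failure(self, user: str, now: float) -> None:
        history = self._failures.setdefault(user, deque())
        history.append(now)
        while history and now - history[0] >= DAY:  # keep only the last day
            history.popleft()
        last_minute = sum(1 for t in history if now - t < MINUTE)
        until = self._suspended_until.get(user, 0)
        if len(history) >= self.per_day_limit:
            until = max(until, now + self.long_lockout)
        elif last_minute >= self.per_minute_limit:
            until = max(until, now + self.short_lockout)
        if until:
            self._suspended_until[user] = until

    def verify(self, user: str, submitted: str, expected: str, now: float) -> str:
        """Check one submitted code; returns "ok", "invalid" or TOO_MANY."""
        if self.is_suspended(user, now):
            return TOO_MANY  # nothing is checked while locked, right or wrong
        # Constant-time comparison; a real service compares against a stored hash.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(user, None)        # success clears the counters
            self._suspended_until.pop(user, None)
            return "ok"
        self._record_failure(user, now)
        return TOO_MANY if self.is_suspended(user, now) else "invalid"


if __name__ == "__main__":
    throttle = TwoFactorThrottle()
    t0 = 1_700_000_000  # constructed clock
    for i in range(5):
        print(throttle.verify("alice", "000000", "482913", t0 + i))
    print(throttle.verify("alice", "482913", "482913", t0 + 10))              # still locked
    print(throttle.verify("alice", "482913", "482913", t0 + 4 + 5 * MINUTE))  # ok
```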
Does Banno support 2FA for users with an international phone number?
In short, yes we do! That said, before we can enable 2FA support for international numbers, you’ll need to work with your Banno implementation coordinator or support rep to establish 2FA enrollment validation via email rather than via core validation. This change—which only affects the one-time validation step users complete during 2FA enrollment—is required due to known limitations that prevent Banno from validating international phone numbers against the core.
After a user receives an Authy code, how long is the code valid?
2FA tokens are generally valid for three to six minutes working around issues of time synchronization and drift. Tokens obtained using the app have a longer validity window for this reason, while SMS and voice requests are valid for exactly three minutes.
The user stops receiving SMS text after downloading Authy. How do they change back to receiving texts?
If a user has ever installed the Authy app and registered it with the same phone number as they enrolled in 2FA at Banno, Authy becomes the default code delivery platform. Other code delivery options can still be used by selecting Try another way at the code entry screen and selecting the delivery method they want to use.
What happens if the user uninstalls Authy?
Nothing will happen. Authy remembers phone numbers, although the user may need their 2FA enrollment with Banno reset so they can register again.
Can the user receive the code via email?
No, they can’t receive the code via email. According to NIST guidelines, which the FFIEC references regarding cybersecurity, email shouldn’t be used for out of band authentication.
What’s considered a high-risk action?
High-risk actions include the following:
  • Adding a bill payee
  • Adding an external transfer account
  • Changing the password
For high risk actions, why is a password required instead of receiving a 2FA code?
2FA is only used to log into the app. Re-entering the password provides an additional security mechanism. It helps ensure the authorized user utilizes the app and prevents an unauthorized user from hijacking an account.

Once logged into the app, requiring password entry prevents, for example, another individual who steals the user’s phone from creating a payee. If a 2FA code were used instead, the code would come to the very phone the unauthorized user holds, and they could create a new payee.

How can an institution investigate fraudulent activity with 2FA in play?
Examine the activity events in Banno People and find events initiating fraud—there’s quite a bit of data to review. Looking at the IP addresses and device information, compile information on the fraudulent user.

In most cases, the issue is one of the two following causes:

  • The authorized user gives away their 2FA code to someone else.
  • An unauthorized user gains direct access to the phone or device which generates the 2FA code and obtains it inappropriately.

We recommend the FI find the exact activity events initiating the fraud and discuss with the user, ensuring that neither of the above cases is true. If neither of the two causes occurred, we can help look into it further if needed. We’ve experienced occasions when end users told us they didn’t give away the code, but we later learned they did. However, it’s almost always one of the two causes above.

There are also fraud reporting features in Banno Reports:

  • Fraud report - potentially compromised end users
    • This report will indicate a user where a credential stuffing attacker may have correctly guessed the user’s password. 2FA is still in effect, but the account may warrant specific attention.
  • Fraud report - new end users with unverified 2FA enrollment
    • These are end users who enrolled in 2FA and the phone number they used is not on their core record. This report allows an FI to keep core validation turned off, but still manage the risk by reviewing these end users manually.
With core validation enabled on 2FA, which phone number do we validate against for CM end users?
This validates against the NTID CIF for the business. We generally don’t recommend this as it means all codes are sent to that one person, which is unmanageable. Upcoming Banno Business functionality will open up more options for core validation.

Additionally, we don’t recommend core validation specifically for CM user validation or for retail. We’ve seen more issues from it than the additional risk it protects against. Many institutions see an influx of issues around core data not being current or correct, so they opt to disable it.

A bank says there’s a long delay in getting the code via the automated voice call. End users think they didn’t receive it, but they didn’t wait long enough. Is that an issue you’re aware of?
When we experience this, it’s almost always a carrier issue and unfortunately outside our control.
A user logged in on their phone for the first time and successfully completed the 2FA process. They go home and log in on their laptop/desktop computer. Because they’re logging on a different device, will they go through the 2FA process again? OR will they log in using the new four digit PIN they already established on their phone?
The first time a user logs in on each device, they’re prompted for 2FA. A user will be unable to enter their four-digit PIN into online banking and must use their username and password plus 2FA. A remember feature prevents the 2FA code from being required on each online login from the same device.
A user already logged in and completed the 2FA process on their phone and laptop. Using their login credentials, the user then logs in from their partner’s phone. Because it’s a new device, will the user go through 2FA again? Will it remember the three devices, so the user won’t run into that again as long as they log in from one of those devices?
The first time a user logs in on each device, they’re prompted for 2FA. A remember feature prevents the 2FA code from being required on each online login from the same device.
A user uses their fingerprint or facial recognition to log in, and they forget their ID and password. When they first used the app, did they have to first complete the 2FA process in order to use biometrics? If so, where does Support reset and/or unlock the user’s NetTeller ID?
Before they set up biometrics, they authenticate for the first time with their credentials. You will reset/unlock end users the same as you do today with NT, because we’re using NT under the hood (NT BackOffice).
If a locked account doesn’t exist in Banno People, where is the account unlocked?
The account should be reset/unlocked via NetTeller BackOffice.

FAQ


Can an end user’s 2FA phone number be provided upon request?
For the user’s security, an end user’s phone number is hashed across all platforms and cannot be provided.
Can we override the institution’s 2FA setting for specific end users?
Yes! To change settings for a specific end user, navigate to the Security page for that end user.
Can we have an institution-specific 2FA short code number?
No, institution-specific short codes aren’t supported.
On some SMS 2FA codes, what’s the email address (ex. @online.tx.org) that displays?
Actually, this isn’t an email address but an app hash. While the majority of devices don’t use an app hash, certain ones use it as part of 2FA and generating one-time codes sent by SMS. This allows us to support a higher number of different devices used by end users. You can check out the WebOTP API for more information on generating a one-time password (OTP).
How can we support an end user who is unable to use a phone for verification?
End users who for any reason are unable to use a phone for two-factor authentication may use the Authy app to authenticate. Setup requires use of a phone, so assisting with initial setup should be supported at your institution’s local branches in case an end user is unable to gain assistance from a friend or family member. After initial setup, Authy allows authentication without use of a phone.
Can we enable 2FA over email?
If you want to enable 2FA over email, you will need to open a case with our support team and sign a waiver of liability.

  1. Device ID: A unique ID is issued to a device with every installation of Banno Mobile. That ID is presented with every login as a way for the system to associate the device with an authenticated user.

  2. Browser fingerprinting: A method used to collect information about a user, like their operating system, language, and various other active settings.

