2FA - Frequently Asked Questions

Learn more about the latest with 2FA and related topics by browsing our most-asked questions and answers.

FAQ: General


Can an end user’s 2FA phone number be provided upon request?
For the user’s security, their phone number is hashed across all platforms and cannot be provided.
Can a financial institution’s 2FA setting for specific end users be overridden?
Yes. To change settings for a specific end user, navigate to the Security page for that user.
Can financial institutions still opt for an institution-specific 2FA short code number?
Yes, financial institutions have the option to contract for an ENS dedicated short code, which will establish a unique short code to deliver all alerts, including 2FA login codes.
On some SMS 2FA codes, what’s the email address (ex. @online.tx.org) that displays?
Actually, this isn’t an email address, but an App hash. While the majority of devices don’t use an App hash, certain ones use it as part of 2FA and generate one-time codes sent by SMS. This makes it possible to support a higher number of different devices used by end users. Visit WebOTP API for more information on generating a one-time password (OTP).
Can 2FA be enabled over email?
Yes. In order to enable 2FA over email, financial institutions will need to open a case with Support and sign a waiver of liability.

FAQ: Passkeys


Can passkeys be disabled?
No, passkeys cannot be disabled because they’re part of the Banno Online login experience.
What if an end user on a desktop wants to “Use a Passkey on a Different Device” to authenticate, but has difficulty logging in to Banno Online?
If an end user has difficulty logging into Banno Online when authenticating via “Use a Passkey on a Different Device”, they need to check that both devices have Bluetooth enabled. The different device also needs to be placed within Bluetooth range of the desktop. If the issue occurs repeatedly, reach out to a support representative for more help.
What if an end user has trouble registering their device and an “Error registering passkey” message displays in the app?
If an end user has trouble registering their device and receives an error message, they need to log out of Banno Online, log back in, and attempt registering a passkey again. If the issue persists, reach out to a support representative for more help.
Can end users still log in using their password?
Yes, end users can still log in to Banno Online using their password and completing 2FA.
Does Banno store end user biometric information?
No, apps and websites - including the Banno Digital Platform - do not store end users’ biometric information.
Where can institutions and end users get support for using passkeys?
Content provided by the FIDO Alliance and the FAQ in this Passkeys doc offer valuable information for learning about passkeys. Here are a few more resources:

Banno supports registering and unregistering a passkey on a device, and we enable autofill functionality for passkey managers. For all other passkey support, please refer to documentation provided by the end user’s passkey provider, as support by Apple and Google is ongoing.

FAQ: Account Locking and Codes


How many invalid authentication attempts are permitted before the account is locked?
There are a variety of account-locking scenarios that can occur depending on how many invalid authentication attempts are made:
  • If the user verifies five wrong tokens in a minute, an error returns with the message, “Too many attempts. Try again later.” The user can retry after five minutes.
  • If the user verifies 20 wrong tokens in a day, an error returns with the message, “Too many attempts. Try again later.” The user can retry after 24 hours.
  • There’s no manual reset for unlocking an end user. After a suspended user reaches their retry time limit (five minutes or 24 hours), successfully verifying a token removes the suspension.
  • Removing a user from the application and adding them again doesn’t remove the suspension.
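The lockout policy above, worked through as an added example (illustrative code, not Banno’s implementation): a small token verifier with an injectable clock that applies the two thresholds, keeps the suspension record separate from the application’s user record so that removing and re-adding a user does not clear it, and only lifts the suspension on a successful verification after the retry time. The expected code, the user ids and the “Invalid code” / “Unknown user” messages are constructed for the example.

```javascript
// Added example: a token verifier applying the lockout policy in this FAQ.
// Illustrative only; not Banno's implementation. The expected code, user ids
// and the 'Invalid code' / 'Unknown user' messages are constructed.
const MINUTE = 60 * 1000;
const DAY = 24 * 60 * MINUTE;
const LOCK_MESSAGE = 'Too many attempts. Try again later.';

class TokenVerifier {
  // expectedCode: the one-time code the user must enter (constructed sample).
  // now: injectable clock in milliseconds, so the windows can be exercised in a test.
  constructor(expectedCode, now = () => Date.now()) {
    this.expectedCode = expectedCode;
    this.now = now;
    this.users = new Set();        // application membership (add/remove user)
    this.suspensions = new Map();  // userId -> { failures: [ms], until: ms }
  }

  addUser(userId) { this.users.add(userId); }

  // Removing a user drops only the application record. The suspension record is
  // deliberately kept, so removing and re-adding a user does not unlock them.
  removeUser(userId) { this.users.delete(userId); }

  recordFor(userId) {
    if (!this.suspensions.has(userId)) {
      this.suspensions.set(userId, { failures: [], until: 0 });
    }
    return this.suspensions.get(userId);
  }

  verify(userId, code) {
    if (!this.users.has(userId)) return { ok: false, message: 'Unknown user' };
    const rec = this.recordFor(userId);
    const t = this.now();

    // A suspended user is rejected until the retry time; there is no manual reset.
    if (t < rec.until) return { ok: false, message: LOCK_MESSAGE };

    if (code === this.expectedCode) {
      // A successful verification once the retry time has passed removes the suspension.
      rec.failures = [];
      rec.until = 0;
      return { ok: true, message: 'Verified' };
    }

    // Wrong token: keep a rolling 24-hour history of failure timestamps.
    rec.failures = rec.failures.filter((f) => t - f < DAY);
    rec.failures.push(t);
    const inLastMinute = rec.failures.filter((f) => t - f < MINUTE).length;

    if (rec.failures.length >= 20) {   // 20 wrong tokens in a day -> 24-hour suspension
      rec.until = t + DAY;
      return { ok: false, message: LOCK_MESSAGE };
    }
    if (inLastMinute >= 5) {           // 5 wrong tokens in a minute -> 5-minute suspension
      rec.until = t + 5 * MINUTE;
      return { ok: false, message: LOCK_MESSAGE };
    }
    return { ok: false, message: 'Invalid code' };
  }
}

// Walk through the FAQ's five-per-minute scenario with a fake clock.
function demo() {
  let clock = 0;
  const v = new TokenVerifier('482913', () => clock);
  v.addUser('alice');
  const results = [];
  for (let i = 0; i < 5; i++) results.push(v.verify('alice', '000000').message);
  clock = 2 * MINUTE;
  results.push(v.verify('alice', '482913').message);  // still locked, even with the right code
  v.removeUser('alice');
  v.addUser('alice');
  results.push(v.verify('alice', '482913').message);  // removing and re-adding did not unlock
  clock = 5 * MINUTE;
  results.push(v.verify('alice', '482913').message);  // retry time reached: verified, suspension cleared
  return results;
}

console.log(demo().join(' | '));
```

The fifth wrong token within the minute triggers the five-minute suspension, and the twentieth within a day triggers the 24-hour one; the daily rule is checked first so that a user who keeps cycling through five-minute lockouts ends up with the longer suspension.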
Does Banno support 2FA for users with an international phone number?
Yes, Banno supports 2FA for users with an international phone number. That said, before 2FA support for international numbers can be enabled, financial institutions and users will need to work with their Banno implementation coordinator or support representative to establish 2FA enrollment validation via email rather than via core validation. This change, which only affects the one-time validation step users complete during 2FA enrollment, is required because of known limitations that prevent Banno from validating international phone numbers against the core.
Can users receive the code via email?
No, users can’t receive the code via email. According to NIST guidelines, which the FFIEC references regarding cybersecurity, email shouldn’t be used for out-of-band authentication.
What’s considered a high-risk action?
Visit this page to learn more about what’s considered a high-risk action.
For high risk actions, why is a password required instead of receiving a 2FA code?
2FA is only used to log in to the app. Re-entering the password provides an additional security mechanism: it helps ensure that it is the authorized user who is using the app and prevents an unauthorized user from hijacking the account.

Once logged in to the app, for example, using password entry would protect the user in the event that another individual steals their phone and attempts to complete an action that’s deemed high risk.

How can a financial institution investigate fraudulent activity with 2FA in play?
To investigate fraudulent activity with 2FA in play, they need to examine the activity events in Banno People and find the events that initiated the fraud; there’s quite a bit of data to review. Looking at the IP addresses and device information, the financial institution can then compile information on the fraudulent user.

In most cases, the issue is caused by one of the following:

  • The authorized user gives away their 2FA code to someone else.
  • An unauthorized user gains direct access to the phone or device which generates the 2FA code and obtains it inappropriately.

It’s recommended that the financial institution find the exact activity events initiating the fraud and discuss with the user, ensuring that neither of the above cases is true. If neither of the two causes occurred, contact a support representative for help investigating the issue further. Typically, one of the two possibilities mentioned previously is the culprit.

There are also fraud reporting features in Banno Reports:

  • Fraud report - potentially compromised end users: This report indicates users whose password a credential-stuffing attacker may have correctly guessed. 2FA is still in effect, but the account may warrant specific attention.
  • Fraud report - new end users with unverified 2FA enrollment: These are end users who enrolled in 2FA and the phone number they used is not on their core record. This report allows a financial institution to keep core validation turned off, but still manage the risk by reviewing these end users manually.
With core validation enabled on 2FA, which phone number is validated against for Cash Management end users?
This validates against the NTID CIF for the business. This is generally not recommended, as it means all codes are sent to one person, which is unmanageable. Upcoming Banno Business functionality will open up more options for core validation.

Additionally, core validation is not recommended for either Cash Management or retail user validation. In practice it has caused more issues than the additional risk it mitigates justifies: many financial institutions see an influx of problems caused by core data that is not current or correct, so they opt to disable it.

A financial institution says there’s a long delay in getting the code via the automated voice call. End users think they didn’t receive it, but it simply hasn’t arrived yet. Is this a known issue?
When end users experience this, it’s almost always a carrier issue and unfortunately outside Jack Henry’s ability to control.
SCENARIO: A user logged in on their phone for the first time and successfully completed the 2FA process. Then, they went home and logged in on their personal computer. Because they’re logging in on a different device, will they go through the 2FA process again, or will they log in using the new four-digit PIN they already established on their phone?
The first time a user logs in on each of their devices, they will be prompted for 2FA. A user will be unable to enter their four-digit PIN into online banking and must use their username and password in addition to 2FA. A remember feature prevents the 2FA code from being required on each online login from the same device.
SCENARIO: A user that has already logged in and completed the 2FA process on their phone and laptop logs in from their partner’s phone using their login credentials. Because it’s a new device, will the user go through 2FA again? Will it remember all three devices?
The first time a user logs in on each device, they will be prompted for 2FA. A remember feature prevents the 2FA code from being required on each online login from the same device.
SCENARIO: A user uses their fingerprint or facial recognition to log in and subsequently forgets their ID and password. When they first used the app, did they have to first complete the 2FA process in order to use biometrics? If so, where does Support reset and/or unlock the user’s NetTeller ID?
Before end users set up biometrics, they authenticate for the first time with their credentials. Financial institutions will reset/unlock end users the same as they do today with NetTeller.
If a locked account doesn’t exist in Banno People, where is the account unlocked?
The account should be reset/unlocked via NetTeller BackOffice.

FAQ: FIDO


What is the fundamental difference between hardware-bound FIDO2 credentials (like YubiKeys) and software-bound FIDO2 credentials (like passkeys)?
Hardware-bound FIDO2 credentials, such as YubiKeys, store cryptographic keys directly on a physical device. This means physical possession of the device is required for authentication, offering a high level of security by making it difficult for attackers to steal credentials remotely. They’re typically connected via USB, Bluetooth Low Energy (BLE), or Near Field Communication (NFC).

In contrast, software-bound FIDO2 credentials, often referred to as passkeys, store the cryptographic keys within a software application or a platform’s built-in authenticator (e.g., operating system like Windows Hello or a password manager like 1Password). These passkeys can often be synced across multiple devices via cloud accounts (e.g., iCloud Keychain, Google Password Manager), offering greater convenience and user friendliness as they don’t require a separate physical token. While both utilize the FIDO2 standard, the key distinction lies in where the authentication credential is securely stored and managed.

How do FIDO2 and Universal 2nd Factor (U2F) relate to each other, and what is the current terminology trend?
FIDO2 is the overarching standard that includes various elements, one of which is “discoverable/resident credentials,” commonly known as passkeys. Universal 2nd Factor (U2F) is an older, open standard that laid the groundwork for strengthening and simplifying two-factor authentication (2FA) using specialized USB, NFC, or BLE devices. U2F is considered a predecessor to FIDO2.

Following the FIDO Alliance’s “trend,” “Passkey” is now the preferred umbrella term. This term encompasses both cross-platform (roaming) authenticators, which are essentially what were previously called FIDO2 security keys or device-bound FIDO2 credentials (like YubiKeys), and platform/app-bound authenticators (like Microsoft or Google Authenticator). Therefore, while U2F was a specific standard, FIDO2 is a broader framework, and “Passkey” is the modern, encompassing term for FIDO2-based authentication.

Can a FIDO2 authenticator function as both a 2FA method and a passwordless login option?
Yes, whether a FIDO2 authenticator (or passkey) functions as solely 2FA or enables full passwordless sign-in depends on the implementation by the service provider. Traditionally, 2FA implementations using security keys (like U2F) didn’t create “discoverable credentials” and often didn’t require a PIN, as they were used in conjunction with a password.

However, FIDO2 allows for more flexible configurations. A service can be set up to require a password plus the passkey (which effectively becomes a multi-factor authentication, potentially even 3FA if a PIN is also required by the passkey). Conversely, passkeys are increasingly used for full passwordless login, replacing the need for a traditional password entirely.

Why might a user be able to save a passkey from one service (e.g., passkeys.io demo) on their Windows 11 PC but not a “security key” from another (e.g., 1Password for 2FA login), even if both technically use FIDO2?
This discrepancy arises from how different service providers implement and categorize FIDO2 credentials, as well as the specific capabilities they enable. While both might leverage the underlying FIDO2 technology, the user experience and storage options can vary.

A “security key” offered by a service for 2FA might be designed as a non-discoverable credential, meaning it’s primarily intended for use with a physical hardware token (like a YubiKey) and might not be storable directly as a platform authenticator on the Windows 11 PC.

Conversely, a “passkey” from a demo site like passkeys.io is likely set up to generate a discoverable/resident credential that the Windows 11 operating system can natively store and manage as a platform authenticator. This allows for a more seamless, device-bound experience. The difference often lies in the specific FIDO2 features a service chooses to utilize and how they integrate with platform-level authenticators. For instance, 1Password initially called their 2FA option a “security key,” which likely referred to the use of a physical U2F key, while later supporting native Windows 11 Passkeys for passwordless unlock.

What are the key advantages of FIDO2 authentication, especially in combating phishing attacks?
FIDO2 authentication offers significant advantages, particularly in its resistance to phishing attacks. Unlike traditional one-time passwords (OTPs) generated by apps or sent via SMS, which can be intercepted by phishers, FIDO2 keeps credentials “locked to the device.” This means that even if an attacker manages to trick a user into clicking a malicious link, they cannot simply steal the authentication token because it is cryptographically bound to the user’s authenticating device or hardware key.

With FIDO2, authentication involves a challenge-response mechanism using public-key cryptography, where the user’s unique device key verifies their identity without transmitting sensitive information that could be phished. This “something you have” factor, especially when coupled with a “something you are” (biometrics like fingerprint or Face ID) or “something you know” (PIN), makes FIDO2 highly phishing-resistant and a far more secure alternative to easily foiled methods.

How does Symantec VIP integrate with FIDO/FIDO2 authenticators, and what types of FIDO authenticators does it support?
Symantec VIP is a cloud-based, strong authentication service that integrates FIDO/FIDO2 authenticators to enhance user security. It allows users to register and authenticate using FIDO-enabled authenticators through its MyVIP portal or via specific APIs.

Symantec VIP supports two main types of FIDO authenticators:

  • Roaming FIDO authenticators (referred to as “security keys” in VIP): These are typically physical USB-based devices, like YubiKeys, that authenticate over USB, Bluetooth Low Energy (BLE), or Near Field Communication (NFC). They represent the “possession” factor.
  • Platform FIDO authenticators (referred to as “biometrics” in VIP): These are embedded directly into the user’s device, such as Fingerprint (e.g., Windows Hello Fingerprint, macOS Touch ID) or Face ID (on iOS). These leverage the device’s built-in biometric capabilities for authentication.

By enabling FIDO in the VIP Manager, organizations can offer these phishing-resistant options to their users for both registration and sign-in processes, often replacing or augmenting traditional password-based logins.

What is Symantec VIP, and how does it contribute to identity security within an enterprise’s integrated cyber defense strategy?
Symantec VIP (Validation and ID Protection) is a secure, reliable, and scalable authentication service that provides risk-based and multi-factor authentication (MFA) for various types of users within an organization. It plays a crucial role in an integrated cyber defense strategy by strengthening identity security, which is one of the four key attack points Symantec aims to protect (Endpoint, Network, Information, and Identities).

Symantec VIP helps prevent fraudulent access, session hijacking, and data breaches by:

  • Risk-based authentication: Transparently collecting data and assessing risk using attributes like device identification, geolocation, user behavior, and threat intelligence from the Symantec Global Intelligence Network.
  • Multi-factor authentication: Supporting a broad range of authenticators, including Push notifications, SMS or Voice OTP, FIDO U2F, and Fingerprint Biometrics (which includes FIDO2 platform authenticators).
  • Compromised device denial: Denying access to compromised devices before they can attempt authentication.
  • Self-service provisioning: Offering an intuitive portal for users to manage credentials, reducing help desk costs.

By seamlessly connecting trusted users to trusted applications and preventing unauthorized access, Symantec VIP is fundamental to securing digital relationships and protecting business assets against evolving cyber threats.

How do hardware tokens like the Symantec VIP card and YubiKeys compare to software-based authenticator apps or passkeys for multi-factor authentication?
Hardware tokens like the Symantec VIP physical card or YubiKeys offer a distinct advantage in terms of physical security and phishing resistance.

The Symantec VIP card, for instance, generates a randomized, time-limited code, similar to an OTP app, but it’s a physical device that must be possessed.

YubiKeys go further by using public-key cryptography based on FIDO standards, requiring a physical touch or insertion for authentication, making them highly resistant to remote phishing. These hardware tokens generally don’t require client software or drivers and are often durable, making them convenient to carry.

In contrast, software-based authenticator apps (like the Symantec VIP Access app) generate OTPs on a device (phone, PC). While more convenient than SMS codes, they are still susceptible to sophisticated phishing attacks where the OTP can be intercepted if the user is tricked into entering it on a fake site.

Passkeys, while software-bound, aim to mitigate this by leveraging platform authenticators (e.g., biometrics on a phone or computer) and FIDO2’s phishing-resistant design, which ties the credential to the specific device or platform.

The main trade-off is often between the ultimate security of physical hardware (especially FIDO-based keys) and the convenience and cross-device syncing capabilities offered by software-bound passkeys or apps. While an app might work on multiple devices, a physical VIP card often limits a user to registering only that specific ID.