Security FAQ
The FAQ items below apply to security as a whole. Deeper questions on a specific topic are covered in that topic’s documentation.
- When an end user chooses how to receive a 2FA code, one of their options is to select “Text message/SMS (2FA program)”. Can an institution remove “2FA program” or customize the text?
- The text cannot be removed or edited, because cell phone carriers require listing a program name.
- How does default 2FA affect existing users or users with unsupported 2FA methods configured?
- If a user’s currently enrolled 2FA method doesn’t meet the newly required security level, they are prompted during login to enroll in a supported method. Existing, unsupported methods remain on the user’s profile but are no longer offered for 2FA challenges; the user can remove them in their security settings. This ensures that only compliant methods are used.
- Can financial institutions configure 2FA settings for different user types?
- Yes. Financial institutions can set default 2FA methods separately for business and retail users. These configurations are made in the Admin panel. Business users may have different requirements than retail users.
- Is there a way to override the default security levels for specific users?
- Yes. A financial institution can override the default security level for individual users if they require higher or lower security than the default for their user type. This is especially useful for users with specific needs.
- How does step-up authentication (High Risk Actions) work with default 2FA?
- For step-up authentication, FIs can configure different requirements at high-risk points. For example, a business user may be required to authenticate with either password + passkeys or 2FA + passkeys to complete a high-risk transaction. This ensures added security during critical operations.
- What are the default 2FA enrollment options for new and existing users?
- New Users: New users can be prompted to set up their 2FA during onboarding based on the security level required for their user type.
- Existing Users: Existing users will be prompted to update their 2FA methods if they don’t match the required security level. They will be presented with compliant options and guided through the enrollment process.
- How does the account recovery process work?
- For account recovery, users are required to authenticate with one of their enrolled 2FA methods. If a user attempts to recover their account and none of their enrolled methods are supported, they cannot complete recovery unless both of the following hold:
- Their security level supports SMS (Standard), AND
- The phone number they are enrolling for SMS already exists on their CIF (core) record OR their Google Identity (UIS) user.
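The recovery rule above, combined with the method-filtering rule under the default-2FA question and the institution toggles described under the People question, as an added Python example. This is illustrative code written for this page, not Banno’s implementation. The level-to-method table, the “High” level, the method names, and the digit-only phone normalization are assumptions; the page only states that SMS and Email are Standard and Symantec is Standard/Enhanced. Two practitioner details are built in: an unknown security level yields no allowed methods (fail closed), and phone numbers are normalized before comparison, since the number on the CIF and the number the user types are rarely formatted identically.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed, illustrative table of which 2FA methods each security level accepts.
# The page states only that SMS and Email are Standard and Symantec is Standard
# and Enhanced; the remaining entries and the "High" level are assumptions.
ALLOWED_METHODS = {
    "Standard": frozenset({"sms", "email", "symantec", "passkey"}),
    "Enhanced": frozenset({"symantec", "passkey"}),
    "High": frozenset({"passkey"}),
}

# Methods an institution may toggle off (the page names Symantec and Email).
INSTITUTION_TOGGLEABLE = frozenset({"symantec", "email"})


@dataclass
class User:
    security_level: str
    enrolled_methods: frozenset
    sms_phone: Optional[str] = None       # number offered for SMS enrollment during recovery
    cif_phones: frozenset = frozenset()   # numbers on the core (CIF) record
    uis_phones: frozenset = frozenset()   # numbers on the UIS identity record


def normalize_phone(number):
    """Reduce a number to digits so '(555) 010-1234' and '+1 555 010 1234' compare equal.
    Assumption: North American numbering; an 11-digit number starting with 1 drops the country code."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def methods_allowed(level, disabled=frozenset()):
    """Methods usable at `level` after institution toggles. Unknown level -> empty set (fail closed)."""
    toggled_off = disabled & INSTITUTION_TOGGLEABLE   # only toggleable methods can be disabled
    return ALLOWED_METHODS.get(level, frozenset()) - toggled_off


def compliant_methods(user, disabled=frozenset()):
    """Enrolled methods still offered for 2FA challenges. Anything else stays on the
    profile but is never challenged and should be surfaced for removal."""
    return user.enrolled_methods & methods_allowed(user.security_level, disabled)


def needs_reenrollment(user, disabled=frozenset()):
    """True when login must prompt the user to enroll a compliant method."""
    return not compliant_methods(user, disabled)


def recovery_allowed(user, disabled=frozenset()):
    """Account-recovery gate. With a compliant enrolled method recovery proceeds normally.
    Otherwise it is allowed only if the level supports SMS and the number being enrolled
    is already on the CIF or UIS record."""
    if compliant_methods(user, disabled):
        return True
    if "sms" not in methods_allowed(user.security_level, disabled) or user.sms_phone is None:
        return False
    on_record = {normalize_phone(n) for n in user.cif_phones | user.uis_phones}
    return normalize_phone(user.sms_phone) in on_record


if __name__ == "__main__":
    # Constructed sample users (not real data).
    standard_sym = User("Standard", frozenset({"symantec"}), "(555) 010-1234",
                        cif_phones=frozenset({"+1 555 010 1234"}))
    # Symantec toggled off by the institution, so the SMS fallback applies; number is on CIF.
    print(recovery_allowed(standard_sym, disabled={"symantec"}))
    enhanced_sms = User("Enhanced", frozenset({"sms"}), "5550109999")
    # Enhanced does not support SMS, so recovery is refused until a compliant method is enrolled.
    print(recovery_allowed(enhanced_sms))
```

The `disabled` argument models the People/Identity toggles: only Symantec and Email are honoured there, so a stray entry such as `"sms"` in the set has no effect, mirroring the page’s statement that other methods cannot be toggled individually.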
- How is default 2FA configured in People?
- Financial institution employees with applicable permissions can configure the 2FA defaults per user type (business/retail) and enforce specific security levels. Banno People allows institutions to select security levels for each user type and set user-level overrides. The financial institution is not able to toggle individual 2FA methods on or off, with the exception of Symantec (Standard and Enhanced) and Email (Standard).
- How is default 2FA configured in Identity App (UIS)?
- Financial institution employees with applicable permissions can configure the 2FA defaults by enforcing specific security levels. Identity allows institutions to select security levels for user-level overrides. The Symantec (Standard and Enhanced) and Email (Standard) toggles appear in Identity only for institutions that have both People and the Identity App turned on. It is recommended to use the Identity App only when it is required (i.e., for Banno + UIS users).
- Can a financial institution use Symantec tokens as an authentication method?
- Yes, Symantec tokens can be used as an authentication method. Please note, however, that they are a separate cost/contract and are not enabled by default. Symantec is only available for Standard and Enhanced security levels.
- Is core validation supported?
- Core validation to a phone number on the customer information file (CIF) is no longer supported and will be deactivated in the future. We encourage you to use a one-time passcode (OTP) verification at initial 2-step enrollment to an email address on the core if your institution desires. This is separate from the Email 2FA method used for login and recovery and can be found in its own navigation pane under People > Security Drop-Down > Initial 2-Step Enrollment.