Two-factor Authentication (2FA)

Two-factor authentication (2FA), or multi-factor authentication (MFA), is a security process requiring users to provide two different authentication factors to access an account or system. Typically, this involves something the user knows (for example, a password) and something the user possesses (for example, a mobile device or security token). 2FA enhances security by adding an extra layer of protection, making it more challenging for unauthorized individuals to gain access to sensitive information or accounts.

Users set up 2FA when enrolling in a Digital Banking account, where they specify a trusted email address, phone number, or authentication app (such as Google Authenticator) to receive verification codes. When they log in to their Digital Banking account, a verification code is sent to the trusted device, and they enter the code to log in. If they do not receive the code, they can select Resend code to have the code sent to their trusted device again.

If a user is locked out of Digital Banking because they do not have access to their authentication device and do not have recovery codes, your staff can generate emergency backup codes for them from Narmi Command. For instructions, go to Generate Backup Codes for Locked Users.

Account verification prompt with code entry and option to remember device.

Configuring 2FA Methods

The authentication methods shown to users are configurable by your financial institution. To do this, from Narmi Command, go to Institution Settings > Permitted Two-factor Authentication Methods. For example, you can remove the email authentication method and only allow users to add a phone number. You can also choose to exclude the backup code method for web users. Even if you exclude backup codes from this setting, your staff can still generate backup codes for users. Users can still log in using backup codes they created previously or that have been generated by staff.

Overview of permitted two-factor authentication methods including app, phone, and email options.

Add or Remove 2FA Devices

Users can add or remove trusted devices within our web and mobile apps. 

To access 2FA options on a web browser:

  1. Select the name in the upper right corner, then select Settings.

    User menu with options for profile management. The Settings option is highlighted.


  2. Select the Security tab.

    Security settings for transaction alerts and two-factor authentication options displayed on the screen.


  3. Enabled devices display in the two-factor authentication section. Select Remove next to an enabled device to remove it. You must have at least one enabled device at all times.

    Two-Factor Authentication settings showing enabled devices and status information.


  4. Select Add authentication device to add a new authentication method. Go to Authentication Methods for details on the available methods and next steps.
    Two-Factor Authentication settings showing enabled devices and options to add authentication.


To access 2FA options on the mobile app:

  1. From the More menu on the bottom navigation bar, select Two-factor authentication.

    Mobile menu options for security settings including two-factor authentication and Face ID.


  2. Enabled devices are shown. Select Add another number to add a new mobile or landline phone, or select Remove next to an enabled device to remove it. You must have at least one enabled device at all times. Go to Authentication Methods for details on available methods and next steps.
    Note: The mobile app only allows you to add phone numbers as trusted devices. Use the web app to add an authentication app, an email, or recovery codes.

    Two-factor authentication settings showing options to add or remove phone numbers.

Authentication Methods

There are four available authentication methods users can select.

  • An authentication app (e.g., Google Authenticator) – Use this method to enter verification codes generated by time-based one-time password (TOTP) apps, such as Google Authenticator, Duo Mobile, or Microsoft Authenticator. You can add this method only via the Digital Banking web app.
    After selecting An authentication app (e.g., Google Authenticator), use the authentication app to scan the QR code that appears. Enter the code generated by the authentication app, enter an optional nickname, and select Enable.

    Instructions to scan a QR code and enter the generated code from an app.


  • A mobile or landline phone – Use this method to receive verification codes by short message service (SMS) text on a mobile phone or by voice call on a landline phone. You can add this method via the web app or mobile app. Texts will include the financial institution's short name for additional security and a better user experience. To customize the wording of the text message, go to Customize the SMS Message. Only U.S. phone numbers are supported; international numbers are not. Users without access to a U.S. phone number can add an authentication app, like Google Authenticator.
    After selecting A mobile or landline phone on web, or Add another number on mobile, enter a U.S. number and select Verify/Send code. Enter the code received and select Activate/Confirm phone.

    Two-Factor Authentication settings showing enabled devices and options to add a phone.


  • The email address you have on file (web only) – Use this method to receive verification codes at the email address on file. This is the default method for authenticating users. You can add this method only via the web app.
    After selecting The email address you have on file, select Verify now.
    Email verification prompt requesting user to verify their email address for confirmation.


    Enter the code sent to the email address, and select Activate.
    Input field for code entry with an 'Activate' button below it.

  • Recovery codes (web only) – When you cannot access any of your enabled devices and can't receive a two-factor authentication code, you can select Recovery codes to get 10 backup codes. You can add this method only via the web app. You can use each code only once.
    On the page that appears, record the recovery codes and store them in a secure location. Select Activate these codes to start using them. See Using Recovery Codes for instructions.
    Instructions for saving recovery codes for two-factor authentication in digital banking.

Customize the SMS Message 

To mitigate the risk of fraud and provide a safer user experience, you can customize the wording of the SMS text message that users receive with their 2FA verification codes. To customize it, in Narmi Command go to Configurations > Institution Settings > Otp Twilio Verify Code Sms Message. The default wording strongly discourages users from sharing their 2FA codes with unauthorized individuals.

The default message is:
<FI Name>: DON'T share. Use code 123456 to verify your identity. We'll never call or text you to ask for this code. Call us if you didn't request it.

Using Recovery Codes

Once recovery codes are activated using the instructions above, a user who wants to log in to Narmi Banking but does not have their authentication device to receive the verification code can follow these instructions to use one of their recovery codes. Each code can be used only once.

  1. Log in as usual to Narmi Banking on the web or mobile apps.

  2. When prompted for a verification code, select Backup codes from the device list and enter one of the saved recovery codes.
    Account verification options with choices for backup codes or email delivery.
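
The recovery-code behavior described above (10 codes, usable only after activation, each accepted once), sketched as an added example that is not Narmi's implementation. The code alphabet and length, the salted PBKDF2 storage, and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10                                   # the page states users get 10 codes
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"      # assumed: look-alike characters left out


def generate_codes(count=CODE_COUNT, length=10):
    """Create codes from a CSPRNG; they are shown to the user once."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def _digest(code, salt):
    """Normalize user input, then derive the value that is actually stored."""
    normalized = code.strip().lower().replace("-", "")
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)


class RecoveryCodeStore:
    """Keeps only salted digests, so a database leak does not expose the codes."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.active = False                       # codes do nothing until activated
        self._unused = {_digest(c, self.salt) for c in codes}

    def activate(self):
        self.active = True

    def redeem(self, code):
        """Accept a code at most once; return True only on first valid use."""
        if not self.active:
            return False
        candidate = _digest(code, self.salt)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.remove(stored)       # single use: burn it immediately
                return True
        return False

    def remaining(self):
        return len(self._unused)
```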

If a user is locked out of Digital Banking because they do not have access to their authentication device and do not have recovery codes, your staff can generate emergency backup codes for them from Narmi Command. For instructions, go to Generate Backup Codes for Locked Users.

Configuring Elevated Authentication

With Elevated Authentication, users must verify their identity before performing key actions, such as sending ACH payments and wires or updating their email, phone number, or username. Additionally, your institution can configure how long users remain in Elevated Authentication Mode before they are required to authenticate again. Go to Elevated Authentication for more information.