Two-factor Authentication (2FA)

Two-factor authentication (2FA), also known as multi-factor authentication (MFA), is a security process that requires users to provide two different authentication factors to access an account or system. Typically, this involves something the user knows (for example, a password) and something the user possesses (for example, a mobile device or security token). 2FA enhances security by adding an extra layer of protection, making it more challenging for unauthorized individuals to gain access to sensitive information or accounts. 2FA is set up when enrolling in a Digital Banking account, where you specify a trusted email address, phone number, or authentication app (such as Google Authenticator) to receive verification codes. Each time you log in to your Digital Banking account, a verification code is sent to your trusted device. You enter the code to log in. If you do not receive the code, you can select Resend code to have the code sent to your trusted device again.

If a user is locked out of Digital Banking because they do not have access to their authentication device, and they do not have recovery codes, your staff can generate emergency backup codes for them from the Admin Platform. For instructions, go to Generate Backup Codes for Locked Users.

Configuring 2FA Options

The authentication methods shown to users are configurable by your financial institution. To do this, from the Admin Platform, go to Institution Settings > Permitted Two-factor Authentication Methods. For example, you can choose to remove the email authentication method and only allow users to add a phone number. You can also choose to exclude the backup codes method for web users. Even if backup codes are excluded from this setting, your staff will still be able to generate backup codes for users, and users will still be able to log in using backup codes they created previously or that have been generated by staff.

If the user has more than one enabled device, they

Add or Remove 2FA Devices

Users can add or remove trusted devices within our web and mobile apps.

To access 2FA options on a web browser:

  1. Select the name in the upper right corner, then select Settings.

  2. Select the Security tab.

  3. In the two-factor authentication section, enabled devices are shown. Select Remove next to an enabled device to remove it. You must have at least one enabled device at all times.

  4. Select Add authentication device to add a new authentication method. Go to Authentication Methods for details on the available methods and next steps.

To access 2FA options on the mobile app:

  1. From the More menu on the bottom navigation bar, select Two-factor authentication.

  2. Enabled devices are shown. Select Add another number to add a new mobile or landline phone, or select Remove next to an enabled device to remove it. You must have at least one enabled device at all times. Go to Authentication Methods for details on available methods and next steps.

    Note: In the mobile app, you can only add phone numbers as trusted devices. To add an authentication app, an email, or recovery codes, use the web app.

Authentication Methods

There are four available authentication methods users can select.

  • An authentication app (e.g. Google Authenticator) – Use this method to enter verification codes generated by time-based one-time password (TOTP) apps, such as Google Authenticator, Duo Mobile, or Microsoft Authenticator. You can add this method via the Digital Banking web app only.
    After selecting An authentication app (e.g. Google Authenticator), users can scan the QR code that appears, enter the code generated by the app, and select Enable.

  • A mobile or landline phone – Use this method to receive verification codes by Short Message Service (SMS) text on a mobile phone or by voice call on a landline phone. You can add this method via the web app or mobile app. Texts will include the financial institution's short name for additional security and a better user experience. To customize the wording of the text message, go to Customize the SMS Message. Only U.S. phone numbers are supported (international phone numbers are not supported). Those without access to a U.S. phone number can add an authentication app, like Google Authenticator.
    After selecting A mobile or landline phone on web, or Add another number on mobile, enter a U.S. number and select Verify/Send code. Enter the code received and select Activate/Confirm phone.

  • The email address you have on file (web only) – Use this method to receive verification codes at the email address on file. This is the default method for authenticating users. You can add this method via the web app only.
    After selecting The email address you have on file, select Verify now, enter the code sent to the email address, and select Activate.

  • Recovery codes (web only) – When users cannot access any of their enabled devices and can't receive a two-factor authentication code, they can select Recovery codes to get 10 backup codes. You can add this method via the web app only. Each code can only be used once.
    On the page that appears, record the recovery codes and store them in a secure location. Select Activate these codes to start using them. See Using Recovery Codes for instructions.
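As an added example (not part of the original article and not Narmi's code), this is the check behind the authentication-app method above: the enrollment QR code encodes an otpauth URI carrying a shared secret, the app derives a 6-digit code from that secret and the current 30-second time step (RFC 6238, HMAC-SHA1), and the server recomputes the code and accepts it within a one-step window to tolerate clock drift between phone and server. Function names, the issuer label and the account string are assumptions.

```python
# Added example, not Narmi's code: TOTP enrollment and verification as used
# by the "authentication app" method. The QR code shown during enrollment
# encodes an otpauth:// URI with a shared secret; the app and the server
# both derive 6-digit codes from that secret and the current 30 s time step
# (RFC 6238, HMAC-SHA1), so the server can verify what the user types in.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6

def new_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")

def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """URI that the enrollment QR code encodes (otpauth key URI format).
    Issuer/account values are illustrative assumptions."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")

def totp(secret_b32: str, unix_time: int) -> str:
    """Code the app displays for the 30 s step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step or one step either side
    (clock drift), comparing in constant time to avoid leaking the code."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```

A real deployment would also record the last accepted time step per user so the same code cannot be replayed inside the window.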

Customize the SMS Message

To mitigate the risk of fraud and provide a safer user experience, you can customize the wording in the SMS text message that users receive with their 2FA verification codes. To customize, go to the Admin Platform under Configurations > Institution Settings > Otp Twilio Verify Code Sms Message. The default language strongly discourages users from sharing their 2FA codes with unauthorized individuals. The default message is:
<FI Name>: DON'T share. Use code 123456 to verify your identity. We'll never call or text you to ask for this code. Call us if you didn't request it.

Using Recovery Codes

Once recovery codes have been activated as described above, a user who wants to log in to Digital Banking but does not have their authentication device to receive the verification code can use one of their recovery codes as follows. Each code can only be used once.

  1. Log in as normal to Digital Banking on the web or mobile apps.

  2. When prompted for a verification code, select Backup codes from the device list, and enter one of the saved recovery codes.
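As an added example covering the Recovery codes method described under Authentication Methods and the redemption steps above (not Narmi's code), here is a server-side implementation of ten single-use codes: only salted hashes are kept at rest, and a code is removed on first successful use so it is rejected if presented again. The class and method names are hypothetical.

```python
# Added example, not Narmi's code: issuing and redeeming recovery codes.
# Ten codes are generated and shown to the user once; the server stores
# only salted PBKDF2 hashes (so a database leak does not expose usable
# codes) and burns each code on first use, matching "each code can only
# be used once".
import hashlib
import hmac
import secrets

CODE_COUNT = 10
CODE_BYTES = 5          # 10 hex characters, displayed as xxxxx-xxxxx
PBKDF2_ROUNDS = 50_000  # slows offline guessing if the hash table leaks

class RecoveryCodes:
    """Per-user recovery-code store (hypothetical name)."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes: set[bytes] = set()

    def issue(self) -> list[str]:
        """Generate a fresh set of codes, replacing any earlier set. The
        plaintext list is returned once for the user to record and store."""
        codes = []
        for _ in range(CODE_COUNT):
            raw = secrets.token_hex(CODE_BYTES)
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self.hashes = {self._digest(c) for c in codes}
        return codes

    def _digest(self, code: str) -> bytes:
        # Normalise what the user typed: dashes, case and spacing vary.
        normalized = code.replace("-", "").strip().lower()
        return hashlib.pbkdf2_hmac("sha256", normalized.encode(),
                                   self.salt, PBKDF2_ROUNDS)

    def redeem(self, submitted: str) -> bool:
        """Accept a code exactly once: constant-time compare against each
        stored hash, then delete the match so a replay is refused."""
        candidate = self._digest(submitted)
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                self.hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        """Unused codes left; staff can re-issue when this reaches zero."""
        return len(self.hashes)
```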


If a user is locked out of Digital Banking because they do not have access to their authentication device, and they do not have recovery codes, your staff can generate emergency backup codes for them from the Admin Platform. For instructions, go to Generate Backup Codes for Locked Users.

