When users perform critical actions in Narmi Banking, like sending payments or updating their personal information, your institution can require an additional layer of security called Elevated Authentication. This feature requires users to complete two-factor authentication (2FA), such as entering a one-time code sent to their phone or email, before critical actions, which helps protect against fraud and keeps sensitive account information secure. Additionally, your institution can configure the duration for which users remain in Elevated Authentication Mode before they are required to authenticate again.
Elevated Authentication vs. App Login
Elevated Authentication is separate from the standard login process. Even if users have biometrics (like a fingerprint or face scan) enabled for their initial mobile app login, they will be required to re-authenticate with either biometrics or 2FA for actions that require elevated permissions.
Additionally, once a user authenticates for an elevated action, that permission does not reset upon logging out of the web or mobile app as long as the Elevated Authentication Mode Duration is not exceeded. For example, suppose your institution has set the Elevated Authentication Mode Duration to 10 minutes, and a user logs into Narmi Banking and authenticates for an external transfer. If they log out of Narmi Banking and log back in within 10 minutes, they do not have to re-authenticate to perform another external transfer.
Biometric Authentication
For users who have biometrics set up on their mobile device, Elevated Authentication uses biometric verification instead of 2FA. If a biometric attempt fails twice, the mobile app will automatically fall back to 2FA via SMS and email.
To enable elevated biometrics (or sudo mode biometrics) for your institution, please contact your Narmi Relationship Manager.
Enable or Disable Elevated Authentication
To turn Elevated Authentication on or off, go to Narmi Command under Configurations > Institution Settings > Features Requiring Elevated Authentication.
Select the box next to each action that should require Elevated Authentication:
ach_payments – When a user makes an ACH payment (Business only)
add_external_account – When a user links an external account in their Narmi Banking Settings under Linked Accounts (Consumer and Business)
add_member – When adding a new member for member-to-member transfers (Consumer and Business)
address_change – When changing addresses in Narmi Banking settings (Consumer and Business)
email_change – When changing the email address in Narmi Banking settings (Consumer and Business)
external_transfers – When a user makes an ACH transfer to an external account (Consumer and Business)
password_change – When changing the password in Narmi Banking settings (Consumer and Business)
phone_change – When changing the phone number in Narmi Banking settings (Consumer and Business)
sensitive_card_info – When viewing the card number, expiration date, and CVV in Narmi Banking card management (Consumer only)
sensitive_user_info – When a third-party service or integration attempts to retrieve the user’s date of birth and Social Security Number through the Narmi Admin API’s /me/sensitive endpoint. For more information, please visit our API documentation.
username_change – When changing the username in Narmi Banking settings (Consumer and Business)
wires – When making a wire transfer (Consumer and Business)
Configure Elevated Authentication Mode Duration
By default, after selecting a 2FA verification method, a user remains in Elevated Authentication Mode for 600 seconds, allowing them up to 10 minutes to receive and enter their authentication code before they are required to authenticate again.
Your institution can adjust this duration in Narmi Command under Configurations > Institution settings > Elevated Authentication Mode Duration. This setting should be at least 200 seconds (3.3 minutes) to ensure users have enough time to receive and enter their authentication code.
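The timing rules described under "Elevated Authentication vs. App Login" and in this section can be modeled in a few lines. This is an added example, not Narmi's code: the class and method names are hypothetical, and it assumes the duration window opens when the user selects a verification method and that elevation is tracked per user rather than per login session.

```python
from dataclasses import dataclass, field

DEFAULT_DURATION = 600  # seconds; default stated on this page
MIN_DURATION = 200      # seconds; minimum this page recommends


@dataclass
class ElevationModel:
    """Constructed model: elevation is tracked per user, not per login session."""
    protected: frozenset                 # actions ticked in the feature list
    duration: int = DEFAULT_DURATION
    window_start: dict = field(default_factory=dict)  # user -> time method chosen
    verified: set = field(default_factory=set)

    def __post_init__(self):
        if self.duration < MIN_DURATION:
            raise ValueError(f"duration must be at least {MIN_DURATION} seconds")

    def select_method(self, user, now):
        """User picks a 2FA method; assumed start of the duration window."""
        self.window_start[user] = now
        self.verified.discard(user)

    def verify(self, user, now):
        """Code entered. Rejected if the window closed while waiting for it."""
        if not self._window_open(user, now):
            return False
        self.verified.add(user)
        return True

    def logout(self, user):
        """Ends the login session only; the elevation record is left alone."""

    def needs_challenge(self, user, action, now):
        if action not in self.protected:
            return False
        return not (user in self.verified and self._window_open(user, now))

    def _window_open(self, user, now):
        start = self.window_start.get(user)
        return start is not None and now - start <= self.duration


def demo():
    m = ElevationModel(protected=frozenset({"external_transfers", "wires"}))
    m.select_method("alice", now=0)
    m.verify("alice", now=45)            # code arrived and was entered after 45 s
    m.logout("alice")                    # user logs out, then back in
    return [m.needs_challenge("alice", "wires", now=300),   # inside window
            m.needs_challenge("alice", "wires", now=601),   # window expired
            m.needs_challenge("alice", "address_change", now=601)]  # not ticked
```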