Two-Step Verification (2SV)
A majority of sites and applications typically require the use of a username, as an identifier, and a password, as a primary authentication method. Depending on assessed risks and the sensitivity of data accessed through the login form, a more secure login posture may be required. A MultiKey authentication system provides the opportunity to configure multiple challenges for each required level of security. Rules can be implemented to skip specific challenges in defined scenarios. An example scenario might include logging in from a trusted device.
Two-step verification (2SV) is sometimes referred to as multifactor (MFA) or two-factor authentication (2FA). A password is considered a single factor because it is something the user knows. For a two-factor authentication system, the factors used must come from at least two of the following categories:
- Something you KNOW: This is typically a personal identification number (PIN), a password, answers to secret or security questions, or a specific swipe pattern.
- Something you HAVE: This is typically something the user has in their possession. This could be a credit card verification code (CVC) from the back of the card, a device (computer or smartphone), or a hardware or software token.
- Something you ARE: This category is more complex and can include the biometric pattern of a fingerprint, iris scan, or voice sample.
By using a second factor (MFA), the compromise of a single credential, such as the password alone, is no longer enough to gain access to the account.
Since 2010, our digital bank system has supported hardware and software tokens from OneSpan (formerly called Vasco). This second factor, something you “have”, provides a time-based one-time password (TOTP) that changes every 30 seconds. The system can be configured to require the TOTP during login or, for higher risk transactions, after user authentication (e.g., ACH, wire transfers). Most banks have deployed OneSpan tokens to only their business banking customers. When a bank administrator assigns a token to a customer, the customer is then required to authenticate using the TOTP. By design, there is no online option for the customer to opt in or out. By contrast, after the 2SV permission is enabled for the customer, they have the option to set up and use the TOTP as a second factor.
Enabling 2SV within the Insite digital banking system requires a new user permission, allowing the user access to a 2SV option on both the online banking site and the mobile banking apps, under settings. The user has to install one of the supported TOTP mobile apps or desktop options. Any authenticator client that supports TOTP should work. We have tested the authenticators from Google, Microsoft, Authy and LastPass. There are also client options for installing the Google Authenticator (via Chrome extension) and Authy (Win, Mac and Linux) on a desktop computer. These software clients are typically available at no cost to the bank or the user.
On the Two-Step Verification settings page, there are setup instructions and links to the recommended mobile authenticator apps. The quick setup process requires the user to complete the following:
- Launch their authenticator app
- Add a new online account
- Scan the QR code or enter the key displayed on the screen
- Enter the TOTP into the form to complete setup
After the setup is complete, the user is required to enter a six-digit TOTP during their next login (when in the authentication process the TOTP is required depends on the bank’s preferences). This process is supported in both the online site and the mobile apps.
The key is displayed in Base32. This encoding uses a set of 32 characters: the twenty-six upper-case letters A-Z and the digits 2-7. The digits “0” (zero) and “1” (one) have been eliminated to improve readability for users, since a capital letter “O” and “I” can be misread as “0” (zero) and “1” (one). Digits “8” and “9” were left off, as only 32 characters are needed in a Base32 alphabet.
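The following is an added worked example of the enrolment and login flow described above (the Base32 key, the content of the QR code, the six-digit TOTP that changes every 30 seconds, and the server-side check). It is illustrative code, not Insite's implementation: the function names, the issuer/account labels and the replay and clock-drift policy are assumptions, and the fixed key used in the comments is the RFC 6238 test secret, not a real customer key.

```python
"""TOTP enrolment and verification per RFC 6238 (added example, not Insite's code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# The Base32 alphabet: A-Z and 2-7, no 0, 1, 8 or 9 (RFC 4648).
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
STEP_SECONDS = 30   # the code changes every 30 seconds
DIGITS = 6          # six-digit code entered at login


def generate_secret(num_bytes: int = 20) -> str:
    """New per-user shared secret (160 bits), shown to the user as Base32."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def is_valid_base32_key(key: str) -> bool:
    """Accept only the 32-character alphabet; tolerate spaces and lowercase typed by users."""
    cleaned = key.replace(" ", "").upper().rstrip("=")
    return bool(cleaned) and all(c in BASE32_ALPHABET for c in cleaned)


def decode_key(key: str) -> bytes:
    """Base32 text -> raw secret bytes, restoring the '=' padding apps usually drop."""
    cleaned = key.replace(" ", "").upper().rstrip("=")
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def provisioning_uri(key: str, account: str, issuer: str) -> str:
    """What the QR code on the settings page encodes (the otpauth 'Key Uri' format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={key}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: str, at_time=None) -> str:
    """What the authenticator app displays: HOTP with counter = unix_time // 30."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(decode_key(key), t // STEP_SECONDS)


class TotpVerifier:
    """Server side: accept a code within +/- drift_steps of the current step,
    and never accept the same time step twice (a replayed code is rejected)."""

    def __init__(self, key: str, drift_steps: int = 1):
        self._secret = decode_key(key)
        self._drift = drift_steps
        self._last_counter = -1  # highest counter already used by this user

    def verify(self, submitted: str, at_time=None) -> bool:
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        t = int(time.time()) if at_time is None else at_time
        counter = t // STEP_SECONDS
        for c in range(counter - self._drift, counter + self._drift + 1):
            if c > self._last_counter and hmac.compare_digest(hotp(self._secret, c), submitted):
                self._last_counter = c
                return True
        return False


if __name__ == "__main__":
    key = generate_secret()
    print("key shown to user:", key)
    print("QR code content:  ", provisioning_uri(key, "customer@example.test", "Example Bank"))
    code = totp(key)                 # what the app would show right now
    print("current code:", code, "accepted:", TotpVerifier(key).verify(code))
```

The verifier keeps the last accepted time step per user so that a code captured in transit cannot be submitted a second time within its 30-second window; the one-step drift tolerance covers the small clock skew between the bank's servers and the customer's phone without widening the window much.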
There is no per user or per token cost, but there is a monthly fee based on asset size. Contact your Insite Sales Representative for more details.
About Insite Data Services
IDS data application hosting services combines secure and cost-effective core banking applications, enterprise-class servers and storage, and proven virtualization technology. IDS hosts all of the bank’s servers in secure data centers that use state of the art security systems including identity verification and biometric scanning. Insite Data Services also offers IDS On-Time, a full-service solution dedicated to back-office bank processing. These operations experts allow partnered banks to focus on their most important asset, their customers. For more information visit www.insitedataservices.com.