Authentication Enhancements for Online/Mobile Banking

In February 2022 CU*Answers technical teams met to brainstorm on high-level goals and priorities for new authentication and validation strategies. Here are some ideas from that meeting.

Multi-factor Priorities for Online Banking

  • MFA for making changes to email addresses and personal information (see more on this below)
  • MFA for using P2P (either enrollment and/or for initiating a transfer, still TBD)
  • MFA for password resets
  • MFA for logging in to desktop/mobile banking

Our plan is to make all of these configurable at the credit union level only. Because of their ability to mitigate fraud for the credit union, at this time we don’t plan to allow for a member opt in/out mechanism for these features.  In other words, if you turn them on, every member must use them.

Multi-factor Authentication vs. PIB Multi-layer Security

When we use the term “MFA” we are generally referring to the mechanism we introduced for first-time user activation in the 19.10 release, where a one-time activation code is sent via text or email to a number/address already on file. In most cases this is the method we will use to incorporate MFA into other functions.

Remember also that our PIB tool already allows members to activate/deactivate or add a confirmation code for high-risk transactions, such as making transfers and accessing bill pay.  We do plan to update the PIB wizard and add more functions down the road, as well.

In general, the idea would be to keep using PIB as the mechanism for individual online banking features, and use the MFA technique of sending a code via text/mail for logins and certain high-risk features that credit unions want to be able to mandate for all members.

Thinking About MFA for Logging In

Two very common questions we get from CUs are, “When are we going to get 2-factor for logging in?” and “My members are saying we broke their Robinhood (or Plaid, or Yodlee, or Mint…) account!” As we develop our MFA engine for use at login, here are some things to keep in mind if you’re thinking about requiring members to use this every time they log in:

  • Adding MFA will interfere with a member’s relationship with aggregators and other 3rd party FI apps.
  • Instead of fielding member calls about password resets, you’ll be fielding calls about “how come I didn’t get my code?”
  • Since the phone number or email address used for MFA verification must already be on file, make sure to consider your personal info update strategy (how do members initiate changes to their text-capable phone number or email address?) as a component of your login strategy.
  • Your credit union’s expense for one-way text messages could increase substantially, given that the majority of your day-to-day logins would require a text message to send the code.

Projects Already In the Works

Multi-factor Authentication for Email/Personal Info Changes

With the new look for It’s Me 247, the only place members can change their email address is via the personal info update feature. For CUs who use the “reviewed” option to review incoming personal info change requests, this means members who need to change their email address might not be able to finish enrolling in services such as bill pay or eStatements until you review and confirm the change in CU*BASE.

The next project we’ll be slating is to incorporate the MFA functionality into the personal info update process. This will be an optional feature credit unions can activate, and if a member doesn’t already have an email address or text-capable phone number on file would still need to contact the CU directly.

Status as of February 2022: With the 21.12 release we implemented underlying architecture so we can plug in the two-factor feature (text/email confirmation code) where needed. Design specs are now being written to apply this authentication to the personal information update feature in It’s Me 247

MACO for MOP: Digital Identity Proofing

MACO for MOP illustrationAs introduced during the 2021 CEO Strategies briefing, we are currently working on a project to add Daon’s digital identity proofing  functionality to our membership opening process (MOP). In a nutshell, Daon’s IdentityX Onboarding feature uses facial recognition to compare a photo ID image to a selfie taken by the new member.

As a bonus, our integration will also record the photo ID image in CU*Spy, as well as secure a 1-year MACO license for that member to use for mobile app authentication.

Status as of January 2022: Project #55913 is currently in development.


Your chefs for this recipe: Dawn Moore and Brian Maurer

February 24, 2022

2 Responses to “Authentication Enhancements for Online/Mobile Banking”

    • Dawn Moore

      If you are referring to MFA for logging in, we’re currently still in the research phase, looking at adding Multi-Factor Authentication (MFA) as an offering for our suite of online/mobile banking products. Our development and security teams are researching with consultants, vendors and insurers to outline the requirements for implementation. That said, there is no hard date yet for release to clients. We expect the research part of the project to conclude sometime during our fiscal year 2022. Our primary consideration in researching this project is to implement a solution that is compliant with emerging standards that will allow credit unions to pass their examinations and audits. Updates will be posted on this Kitchen page as they become available. Geoff will also be talking about this at this June’s Leadership Conference, so I hope you’ll join us then!


Leave a Comment

* denotes required fields
  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Check Out the New Recipes We’re Cooking in the Kitchen!

Check Out the New Recipes We’re Cooking in the Kitchen!

Have you visited the Kitchen lately?  If not, take a look at our newest projects: Card Activity Optics Credit Card Statement Enhancements Introducing Biz Watch for ACH: ACH Controls for Business Memberships Max Earnings Sweeps for Business Members Positive Pay Cashier Services (for Inhouse Checks) RDC Enrollment via CU*BASE Summary Statements for Business Credit Cards… Read more »

Sep 29, 2020

Check Out the New Recipes We’re Cooking in the Kitchen!

Check Out the New Recipes We’re Cooking in the Kitchen!

Have you visited the Kitchen lately?  If not, take a look at our newest projects: Accounts Payable Enhancements Creating an Engine for Predictive Retailing (aka “Nostradamus”) Deposit Hold Enhancements Escrow Analysis Enhancements Expanding Screen Sizes for CU*BASE GOLD Mobile First Transaction Limits for Express Tellers Each of these recipes includes a place to provide comments,… Read more »

Jul 14, 2020