Magic Online Banking

MFA

Multifactor Authentication Procedures

After logging in from your mobile device, you will be prompted to begin the Multifactor Authentication procedure (MFA).

MFA Samples

  • If you select “Text me”, you will receive the text within seconds, depending on the carrier. The text includes a passcode with instructions to complete the MFA process.
  • If you select “Call me”, a verification call will be made to the listed phone number associated with your mobile device. You will be instructed to press 1 to confirm the login.
  • Once the MFA procedure has been completed, you will be presented with a success screen.
  • You are now ready to bank with confidence, assured that your account has been successfully authenticated.

FAQs on Mobile Authentication

How is it really multifactor authentication if the passcode is sent to the same device?

  • Multi-factor authentication gets its name because it uses multiple methods of authentication to further reduce the risk of fraudulent attacks, both remote hacking attempts and local phone theft. The second factor of authentication that we are adding to mobile further reduces the risk of remote fraudulent attacks, because the phone is "something the user has": the login has to be verified with the specific phone that is tied to the user's account, with that phone in the user's hand at the time of login. If a phone is stolen and the thief attempts to log in, then the attack is no longer remote. At this point the thief still must initially get past the username and password. The "something the user knows" factor (username and password through the app) is one channel of communication and authentication, while the "something the user has" factor (passcode through SMS or Voice) is another channel of communication and authentication. Thus, multiple channels mitigate the risk of malicious remote and local attacks.
  • Additionally, remember that a user can use a phone number other than their mobile phone number if they choose. Hence, they could enter their landline or office number to authenticate their mobile device to further reduce risk.
  • Finally, if a user does have their phone stolen, the best defense will always be to call the carrier and have the phone deactivated and its data remotely wiped, just as users do today, because a phone holds more data that a user will want to protect than one particular banking app (contacts and email, for example). The user can also utilize other iPhone and Google native app capabilities for remotely locking or wiping the phone.

Will I be able to change the phone number(s) that I have registered to use for authentication?

  • You will be able to change your registered phone number(s) within Online Banking, but there are currently no settings that allow this to be done within Mobile/Tablet Apps. However, during first-time use of multi-factor authentication, you will be able to change the phone number(s) you use for authentication.

If I don't have any registered phone numbers, will I be able to log in?

  • Yes, you can use the same approach as the authentication setup in Online Banking. During the MFA process, you will be prompted to enter a phone number if you are a Mobile or Tablet Apps-only user and haven’t registered a phone number for use with Online Banking. You will use this phone number for future login attempts on other devices.

What happens if a user’s mobile device is stolen or lost?

  • Multi-factor authentication is built to protect against remote attacks, which are the majority of fraudulent attacks. If a cellphone/tablet is lost or stolen, you should do exactly what you would do today: call the carrier to report it and cancel service to the phone/tablet, or do a remote lock or data wipe via another device. There is more information (contacts, email, other apps, etc.) on an end user's phone/tablet that should be protected than one particular banking app. Keep in mind that even if a phone/tablet is stolen or lost, the thief still needs to get past the username and password, hence multi-factor authentication.

Do you mask the phone numbers in this feature?

  • Yes, the phone numbers are masked throughout all points of the authentication process.

Will I have to authenticate each device that I use?

  • Yes, you will have to individually authenticate each device that uses the banking app. This allows us to provide additional security at each access point that is used to engage with TheBANK.

Will I have to authenticate my devices every time I log in or only the first time?

  • You will only have to authenticate your devices the first time. Then, we will create a secure cookie that will be used to ensure that each future login attempt is made by the same user on the same device. If you erase the cookie from a device from within the app, you will have to authenticate the device again.

Will I be able to be challenged by MFA at every login if I want to?

  • Yes. Although this is not the default behavior of the app, you can go into the “More” section and turn the ‘Remember device’ toggle OFF to be challenged with MFA when you log in again.