It’s no secret we live in a mobile society where convenience-driven consumers expect instant access to everything, even their finances. And while national banks have standardized on mobile customer experience, community financial institutions largely have yet to catch up.
That’s where Banno comes in. Banno enables online and mobile banking for hundreds of credit unions and banks to deploy the kind of digital banking services that we’ve all come to expect. Bringing a personalized experience to mobile banking in an age of data breaches and account takeovers requires modern account security practices, such as two-factor authorization (2FA).
Since being acquired in 2014, Banno has steadily worked with parent company Jack Henry’s legal, risk management, and auditing departments—as well as its customers—to implement 2FA as a critical account security method.
“Just having a username and password wasn't going to cut it,” says Banno Senior Manager of Product and Design Josh Sadler. “Two-factor authentication is a requirement of all of our customers when you sign-in to our app for the first time or enroll in online banking.”
Banno took the initiative to implement the Twilio Authy API and integrated SMS, Voice, and application-based 2FA for all of their customers, replacing less-secure security questions. With Authy, Banno provides community banks a more streamlined customer experience that defies “business as usual.”
As Sadler explains: “It allowed us to decrease the number of total things that we're asking for in the enrollment process, because we can identify a user on our side and then trust they are who they say they are.” Sadler found financial institutions were actually surprised to discover Banno’s enrollment was completely secure based on how little information users needed to input.
Banno can enable its customers to authenticate users in multiple ways for tighter account security. For example, when a large sum is transferred out of an account, a user is prompted with two-factor challenge/response questions, and from there can be asked for their password again—but by then Banno also has the configuration to ask them for a 2FA code.
To ensure customers are protected from data breaches, account takeovers, and similar risks, Banno has hardened their API and continuously evolves their security, implementing DDoS protection, TLS, HTTPS, and certification standards. Banno also conforms to general RESTful API standards.
Says Sadler: “If they haven't enrolled in Authy, we have a couple of different levers through which we can validate the information that we then pass over to Authy. We can validate on the core system to make sure this is actually the phone number on file at that financial institution.”
Authy allows Banno to remain invisible, so customers can maintain their own branding for their user experience and enroll customers on financial institutions’ behalf to provide a better end-user experience. “We have hundreds of applications–one for each bank–and we can white label the Authy app on the phone with the correct bank's icon, images, and color scheme,” Sadler explains.
Banno also helps its customers maintain quality assurance with a rate limit for phone verification SMS messages and voice calls sent from the Authy and Verify APIs. “Twilio’s added security measure of rate limiting is super important to limit our risk exposure,” explains Todd Munnik, Banno engineering manager.
Using Authy’s management console, Banno’s operations department can monitor the backend security activity of its financial institutions, as well as troubleshoot when problems arise for its customers’ users. “We've had very few tickets that we've had to post to Twilio, and the uptime is great,” says Munnik.
The flexibility of Authy also allows Banno to customize its security capabilities. “We're making some architectural changes on our side for our iOS app to store less on the device and sign users out every once in awhile, instead of keeping a session running, just for added protection,” Sadler says.
Banno is continuously assessing how it can improve account security for its customers, and sees Authy as a central part of achieving their goal. “SMS through Authy is going to continue to be the number one user preference on how to set up 2FA just because it's so easy,” says Sadler.
As for the future of authentication, Sadler believes Banno will continue to make a push to encourage more authenticator app usage, such as letting a CFO manage their finances, as well as adding features like hard tokens.
If we were building this ourselves, it would have been a lot harder to do, so I think at Banno we are all really thankful that Authy exists.