Out-of-Band Authentication uses the phone channel to obtain a one-time passcode to confirm authentication. The solution offers both SMS Text and Voice Interaction. In our experience, the majority of customers choose Voice Interaction. To start the process, the user is presented with a list of the phone numbers on record in business online banking. Up to six telephone numbers are supported, and they can include domestic, international, direct dial extensions, and non-direct dial extensions.
The customer can choose any number listed to receive the voice interaction. Voice interaction works well on Mobile Devices as well as Land Lines. There are no restrictions in the Voice Phone network that would prevent a call from going to any device.
When the customer selects SMS Text, they enter the phone number where they want the SMS message to go, which gives us permission to send the SMS Text (Mobile Carrier Requirement). We will verify the number matches one of the numbers already listed for the customer. If it does not, we will send the SMS Text to the number the customer entered.
Q: If the customers are traveling for an extended period of time as well. Say for example someone is traveling in Europe while on vacation and they have their laptop with them. If they normally log in from that device but now log in with that device while in Europe, will the step-up be needed?
A: It is likely the user will go through step-up. However, there are no restrictions in making Out-of-Band Authentication calls internationally. If the user has already defined their cell phone in Business Online Banking and it is enabled for international service, it will work fine.
Q: If the customer does not pass OOBA, or the second authentication step, what happens? Is the account locked/frozen? What steps does the customer have to follow to get it unlocked? Or does it auto unlock after a set time?
A: The User ID is not locked or frozen if the customer does not complete Out-of-Band Authentication. The customer is free to try again.
Q: How does OOBA handle customers with foreign phone numbers?
A: In Business Online Banking, non-North American numbers can be entered and are supported for OOBA.
Q: It is our understanding that out of band is not optional for basic service clients who do not use tokens - is that correct?
A: Out-of-Band Authentication is part of the Advanced Login Authentication Solution. This will be implemented at Login for all clients not on Tokens. Out-of-Band at Approvals is optional and can be implemented with or without Tokens.
Q: Do we have the option of sending customer the One-Time-Passcode in Email?
A: Email is not used in OOBA. Because email is received on the PC and accessed through the browser on the PC, it is not a separate channel and can be compromised by malware.
Q: What if the customer selects SMS Text and does not receive the Text Message with the One-Time-Passcode?
A: The SMS message carrier network is not as well developed as the voice phone network, so there may be gaps in service caused by smaller carriers that do not participate in the full network. There can also be delays in message delivery across any area of the network. If the customer selects SMS text and the message is not received, the customer is directed to try the Voice Phone Call or use another number.
Soft Token Authentication and Soft Token Approval services are configurable at a company and company user level, allowing financial institutions to offer both hardware and software tokens. The Soft Token Authentication and Soft Token Approval services are essentially modifiers of the existing Token Authentication and Token Approval (hardware token) services. In other words, to enable a software token service for a company, the comparable hardware token service must also be enabled.
Token Authentication and Token Approval are company-level services that, when enabled, require each user in that company to use a hardware token to sign on and/or approve transactions. Soft Token Authentication and Soft Token Approval are enabled at the user level, which means that when either or both services are enabled for a company, that company's administrator can choose which users must use a software token to sign on and/or approve transactions. This allows a company to offer both hardware and software tokens to its users.
While a company can have hardware and software token services enabled, a user cannot use both types of tokens concurrently. A user is required to use a software token when the software token user entitlement is enabled.
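The entitlement rules above can be checked mechanically when reviewing a company's configuration. The following is an added example, not code from the bank or its vendor: the data model (a set of enabled services and a per-user entitlement map) and the function names are assumptions, and flagging users who would need a hardware token for one action and a software token for the other is this example's reading of the rule that a user cannot use both types concurrently.

```python
# Added example: audit of token entitlements. The data model is an assumption;
# only the service names and the rules come from the page.
HARD = {"sign_on": "Token Authentication", "approval": "Token Approval"}
SOFT = {"sign_on": "Soft Token Authentication", "approval": "Soft Token Approval"}


def config_errors(company_services, user_entitlements):
    """List violations of the rule that a soft token service needs its hardware counterpart."""
    errors = []
    for action, soft in SOFT.items():
        if soft in company_services and HARD[action] not in company_services:
            errors.append(f"{soft} is enabled without {HARD[action]}")
    for user, entitled in sorted(user_entitlements.items()):
        for svc in sorted(entitled - company_services):
            errors.append(f"{user} is entitled to {svc}, which the company has not enabled")
    return errors


def required_token(company_services, user_entitlements, user, action):
    """Return 'software', 'hardware' or None (no token service) for one user and action."""
    if HARD[action] not in company_services:
        return None
    entitled = user_entitlements.get(user, set())
    if SOFT[action] in company_services and SOFT[action] in entitled:
        return "software"   # user-level entitlement replaces the hardware default
    return "hardware"       # company-level service applies to every other user


def mixed_token_users(company_services, user_entitlements):
    """Users who would need a hardware token for one action and a software token
    for the other (assumed reading of 'cannot use both types concurrently')."""
    mixed = []
    for user in sorted(user_entitlements):
        kinds = {required_token(company_services, user_entitlements, user, a) for a in HARD}
        if {"software", "hardware"} <= kinds:
            mixed.append(user)
    return mixed


# Constructed sample data, not taken from any real deployment.
SERVICES = {"Token Authentication", "Token Approval", "Soft Token Authentication"}
USERS = {"alice": {"Soft Token Authentication"}, "bob": set(),
         "carol": {"Soft Token Approval"}}

if __name__ == "__main__":
    print(config_errors(SERVICES, USERS))
    for name in sorted(USERS):
        print(name, {a: required_token(SERVICES, USERS, name, a) for a in HARD})
    print("mixed:", mixed_token_users(SERVICES, USERS))
```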
The RSA SecurID Software Token app is available to company users for download in the Apple App Store and Google Play Store. Once downloaded, the RSA SecurID Software Token app requires activation by company users.
The RSA SecurID Software Token app is supported on the following mobile platforms (operating systems):
• Android OS version 4.1 and newer
• iOS (Apple) version 8 and newer
An internet connection is required to download the RSA SecurID Software Token app and a camera is required for the activation process. Once downloaded, ensure that the app is enabled to access the camera under the Settings options for your device.
When a user accesses Business Online Banking after having a software token service enabled, they are required to authenticate their identity using their current assigned authentication method (password/hardware token). This step helps to prevent fraud and is only required for activation. Once a user authenticates their identity with their current assigned authentication method, they can begin the software token activation process, which is as follows:
Users are required to complete the activation process for each device they want to use for software tokens. Activation is also required when a user replaces their device or resets/restores it to the factory settings.
Once the company user's credentials are validated on the Sign On page, the Set Up Software Token Sign On page appears where the user must select their device’s mobile operating system.