Case Study
Multi-Factor Authentication
How Bank SecurePoint manages identity verification, multi-factor authentication, and token lifecycle for enterprise treasury users.
Overview
How Bank SecurePoint manages identity verification, multi-factor authentication, and token lifecycle for enterprise treasury users.
150
User base
Enterprise users across admin, sub-admin, and user tiers
3
Auth methods
Mobile token, hard token, and biometric login paths
7
Token actions
Register, switch, temp passcode, reset, remove, order, reassign
Payment authorization
Every outbound payment in Bank requires a second-factor challenge before it is released. Users with an Initiator role create and submit payments; users with an Activator role provide the second signature using their enrolled token. Dual-control is enforced at the platform level.
Step 1
Log in
Username + password
Step 2
MFA challenge
Token OTP or biometric
Step 3
Initiate payment
Initiator role required
Step 4
Dual control
Separate Activator signs off
Step 5
Release
Bank processes payment
Dual-control enforcement
No single user can both create and approve a payment, reducing fraud and internal error risk.
Role-based MFA
Initiators and Activators both hold independent token credentials, compromise of one does not unlock the full payment cycle.
Temporary passcode as fallback
Admins can issue a time-limited OTP (up to 2 uses, max 8 hours) when a user's mobile token is malfunctioning, keeping payments moving.
Biometric authentication
simplifies secure access through mobile biometrics, device migration, and intelligent fallback mechanisms while maintaining strong security and MFA compliance.

Flow 1:
Mobile Token
Three-party interaction: user enters credentials and OTP, platform validates and issues MFA challenge, token service handles TOTP generation and verification independently.
Fastest path:
No provisioning step needed. User can authenticate immediately with mobile app.


Flow 2:
Biometric Authentication
Introduces decision diamond with fallback path. When recognition fails, user drops to OTP rather than being locked out. Secure enclave ensures only cryptographic assertion leaves device, never raw biometric.
Secure & Graceful:
Biometric data never leaves device. Fallback to OTP ensures users aren't locked out.
Flow 3:
Hard Token
Split into two phases: provisioning (admin-initiated order flow with pre-filled address form, fulfillment routing, and physical device shipping up to 48 hours) and authentication (mirrors mobile token but user reads 6-digit OTP off physical device display).
Enterprise Grade:
Four parties involved with distinct provisioning phase. Admin action prerequisite for user login.

Key Differences
Comparison across the three authentication swimlanes
Mobile Token
-
Parties: 3 (User, Platform, Token Service)
-
Speed: Fastest path
-
Setup: No provisioning needed
-
Method: TOTP via mobile app
Biometric
-
Parties: 3 (Device, Platform, Secure Enclave)
-
Security: Biometric never leaves device
-
Fallback: OTP on recognition failure
-
Method: Face or fingerprint
Hard Token
-
Parties: 4 (Admin, User, Platform, Fulfillment)
-
Setup: Provisioning phase required
-
Delivery: Up to 48 hours shipping
-
Method: 6-digit OTP on device
Key Differences
Comparison across the three authentication swimlanes

Mobile Token
-
Parties: 3 (User, Platform, Token Service)
-
Speed: Fastest path
-
Setup: No provisioning needed
-
Method: TOTP via mobile app

Biometric
-
Parties: 3 (Device, Platform, Secure Enclave)
-
Security: Biometric never leaves device
-
Fallback: OTP on recognition failure
-
Method: Face or fingerprint

Hard Token
-
Parties: 4 (Admin, User, Platform, Fulfillment)
-
Setup: Provisioning phase required
-
Delivery: Up to 48 hours shipping
-
Method: 6-digit OTP on device