top of page

Case Study

Multi-Factor Authentication 

How Bank SecurePoint manages identity verification, multi-factor authentication, and token lifecycle for enterprise treasury users.

Overview

How Bank SecurePoint manages identity verification, multi-factor authentication, and token lifecycle for enterprise treasury users.

150

User base
Enterprise users across admin, sub-admin, and user tiers

3

Auth methods

Mobile token, hard token, and biometric login paths

7

Token actions

Register, switch, temp passcode, reset, remove, order, reassign

Payment authorization

Every outbound payment in Bank requires a second-factor challenge before it is released. Users with an Initiator role create and submit payments; users with an Activator role provide the second signature using their enrolled token. Dual-control is enforced at the platform level.

Step 1
Log in
Username + password
Step 2
MFA challenge
Token OTP or biometric
Step 3
Initiate payment
Initiator role required
Step 4
Dual control
Separate Activator signs off
Step 5
Release
Bank processes payment

Dual-control enforcement

No single user can both create and approve a payment, reducing fraud and internal error risk.

Role-based MFA

Initiators and Activators both hold independent token credentials,  compromise of one does not unlock the full payment cycle.

Temporary passcode as fallback

Admins can issue a time-limited OTP (up to 2 uses, max 8 hours) when a user's mobile token is malfunctioning, keeping payments moving.

Biometric authentication

simplifies secure access through mobile biometrics, device migration, and intelligent fallback mechanisms while maintaining strong security and MFA compliance.

Biometric auth.png
Flow 1:

Mobile Token

Three-party interaction: user enters credentials and OTP, platform validates and issues MFA challenge, token service handles TOTP generation and verification independently.

Fastest path:

No provisioning step needed. User can authenticate immediately with mobile app.

first.png
second_edited.jpg
Flow 2:

Biometric Authentication

Introduces decision diamond with fallback path. When recognition fails, user drops to OTP rather than being locked out. Secure enclave ensures only cryptographic assertion leaves device, never raw biometric.

Secure & Graceful:

Biometric data never leaves device. Fallback to OTP ensures users aren't locked out.

Flow 3:

Hard Token

Split into two phases: provisioning (admin-initiated order flow with pre-filled address form, fulfillment routing, and physical device shipping up to 48 hours) and authentication (mirrors mobile token but user reads 6-digit OTP off physical device display).

Enterprise Grade:

Four parties involved with distinct provisioning phase. Admin action prerequisite for user login.

third_edited.jpg

Key Differences

Comparison across the three authentication swimlanes

Mobile Token

  • Parties: 3 (User, Platform, Token Service)

  • Speed: Fastest path

  • Setup: No provisioning needed

  • Method: TOTP via mobile app

Biometric

  • Parties: 3 (Device, Platform, Secure Enclave)

  • Security: Biometric never leaves device

  • Fallback: OTP on recognition failure

  • Method: Face or fingerprint

Hard Token

  • Parties: 4 (Admin, User, Platform, Fulfillment)

  • Setup: Provisioning phase required

  • Delivery: Up to 48 hours shipping

  • Method: 6-digit OTP on device

Key Differences

Comparison across the three authentication swimlanes

Manage users - default.png

Mobile Token

  • Parties: 3 (User, Platform, Token Service)

  • Speed: Fastest path

  • Setup: No provisioning needed

  • Method: TOTP via mobile app

Manage users - default-1.png

Biometric

  • Parties: 3 (Device, Platform, Secure Enclave)

  • Security: Biometric never leaves device

  • Fallback: OTP on recognition failure

  • Method: Face or fingerprint

Manage users - Hard token.png

Hard Token

  • Parties: 4 (Admin, User, Platform, Fulfillment)

  • Setup: Provisioning phase required

  • Delivery: Up to 48 hours shipping

  • Method: 6-digit OTP on device

bottom of page