In addition to entering a password, most end users are required to enter an SAC from the FI the first time they access online banking. End users receive the SAC through a delivery method of their choosing: voice, text, or email.
Note
End users who are more susceptible to fraud and transact large amounts of money may use VIP token codes to log in, instead of SACs.
End users may also be required to enter a SAC for the following reasons:
-
The end user is logging in using a new browser or device.
-
The mobile banking app was deleted and then reinstalled.
-
The browser is not configured to save HTTP cookies, which contain registration details.
-
The user cleared existing browser cookies.
-
The FI reset browser registration for all end users due to security reasons.
You cannot generate a new SAC for an end user in Q2 Co-Pilot. Instead, the end user must request a new SAC during the login process by completing the following steps.
-
On the Login page of online banking, select Forgot Your Password?.
-
Enter a Login ID and select Submit.
-
Select an SAC delivery target.
-
Enter the SAC that was received, and select Submit.
-
Follow the instructions to reset the password and log in to online banking.
Although you cannot send a new SAC to an end user, you can use the data displayed in Q2 Co-Pilot to troubleshoot possible SAC delivery problems. For example, you can tell a caller the date and time when the last SAC was sent, as well as the target (for example, an email address) to which the SAC was sent.
Here are some additional points about SACs:
-
If a user questions the purpose of SACs, explain that SACs are a security measure designed to protect an end user’s login information.
-
SACs may have expiration dates that vary according to the FI.
-
SAC delivery may take several minutes, depending on network traffic. It does not help to request multiple codes, because each new SAC invalidates the previous SAC.
-
Search for the record for the user.
-
Validate the user’s identity according to FI policy.
-
In the Secure Access Codes (SACs) section of the Login pane, locate the SAC with an Active status.
If all SACs are expired, ask the user to access the Login page for online banking again and request a new SAC, as described earlier in this section.
Note
Although you cannot give users access to their accounts without a SAC, you may be able to tell a user what the current SAC is if permitted by the FI. Q2 does not recommend this practice, as it subverts the out-of-band security benefits of the SAC feature.
-
After the end user requests a new SAC, verify that the SAC was delivered and that the end user can log in successfully.
-
If you have time and a willing end user, take a moment to troubleshoot the previous code retrieval attempts.
-
Ask the end user to verify the email and phone numbers used to deliver previous SACs.
-
Ask if the end user tried to use the SACs within a short time after receiving them.
-
If the SAC was delivered to an email target, it is possible that the message was placed in the spam or junk email folder.
-