Thanks to COVID-19, consumers today do increasingly more of their purchases and routine banking transactions online. Not surprisingly, the use of multi-factor authentication (MFA) is now standard too.

That’s good. Any form of MFA is way better than a simple username/password combination. It’s especially true with access to financial accounts. MFA makes the accounts more secure and harder to hack.


MFA protects accounts with two authorization methods, or factors. A factor is usually:

  • Something you know, such as a password or security question.
  • Something you have, such as your smartphone or another physical device.
  • Something unique about you, such as your fingerprint or your iris.

MFA comes in several flavors today



Security questions or shared secrets

  • The user chooses the security Q&A pairs.
  • Shared by both the user and the trusted third party.
  • Security questions are easy to use.

Easy to hack as personal information is found on the Internet and social media.

  • 6 billion records stolen in last five years
  • 7 million identity theft victims
  • 74% of passwords are duplicates

One-time passwords (OTP) / Out of Band

  • After a username and password is entered, a OTP in the form of a PIN number is sent to the user’s phone (SMS or voice) or email making the UN and PW more secure.
  • An authenticator app can also generate a temporary unique password or PIN number.
  • Vulnerable to man-in-the-middle, malware and SIM swapping attacks.
  • Requires possession of OTP generation hardware/software.
  • Poor user experience
    • Must switch constantly between apps to authenticate.
  • Access is lost with every change to the user’s smartphone.
  • NIST (National Institute of Standards & Technology) disapproves the use of out of band for OTP.

Universal 2nd Factor (U2F) keys / Tokens

  • Open standard used with USB devices, NFC devices, and smart cards.
  • Simply plug in a USB key, bump an NFC device, or swipe a smart card.
  • A U2F key is one of the most secure MFA methods available.
  • Inconvenient due to differing USB ports on devices.
  • Software tokens are inherently vulnerable to malware and key logger attacks.
  • Very expensive to implement
  • Tokens can be lost or stolen.

Biometrics (face, voice, or fingerprint)

  • Organizations that need to be certain you are who you say you are often use biometric authentication. These are typically military or government installations.
  • Biometrics are almost impossible to hack
  • Rarely used in business settings because most people are reluctant to share physical characteristics.
  • Data acquisition and data storage processes are also obstacles to this technique.

MemberPass technology, the better way to authenticate

The way people authenticate themselves is rapidly changing and evolving. In contrast to MFA, MemberPass uses a cloud agent and a credential exchange network. Your phone interacts with this system in real time and uses the credential exchange network to complete the identity verification.

MemberPass is stored securely on your phone. It’s a fully signed identity credential you own and control.

It turns out Microsoft makes a similar recommendation in this news from November 12. In this article, Microsoft urges users to abandon telephone-based MFA solutions, like one-time codes sent via SMS and voice calls. These are the least secure of the MFA methods available today. SMS and voice protocols were not designed with encryption, are easy to attack using social engineering, rely on mobile carriers and are subject to shifting regulation.

MemberPass is different. It’s more than simple authentication – it’s identity verification. It’s a step toward building actual digital trust between you and your members. It’s the ability to recognize with certainty who someone is. It lets you participate in a global credential network able to validate identity in real time.

Let’s take a quick look under the hood

To get a little technical, MemberPass employs a cloud agent and credential exchange. The member’s phone interacts with in real time to complete the identity verification using a credential exchange network. MemberPass is a credential, not just a static authentication token that is stored on the member’s phone.

MemberPass function requires a secure phone and a fully signed identity credential that the member owns and controls from a trusted source (your credit union.) The credit union is a second measure of identity and a check from the cloud agent/credential exchange network completes the authentication using secure decentralized identifiers.

MemberPass is completely different from the DUO types of security tokens and schemes many credit union service providers use today. It’s a bad idea to store an OAuth token on a member’s smart phone as a static authentication key. It’s easy to hack.

MemberPass, the consistent omni-channel experience!

Avoid all the downside risks of MFA. MemberPass delivers member security, extreme hack resistance and a superior member experience across all access channels. Plus, you’ll earn greater digital trust with your members.

To learn more about MemberPass, email us to request a demo or FAQ list, register to attend a webinar, or visit us at

CULedger, a credit union service organization, offers MemberPass, the simplest, most secure and convenient method to verify member identity. We leverage touchless, privacy-enhancing technology to protect against identity theft and fraud. MemberPass will revolutionize how you say “hello” to members. Visit or email