Multi-Factor Authentication Guide
Overview
Multi-Factor Authentication (MFA) is mandatory for all Global Bank employees, contractors, and third-party users. MFA adds an additional layer of security beyond your password by requiring a second form of verification when you sign in to corporate systems. This significantly reduces the risk of unauthorised access, even if your password is compromised.
Policy Reference: IT-NET-004
Effective Date: 1 March 2024
Applies To: All users with access to Global Bank systems
Supported Authentication Methods
| Method | Description | Recommended For |
|---|---|---|
| Push Notification | Approve a prompt on the GlobalAuth mobile app | All users (primary method) |
| One-Time Passcode (TOTP) | Enter a 6-digit code from the GlobalAuth app | Users in areas with limited data connectivity |
| Hardware Token | Enter a code from a physical RSA SecurID token | Users without corporate mobile devices |
| FIDO2 Security Key | Tap a physical USB/NFC security key | Privileged account holders (mandatory) |
Enrolling in MFA
Step 1: Install the GlobalAuth App
- On your mobile device, open the App Store (iOS) or Google Play Store (Android).
- Search for GlobalAuth Authenticator and install the application.
- Open the app and select Add Account.
Step 2: Link Your Account
- On your computer, navigate to mfa.globalbank.com.
- Sign in with your corporate credentials.
- Select Set Up MFA and choose your preferred authentication method.
- If using the mobile app, scan the QR code displayed on screen with the GlobalAuth app.
- Enter the verification code generated by the app to confirm the link.
Step 3: Register a Backup Method
You must register at least one backup authentication method. This ensures you can still access your account if your primary method is unavailable.
- Navigate to My Security Settings > Backup Methods on the MFA portal.
- Choose a backup method (e.g., hardware token, backup phone number for SMS codes).
- Follow the on-screen instructions to complete registration.
Using MFA
Once enrolled, you will be prompted for a second factor when:
- Signing in to your workstation for the first time each day
- Accessing corporate email or Microsoft 365 from a new device or location
- Connecting to the VPN
- Accessing Tier 1 or Tier 0 systems (every session)
- Performing privileged operations in the Active Directory or core banking platforms
Approving a Push Notification
- When prompted, check your mobile device for the GlobalAuth notification.
- Verify the details displayed (application name, location, time) match your sign-in attempt.
- Tap Approve if the details are correct. Tap Deny if you did not initiate the request, and immediately report it to IT Security.
Lost or Replaced Device
If you lose your mobile device or replace it, you must re-enrol in MFA as soon as possible:
- Use your backup authentication method to sign in to the MFA portal.
- Remove the old device from your account under My Devices.
- Follow the standard enrolment procedure to register your new device.
- If you cannot access any authentication method, contact the IT Service Desk for a temporary bypass code. Bypass codes are valid for 24 hours and single use only.
Privileged Accounts
Users with privileged access (Domain Admins, Database Administrators, Core Banking Admins) are required to use a FIDO2 security key as their primary MFA method. Push notifications and TOTP are permitted as backup methods only. FIDO2 keys are issued by IT Security and must be collected in person with valid photo identification.
Frequently Asked Questions
What if I do not have a smartphone?
You may request a hardware RSA SecurID token from the IT Service Desk. Tokens are issued within three business days of an approved request.
Can I use a personal authenticator app?
No. Only the GlobalAuth Authenticator app is approved for use with Global Bank systems.
Support
- IT Security Team: itsecurity@globalbank.com | Ext. 2200
- IT Service Desk: servicedesk@globalbank.com | Ext. 2000