Our Out-of-Band solution is designed to reduce the risk of fraud by better confirming your identity when accessing Summit Online, using a user ID plus two additional components or factors. The solution allows you to authenticate through the use of a one-time security code. The interaction occurs outside the online channel, through either an automated voice call or a text message.
You log in to Summit Online normally, entering a valid user ID.
When you enter a valid user ID, the Device Profiling process determines if the device profile is typical for past successful logins with the device. If it is typical, the Password page appears. If it is not typical, then additional authentication will be required before you can proceed.
Note: The Password page will no longer include a picture and phrase, and preselected challenge questions are no longer used. These functions are replaced with the Out-of-Band Authentication, described below.
After you enter your user ID, your device and network path are also authenticated in order to detect indicators of fraudulent activity. Over 100 attributes are gathered and reviewed when authenticating your device. This evaluation occurs each time you log in to Summit Online, and it is transparent to you.
There are two possible outcomes when authenticating your device:
Note: You will no longer be asked to register your device. This function is replaced with Device Profiling, which is performed with every login.
When step-up authentication is needed, Summit State Bank provides an Out-of-Band Authentication solution that uses a phone call or text message to confirm your identity.
To begin using Out-of-Band Authentication, you will click Continue with Security Code on the Step-Up Authentication page.
The Tell Us Where to Reach You dialog prompts you to select a phone number to use for Out-of-Band Authentication.
Note: For security reasons, all but the last five digits of your phone numbers are masked.
You cannot successfully complete the Out-of-Band Authentication process without at least one valid phone number recorded in Summit Online. If you do not have a valid phone number on record, then you must contact Summit State Bank before you will be able to log in. Click on the My Phone Number is Not Listed link for Summit State Bank contact information.
If you select a phone number on the Tell Us Where to Reach You dialog and then click Continue, the Enter the Security Code dialog is displayed. You will receive a phone call at the selected phone number.
When the phone call is received, you are asked to speak or enter the displayed one-time security code. You have three attempts to correctly enter or speak the security code.
After completing the phone call, you must click Phone Call Completed.
If you spoke or entered the correct security code, Out-of-Band Authentication is successful, and you will be allowed to proceed to the Password page (or the Password Reset page if you are updating your password).
If you click the I Didn't Receive a Phone Call link, further instructions are displayed on how to contact Summit State Bank.
If you selected the text message option on the Tell Us Where to Reach You, the Enter Your Mobile Phone Number dialog is displayed. You are prompted to enter a mobile phone number where the text message can be sent.
Note: Based on your carrier contract, you may be charged standard text message rates.
After you enter your mobile phone number and click Send Text Message, the phone number is validated with numbers on record for you at Summit State Bank.
If the mobile phone number matches a number on record, a text message containing a one-time security code is sent to your phone, and the Enter the Security Code dialog is displayed.
On the Enter the Security Code dialog, you are asked to enter the one-time security code that was sent in the text message.
When you enter the code and click Submit, Summit Online verifies that the entered security code matches the security code sent by text message. You have three attempts to enter the security code correctly.
After the correct security code is successfully entered, Out-of-Band Authentication is successful, and you are allowed to proceed to the Password page (or the Reset Password page if you are updating your password).
If you click the I Didn't Receive a Text Message link, further instructions are displayed on the Text Message Not Received dialog.
Why did I have to go through the additional authentication process?
The most common reason would be that a new Device Profile has been identified or there has not been enough consistent use of the Device to confirm the correlation.
Because the Device Profiling looks at many factors together, as well as a system cookie and a Flash Object from a prior session, there are some instances where changes to a combination of factors would trigger a risk score that requires additional authentication. Examples include:
Please follow the instructions to provide additional authentication so the system can learn that this profile is safe and you can access the system from this profile in the future.
If I log in from a Public PC and the Device fingerprint is recorded or "registered," doesn't this put me at risk?
When you log in to Summit Online from a PC where you do not have control over the Security Controls, such as firewalls and virus protection, you are at risk. Public PCs can have malware that records any information you enter. For this reason we strongly recommend you do not use Public PCs for Summit Online.
Why am I not asked to Register my Device? Or why are Devices Profiles always recorded?
Rather than registering your PC, we are reviewing each unique login for any security risk. This approach works behind the scenes to protect each Summit Online session. This provides increased security for every login.
Why am I getting stepped up all the time when accessing the system from an international location?
For security purposes, users logging to Summit Online from international locations (except USA and Canada) will always be stepped-up to Out-of-Band Authentication.
If you continue to get stepped up over and over, we have found that sometimes browsers don't encrypt the Device ID correctly and, therefore, cannot be recognized as a previously used Device. Here are some hints we have found helpful in resolving issues that prevent devices from properly registering and result in stepped up authentication on every login: