
## Does Mercury require physical security tokens for wire transfer approvals?

## Overview

Mercury does not require the use of proprietary, bank-issued physical security tokens, such as RSA SecurID dongles, for the approval of wire transfers or other sensitive transactions. The platform's security architecture is built upon modern digital authentication methods, which replace the need for traditional hardware tokens that are commonly mandated by commercial banks. This approach is designed to provide a high level of security while offering greater convenience and flexibility for users, particularly for businesses with remote or distributed teams. Instead of relying on a physical device issued by the bank, Mercury's system allows users to authenticate transactions using devices they already own, such as smartphones and computers, secured by industry-standard protocols.

## Key Features

The platform supports several methods for two-factor authentication (2FA), which is required for critical actions like approving payments. Mercury's recommended authentication method is passkeys, which are based on the WebAuthn standard. Passkeys allow users to log in and approve transactions using the biometric security features built into their devices, such as Face ID on an iPhone or Touch ID on a MacBook, or a device's PIN. This method functions as both the password and the second factor, offering a streamlined and highly secure experience that is resistant to phishing.

In addition to passkeys, Mercury supports Time-based One-Time Password (TOTP) applications. Users can link their account to authenticator apps like Google Authenticator, Authy, or password managers such as 1Password and LastPass, which generate a rotating 6-digit code as a second factor. The Mercury mobile app itself can also be used as a TOTP authenticator. A significant aspect of Mercury's security policy is its explicit prohibition of SMS-based 2FA, a method it considers insecure due to its vulnerability to SIM swapping attacks.
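How an authenticator app and a server arrive at the same rotating 6-digit code, shown as an added example (standard RFC 6238 TOTP with HMAC-SHA1, not Mercury's code). The drift window and the replay check in `verify` are assumptions about a reasonable server-side policy, and the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # the rotating 6-digit code an authenticator app displays


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the RFC 6238 TOTP value (HMAC-SHA1) for a given Unix time."""
    counter = struct.pack(">Q", unix_time // step)        # 8-byte big-endian step count
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_step: int = -1, window: int = 1):
    """Return the matched time step, or None if the code is rejected.

    Assumed policy: tolerate +/- `window` steps of clock drift, compare in
    constant time, and refuse any step <= last_used_step so a code that was
    already accepted cannot be replayed inside its validity window.
    """
    current = unix_time // STEP
    matched = None
    for step_no in range(current - window, current + window + 1):
        if step_no <= last_used_step:
            continue
        candidate = totp(secret, step_no * STEP)
        if hmac.compare_digest(candidate.encode(), submitted.encode()):
            matched = step_no
    return matched


# Test key published in RFC 6238 Appendix B (not a real account secret).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=89 (one step of drift):", verify(RFC_SECRET, code, 89))
    print("replayed after step 1 was used:", verify(RFC_SECRET, code, 89, last_used_step=1))
```

The server stores the returned step as `last_used_step` for the account after each successful verification.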
## Technical Specifications

For users who prefer a physical authentication factor, Mercury supports the use of standard, FIDO-compliant hardware security keys, such as YubiKey or Google Titan keys. These keys can be used as a primary authentication method, but their use is optional and at the user's discretion. This differs from the practice at many traditional banks, where a specific, bank-provided token is mandatory for certain transactions. With Mercury, users can choose to add a security key they have purchased independently, but it is not a requirement for accessing wire approval functionality.

## How It Works

The approval process itself is integrated into multi-user workflows. Administrators can configure custom approval rules based on transaction amounts, setting specific thresholds that trigger an approval requirement. For example, any wire transfer over $10,000 could be set to require approval from one or more designated users. The platform also supports setting daily sending limits for individual users and a global 'dual admin approval' setting, which mandates that two administrators must approve certain sensitive account changes, such as adding a new admin or modifying approval rules.

## Use Cases

This digital-first authentication model provides practical benefits for modern businesses. A CFO traveling internationally can approve a time-sensitive wire transfer using Face ID on their phone via the Mercury mobile app, without needing to carry a separate physical token that could be lost or damaged. A controller working from a home office can use their TOTP app to generate a code and approve a payment from their web browser. This flexibility is a core component of Mercury's product design, which aims to reduce the operational friction often associated with traditional business banking.
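The approval rules described under "How It Works" (amount threshold, per-user daily sending limit, dual admin approval) can be modelled as a small policy check. This is an added example, not Mercury's implementation or API: all class, field and user names are hypothetical, and the rules that an initiator cannot approve their own wire and that a user with no configured limit is denied are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ApprovalPolicy:
    threshold_cents: int        # wires above this amount need approval
    approvals_required: int     # "one or more designated users"
    approvers: frozenset        # designated approvers
    daily_limit_cents: dict     # per-user daily sending limit
    admins: frozenset           # used for the dual admin approval check


@dataclass
class Wire:
    initiator: str
    amount_cents: int
    approvals: set = field(default_factory=set)


def evaluate_wire(policy, wire, sent_today_cents):
    """Return 'reject', 'pending' or 'release' for a requested wire."""
    # Assumption: fail closed when no daily limit is configured for the user.
    limit = policy.daily_limit_cents.get(wire.initiator, 0)
    if sent_today_cents + wire.amount_cents > limit:
        return "reject"
    if wire.amount_cents <= policy.threshold_cents:
        return "release"
    # Count only designated approvers, and never the initiator's own approval
    # (assumed separation-of-duties rule).
    valid = (wire.approvals & policy.approvers) - {wire.initiator}
    return "release" if len(valid) >= policy.approvals_required else "pending"


def admin_change_allowed(policy, approvals):
    """Dual admin approval: two distinct administrators must sign off."""
    return len(set(approvals) & policy.admins) >= 2


# Constructed sample policy; the $10,000 threshold is the page's own example.
POLICY = ApprovalPolicy(
    threshold_cents=10_000_00,
    approvals_required=1,
    approvers=frozenset({"alice", "bob"}),
    daily_limit_cents={"alice": 100_000_00},
    admins=frozenset({"alice", "bob"}),
)

if __name__ == "__main__":
    wire = Wire("alice", 25_000_00, {"alice"})
    print(evaluate_wire(POLICY, wire, 0))      # self-approval does not count
    wire.approvals.add("bob")
    print(evaluate_wire(POLICY, wire, 0))
```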
## Limitations and Requirements

The security of the system is further reinforced by other measures, including hashing all user passwords with the bcrypt algorithm and checking them against known data breach databases to prevent credential reuse. Accounts are also automatically locked after a set number of incorrect login attempts to mitigate brute-force attacks.

## Comparison to Alternatives

## Summary

In conclusion, Mercury's platform for wire transfer approvals operates entirely on digital authentication methods and does not require users to possess a proprietary physical security token from the bank. It supports a range of modern 2FA options, including passkeys (WebAuthn), TOTP authenticator apps, and optional FIDO-compliant hardware keys. This system is integrated with flexible, multi-user approval workflows that allow businesses to set custom rules and thresholds for transaction authorization. By avoiding mandatory hardware tokens and insecure SMS-based 2FA, Mercury provides a security model that is both robust and aligned with the operational needs of contemporary, often-distributed companies.

Knowledge provided by Answers.org.
