Two-factor authentication for the Faster Payment System’s user interface
We have improved the log in options for Alternative Security Method (ASM) users (i.e. users who log in with a contact ID and password, without needing a smart card and card reader) for the Faster Payment System’s user interface (FPS UI). If you are an ASM user, you now have the option to set up and use two-factor authentication when accessing the FPS UI.
What is two-factor authentication?
Two-factor authentication is one of the most effective ways to protect your online accounts from cyber criminals. This will better protect accounts from unauthorised access, phishing, and password theft.
To use this feature, you will need:
- Something you know – your password
- Something you have – a code from an authentication application (app) on your phone or device.
How to set up two-factor authentication to make your account more secure
Before setting up two-factor authentication, you will need:
- An authenticator app or tokenised authenticator
- For most users, a mobile phone authenticator app, such as Google Authenticator or Microsoft Authenticator, is usually the easiest way to set up and use two-factor authentication.
- A modern browser
- You will also need to have an up-to-date web browser, for example, Microsoft Edge, Google Chrome, Safari or Mozilla Firefox. Microsoft Internet Explorer and Internet Explorer compatibility mode in Edge will not be compatible.
To enable two-factor authentication on your FPS UI account, you will need to enable two-factor authentication on the Payment Services Website (PSW).
How to enable two-factor authentication on the PSW:
- Log in to your PSW account using your usual ASM username and password
- Go to My Profile in the top right-hand corner
- In My Profile, click Enable Two-Factor Authentication
- Scan the QR code displayed on this screen with your authenticator
- Your authenticator will generate a six-digit code
- Enter the code in the box below the QR code on the PSW screen and click Verify
- Once verified, you will see a confirmation message: Two-Factor Authentication is now enabled.
How to log in to your FPS UI account once two-factor authentication has been enabled on the PSW:
- Log in to your FPS UI using your username and password
- You will see a field for your one-time passcode
- Open your authenticator to find the six-digit code
- Enter that code in the box on the FPS UI screen and click Verify
- You are now securely logged into the FPS UI using two-factor authentication.
Please see our helpful video guide showing the registration process.
How to set up and use two-factor authentication
Alternative two-factor verification devices
Frequently Asked Questions (FAQs)
What is 2FA and what is a TOTP?
Two-factor authentication (2FA) and Time-based One-Time Passcodes (TOTPs) are security measures that enhance online account protection beyond the use of usernames and passwords.
Why is two-factor authentication (2FA) being introduced?
2FA is being introduced to significantly enhance security and protect user accounts from unauthorised access. Passwords alone are no longer deemed sufficient.
How do I enable two-factor authentication (2FA) on my account?
To set up 2FA, when you have logged into the Faster Payment System’s user interface (FPS UI), you can navigate to the ‘My Profile’ page and click ‘Enable two-factor authentication’ which will start the process. Ultimately, new users will be automatically guided to the 2FA set up screen to complete the initial set-up.
Why aren't alternative methods, such as email or SMS, being offered instead of Time-based One Time Passcode (TOTP)?
These methods are commonly used in phishing scams and are deemed less secure than TOTP, so they are unsuitable for access to the Payment Services Website.
What technical support will be available to participants and indirect participants?
The Primary Security Contact (PSC) will deal with queries and will provide reasonable support to help users obtain access to the Faster Payment System’s user interface (FPS UI). They may not be able to assist if the user is using a non-recommended authenticator or operating system, in which case, users will be directed towards their own technical teams or their sponsor for assistance.
What other two-factor authentication (2FA) solutions does Pay.UK use, and are these compatible with this solution?
2FA for the Faster Payment System’s user interface (FPS UI) will be the same as the authenticator option on the Bacs.co.uk website.
When will the use of two-factor authentication (2FA) become mandatory? Can this date be staggered for new and/or existing users?
New and existing users will be given the option to set up and register for 2FA from May 2026. The mandatory deadline for registration will be December 2026.
What software or hardware do I need to use two-factor authentication (2FA)?
There are several software authenticators that can be used via your mobile phone to set up 2FA. We recommend the use of either the Microsoft or Google Authenticator app that can be downloaded from app stores for Apple devices or Google Android devices. If you are not able to use a mobile phone, please refer to the list of alternative hardware devices.
Note: This list is a sample list based on what Pay.UK will use during testing. This list is not exhaustive, other software/hardware is available. Each Sponsor should consider their own operational and security requirements when assessing options for their own staff and service users.
- Software: 2Fast Authenticator, Bitwarden Authenticator (Desktop + Browser)
- Hardware: Token2 Re-programmable fob, Token2 re-programmable card, Yubikey 5
- Dedicated TOTP device: REINER SCT Authenticator
Does Pay.UK recommend any authenticator providers?
We recommend Microsoft or Google authenticator apps. Both can be downloaded from the Apple / Google Play app stores for Apple and Google Android devices.
What should I do if the QR code is not scanning?
To set up 2FA, when you have logged into Payment Services Website, you can navigate to the ‘My Profile’ page and click ‘Enable two-factor authentication’ which will start the process.
You will be presented with a QR code or manual entry to complete the set-up. If these fail, the system provides a support link for contacting the Bacs service desk for assistance via www.bacs.co.uk/contactus.
Quick Response (QR) code authentication is a security method that verifies a user’s identity by scanning a unique QR code with a device, often a smartphone, instead of or in addition to traditional methods like usernames and passwords.
During set up, what happens if the TOTP code is not accepted?
If the Time-based One Time Passcode (TOTP) is not accepted, re-scan the QR code and check your authenticator is set up correctly. The TOTP is only valid for 30 seconds, so if it has timed out, you can retry with a new code. If the TOTP code continues to fail, enter the ‘key’ shown below the QR code. Please note that the key is case sensitive.
What should I do if the two-factor authentication (2FA) set up is interrupted?
If the user cannot continue with 2FA authentication, they can attempt to log in again and the QR code will be regenerated.
What should I do if the QR code fails to generate or it cannot be displayed?
If the QR code fails to generate and is not visible, the user can attempt to log in again and the QR code will be regenerated. If the QR code still doesn’t work, please contact the Bacs help desk for advice via http://www.bacs.co.uk/contactus.
What should a Faster Payment System’s user interface (FPS UI) user do if they enter an incorrect Time-based One Time Passcode (TOTP) during authentication?
If the FPS UI user enters an incorrect TOTP multiple times, the account may become temporarily locked. After five failed attempts the account will be locked for 10 minutes. The account then unlocks automatically and will then allow the FPS UI user to proceed with a further five attempts.
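The 30-second validity and the five-attempt, 10-minute lock described above can be seen in the following sketch, which is an added example and not Pay.UK's code. It assumes the standard RFC 6238 algorithm with HMAC-SHA-1 and a verifier that accepts only the current 30-second step; the secret is the public RFC 6238 test key, and the Verifier class is hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6              # 30-second validity, six-digit code (page values)
MAX_FAILS, LOCK_SECONDS = 5, 600  # five failures lock for 10 minutes (page values)
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key, Base32

def totp(secret_b32, now):
    """RFC 6238 code for the 30-second step containing `now` (HMAC-SHA-1 assumed)."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical server-side check: exact step match, then lockout counting."""
    def __init__(self, secret_b32):
        self.secret, self.fails, self.locked_until = secret_b32, 0, 0

    def check(self, code, now):
        if now < self.locked_until:
            return "locked"  # no attempts are evaluated while the lock is active
        expected = totp(self.secret, now)
        if hmac.compare_digest(code.encode(), expected.encode()):
            self.fails = 0
            return "ok"
        self.fails += 1
        if self.fails >= MAX_FAILS:
            # Fifth failure: lock, and reset the counter so five attempts follow unlock
            self.fails, self.locked_until = 0, now + LOCK_SECONDS
            return "locked"
        return "rejected"

def demo():
    v, t = Verifier(SECRET), 1111111109  # t is one second before a step boundary
    out = [v.check(totp(SECRET, t), t)]                  # fresh code is accepted
    out.append(v.check(totp(SECRET, t), t + 2))          # same code, next step: expired
    out += [v.check("000000", t + 2) for _ in range(4)]  # failures two to five
    out.append(v.check(totp(SECRET, t + 60), t + 60))    # correct code, still locked
    out.append(v.check(totp(SECRET, t + 700), t + 700))  # lock expired automatically
    return out

if __name__ == "__main__":
    print(demo())
```

The second result shows why a device clock that is only slightly out of sync can produce a rejected code: the two timestamps are two seconds apart but fall in different 30-second steps.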
Can you provide any general troubleshooting guidance?
Guidance will be given on common issues, such as time sync – wrong time zone, expired Time-based One Time Passcode (TOTP), authenticator app not working, etc. This guidance is available from the Primary Security Contact (PSC) or the sponsor bank’s service desk.
What should I do if a Faster Payment System’s user interface (FPS UI) user has lost access to the authentication app (through deletion, resetting, etc.)?
If access to the authentication app has been lost and no backup method is available (alternative QR scanning tool, desktop Time-based One Time Passcode generation, Public Key Infrastructure access via Smartcard or Hardware Security Modules), please contact the Primary Security Contact (PSC).
What happens if a Faster Payment System’s user interface (FPS UI) user has transferred to a different sponsor?
If the FPS UI user is not already 2FA enabled and is moving to a sponsor that has mandated 2FA, then the user will need to enable 2FA when they first log on. If the new sponsor has not mandated 2FA then the user can continue without 2FA. If the FPS UI user is already 2FA enabled, regardless of whether or not the new sponsor has mandated 2FA, then the user will continue to require 2FA to log in.
If a Faster Payment System’s user interface (FPS UI) user gets locked out, do they need to re-register their authenticator app?
No, re-registration of the authenticator app will not be necessary. 2FA will be set up so that customers can serve themselves.
FPS UI users will not be able to retry entering a Time-based One Time Passcode until after the time out period (five attempts, lock out time 10 minutes).
What if a Faster Payment System’s user interface (FPS UI) user needs to change device or telephone number for two-factor authentication (2FA)?
This falls under the ‘re-register’ journey, so the user would need to:
- Click on ‘re-register’
- The user should receive the message to ‘Contact their Primary Security Contact (PSC)’
- The PSC would then be able to update the individual’s status to: ‘re-register 2FA’
- Then the user would be able to see the QR code and start the registration journey again.
When resetting a password, will the Faster Payment System’s user interface (FPS UI) user need to reset the Time-based One Time Passcode (TOTP) and vice versa?
No, password reset and TOTP reregistration are independent processes. There is no requirement from Pay.UK to reset TOTP when the password is reset and vice versa.
What should I do if my Primary Security Contact (PSC) is not available?
If the FPS UI user’s PSC is not available, they should contact their own service desk or sponsor bank’s service desk.