To ensure that merchant data remains protected, Loop offers multiple multi-factor authentication (MFA) methods that users can use to sign in.

Troubleshooting steps for each authentication method are listed below. For details on MFA and recommended best practices, see Multi-factor authentication best practices.

This MFA method sends users push notifications to their pre-registered mobile devices using the Auth0 Guardian app, from which a user can immediately allow or deny access to their account.

Will internet connectivity issues impact my ability to sign in? Push notifications require a stable internet connection. If a user's device has poor connectivity or is offline, they may not receive the notification in a timely manner, leading to delays in authentication. To help prevent this, Loop recommends that you set up an alternative secondary MFA method to ensure that you’re still able to sign in.

Can I use push notification authentication on any device? The push notification MFA method relies on users having compatible devices and the Auth0 Guardian app installed. Auth0 Guardian is compatible with most Android and iOS devices. For details, see Auth0’s documentation on Auth0 Guardian.

Why aren’t push notifications showing up on my device? If you have a stable internet connection and you have the Auth0 Guardian app installed on your device but you still can’t see push notifications, you may have notifications disabled for Auth0 Guardian or for your device in general. Follow the linked guides to ensure that push notifications are enabled for Auth0 Guardian on your Android or iOS device.

Time-based one-time password (TOTP) MFA requires users to enter a time-sensitive numeric password generated on their device to authenticate their account. TOTP tokens are generated in authenticator apps such as Authy or Google Authenticator, and do not require a mobile internet connection to generate once the app has been set up.

Which authenticator apps can I use to sign in to Loop? Any of the following authenticator apps can be used to authenticate your account:

• Authy (Google Play / App Store)

• Google Authenticator (Google Play / App Store)

• Auth0 Guardian (Google Play / App Store)

• Microsoft Authenticator (Google Play / App Store)

Why is my TOTP token not working even when my authenticator app says it’s still valid? You may have a time synchronization issue with your device. TOTP tokens are time-based, and any time drift between your device and the authentication server can lead to authentication failures. Loop recommends you restart your device, which forces the device to check in with the cellular network and resync the time and date.

If I lose my device, how can I sign in to my account without a TOTP token? If you lose access to your device or reset it without a backup, you may lose access to their TOTP secret key and therefore cannot generate valid tokens. To help prevent this, Loop recommends that you keep your MFA backup codes available or set up an alternative secondary MFA method to ensure that you’re still able to sign in. Otherwise, contact Loop Support to reset your MFA method.

SMS-based MFA allows users to verify their identities with a code that is sent to them by a text message or phone call.

Are there any security risks associated with SMS-based MFA? SMS-based authentication is vulnerable to SIM swapping attacks, where attackers can hijack a user's phone number to intercept SMS messages and bypass MFA security. Phishing and social engineering attacks where attackers trick users into providing the code are also common with SMS-based authentication. For these reasons, Loop recommends using the Auth0 Guardian app or TOTP authentication instead if possible.

Why haven’t I received my SMS authentication code yet? Delays in SMS delivery can disrupt the authentication process, especially in areas with poor network coverage or during network congestion. If the issue persists, try another phone number on a different carrier if possible.

Please reach out to support@loopreturns.com with any additional questions.