
Introduction to Two-Factor Authentication

This type of payment requires confirmation via a token sent to the person with approval powers for transactions on the payer's account. Integrator partners configured to use two-factor authentication make the payment request in the same way as described in boleto payment and collection invoice payment. The difference is that the request carries an additional tfa_info object, containing information about the transfer approver and the means of contact, and the response carries the status of the request. That status is always returned as pending_2fa_approval.

Flow for a Payment with Authorization

A successful payment follows this process flow:

Observations

  • Each payment has a maximum limit of 5 validation attempts for the token. When this limit is reached, the payment is automatically set to the rejected status.
  • Each token has a maximum duration of 5 minutes.
  • A payment can have its token renewed and resent to the account approver. This process resets the 5-minute timer but does not reset the invalid-attempt counter. The previous token becomes invalid.
  • Once the payment is approved, it will be completed synchronously.
  • The notification event for sending the token to the approver is baas.token_validation.bill_payment.payment.single. It is possible to customize the sent message.
  • The implemented contact_type values for sending tokens are sms and email.
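
The token rules in the observations above, modelled as a small state machine. This is an added example, not the provider's code: the class and method names, the 6-digit token format, the "approved" status label and the choice to count an attempt against an expired token as invalid are all assumptions. Timestamps are passed in as seconds so the 5-minute window can be exercised without waiting.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5          # validation attempts per payment (from the observations)
TOKEN_TTL_SECONDS = 300   # each token lives 5 minutes (from the observations)


class PendingPayment:
    """Hypothetical model of one payment awaiting token approval."""

    def __init__(self, now):
        self.status = "pending_2fa_approval"
        self.failed_attempts = 0
        self._issue(now)

    def _issue(self, now):
        # A new token overwrites the previous one, so the old value stops matching.
        self.token = f"{secrets.randbelow(10**6):06d}"  # 6-digit format is assumed
        self.expires_at = now + TOKEN_TTL_SECONDS

    def renew(self, now):
        """Resend: restarts the 5-minute window, keeps the failed-attempt count."""
        if self.status != "pending_2fa_approval":
            raise ValueError("payment is no longer pending")
        self._issue(now)
        return self.token

    def validate(self, candidate, now):
        """Apply one validation attempt and return the resulting payment status."""
        if self.status != "pending_2fa_approval":
            return self.status  # terminal states never change
        # Constant-time comparison; an expired token is treated as a failed
        # attempt (assumption, the page does not say how expiry is counted).
        matches = hmac.compare_digest(candidate.encode(), self.token.encode())
        if matches and now < self.expires_at:
            self.status = "approved"  # placeholder label, not given on the page
        else:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_ATTEMPTS:
                self.status = "rejected"
        return self.status
```

Because renewal leaves failed_attempts untouched, an approver who keeps requesting new tokens still reaches the rejected status after 5 invalid attempts in total.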