Security & Account Settings
Protect your Danipa Pay account with PIN, biometrics, and step-up multi-factor authentication using passkeys, TOTP, or SMS.
Overview
Danipa Pay uses layered security:
- Account login — handled by Danipa's identity provider (email/phone + password).
- Transaction PIN — a 4-digit code that authorizes individual payments.
- Biometric login — Face ID or fingerprint for quick re-authentication.
- Step-up multi-factor authentication (MFA) — required for sensitive actions; choose from passkey, TOTP, or SMS code.
This guide covers each layer and how to manage it from Profile → Security in the mobile app.
Transaction PIN
Your transaction PIN is a 4-digit code separate from your login password. It authorizes payments and other money-movement actions inside the app.
Setting Your PIN
You'll be prompted to create a PIN during your first transaction. To set or change it proactively:
- Go to Profile → Security → Transaction PIN.
- Enter a 4-digit PIN.
- Confirm by entering it again.
Tips for a strong PIN:
- Don't use your birth year, phone number, or simple sequences (`1234`, `0000`).
- Pick something memorable but not obvious to others.
- Never share your PIN with anyone — Danipa staff will never ask for it.
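The guidance above, turned into a local check. This is an added example, not Danipa Pay's own code; the rule set, the 1930-to-current-year "looks like a birth year" heuristic, and the optional `birth_year` / `phone` inputs are assumptions for illustration.

```python
"""Added example (not Danipa Pay's code): apply the strong-PIN tips above
before accepting a 4-digit transaction PIN. Rule set is an assumption."""
import re
from datetime import date
from typing import List, Optional


def _is_sequence(pin: str) -> bool:
    """True for ascending or descending runs such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_problems(pin: str, birth_year: Optional[int] = None,
                 phone: Optional[str] = None) -> List[str]:
    """Return the guidance rules the PIN violates (empty list = acceptable)."""
    if not re.fullmatch(r"\d{4}", pin):
        return ["PIN must be exactly 4 digits"]
    problems: List[str] = []
    if len(set(pin)) == 1:                       # 0000, 1111, ...
        problems.append("repeated digit")
    if _is_sequence(pin):                        # 1234, 4321, 9876
        problems.append("simple sequence")
    # Assumed heuristic: any plausible birth year, not only the user's own.
    if pin == str(birth_year) or 1930 <= int(pin) <= date.today().year:
        problems.append("looks like a birth year")
    if phone:
        digits = re.sub(r"\D", "", phone)        # strip +, spaces, dashes
        if pin in digits:                        # any 4-digit window of the number
            problems.append("appears in phone number")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate in ("1234", "0000", "1990", "5501", "7391"):
        print(candidate, pin_problems(candidate, phone="+1 (415) 555-0134"))
```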
Forgot Your PIN?
Reset it via step-up MFA — Danipa will challenge you with one of your enrolled methods (passkey, TOTP, or SMS) before letting you set a new PIN. You may not be allowed to transact for a short cooldown period after a PIN reset, as a fraud-protection measure.
Biometric Login
Use Face ID or fingerprint for fast, secure access.
- Go to Profile → Security → Biometric Login.
- Toggle Enable Biometric Login.
- Authenticate using your device biometrics to confirm.
Biometric login replaces password entry on subsequent app opens. You can still use your password as a fallback at any time.
Step-Up Multi-Factor Authentication (MFA)
Danipa Pay uses step-up authentication for sensitive actions like enabling features, changing security settings, large transfers, or account deletion. Step-up means you authenticate at the moment the action happens — not just at login.
You can enroll any combination of three methods. Enrolling more than one is recommended so you have a backup if you lose access to your primary method.
Available Methods
| Method | What it is | When to use it |
|---|---|---|
| Passkey | Phishing-resistant cryptographic credential bound to your device biometrics (Face ID / fingerprint). | Best default — fastest, most secure, no codes to type. |
| TOTP | Time-based one-time password from an authenticator app (Google Authenticator, 1Password, Authy, etc.). | Good cross-device option — works even if your phone is offline. |
| SMS Code | One-time code sent to your registered phone number. | Lowest-friction backup, but vulnerable to SIM-swap attacks. Don't rely on SMS as your only method. |
Enrolling a Passkey
- Go to Profile → Security → Passkeys.
- Tap Register Passkey.
- Confirm with your device biometrics (Face ID or fingerprint).
The passkey is now bound to this device. Repeat the steps on each device you use Danipa Pay on. You can list, name, and delete passkeys from the same screen.
Passkeys aren't supported on every device — older Android versions and some web browsers may not have the underlying WebAuthn support. The screen will tell you if your device isn't compatible.
Enrolling TOTP
- Go to Profile → Security → TOTP.
- Tap Set Up TOTP.
- Scan the QR code with your authenticator app, or enter the secret manually.
- Type the 6-digit code from your authenticator into the verify field.
- Tap Enable.
After enabling, the app shows a list of recovery codes — save them in a safe place (password manager, printed sheet). They're your only way back in if you lose access to your authenticator.
Enrolling SMS
- Go to Profile → Security → SMS Code.
- Tap Enable SMS MFA.
- Confirm your phone number, then enter the OTP that arrives by text.
Security note: SMS is convenient but is the least secure of the three methods. Use it as a backup, not your primary method.
Disabling a Method
Each method has a Disable action on the Security screen. Disabling requires a step-up challenge using one of your other enrolled methods (you can't disable your only MFA method without enrolling a replacement first — by design).
When You'll Be Asked to Step Up
Step-up MFA is required for:
- Sending money above your daily threshold.
- Adding or removing a recipient.
- Changing security settings (PIN, biometrics, MFA enrollment).
- Initiating account deletion.
- Other sensitive actions identified by our risk engine.
Step-up tokens are short-lived. If you start a sensitive action and then walk away, the token expires and you'll be re-challenged when you return.
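A minimal model of the step-up token behaviour described in this section: a token exists only after an MFA challenge passes, is bound to one user and one action, expires after a short lifetime, and is consumed on use, so a stale or reused token forces a fresh challenge. This is an added example, not Danipa Pay's implementation; the 120-second TTL, the action names, and the in-memory store are assumptions.

```python
"""Added example (not Danipa Pay's code): server-side step-up tokens that are
short-lived, action-bound and single-use. TTL and action names are assumed."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

STEP_UP_TTL_SECONDS = 120  # assumed value; short by design

SENSITIVE_ACTIONS = {"send_over_threshold", "add_recipient",
                     "remove_recipient", "change_security_settings",
                     "delete_account"}


@dataclass
class StepUpToken:
    user_id: str
    action: str      # the one action this token may authorize
    issued_at: float
    used: bool = False


_tokens: Dict[str, StepUpToken] = {}  # token id -> record (in-memory store)


def issue_step_up_token(user_id: str, action: str, mfa_verified: bool,
                        now: Optional[float] = None) -> str:
    """Issue a token only after the MFA challenge for this action has passed."""
    if not mfa_verified:
        raise PermissionError("MFA challenge not passed")
    if action not in SENSITIVE_ACTIONS:
        raise ValueError(f"{action} does not require step-up")
    token_id = secrets.token_urlsafe(32)  # unguessable identifier
    _tokens[token_id] = StepUpToken(user_id, action,
                                    time.time() if now is None else now)
    return token_id


def consume_step_up_token(token_id: str, user_id: str, action: str,
                          now: Optional[float] = None) -> str:
    """Return "ok" if the token authorizes this action now; otherwise the
    reason the caller must be re-challenged."""
    now = time.time() if now is None else now
    rec = _tokens.get(token_id)
    if rec is None:
        return "unknown_token"
    if rec.used:
        return "already_used"                     # single use only
    if rec.user_id != user_id or rec.action != action:
        return "wrong_binding"                    # different user or action
    if now - rec.issued_at > STEP_UP_TTL_SECONDS:
        _tokens.pop(token_id)                     # walked away: re-challenge
        return "expired"
    rec.used = True
    return "ok"
```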
Account Settings
Change Password
Passwords are managed by your identity provider. Go to Profile → Account → Change Password and follow the prompts. You'll be asked to step up via MFA before the change takes effect.
Update Phone Number
- Profile → Account → Phone Number.
- Enter the new number; an SMS code is sent to confirm.
- Step up via your enrolled MFA method (passkey, TOTP, or — if it's your only enrolled method — the OTP sent to the new number).
Update Email
- Profile → Account → Email.
- Enter the new email; a verification link is sent.
- Click the link from the device you want to authenticate from.
Logout / Sign Out of All Devices
- Logout — sign out of the current device only.
- Sign out of all devices — invalidates every active session everywhere; use this if you suspect a device has been lost or compromised.
Frequently Asked Questions
What's the difference between transaction PIN and MFA?
Your PIN authorizes routine transactions. MFA is a higher-assurance challenge for sensitive actions (e.g., disabling MFA itself, deleting your account). The PIN is fast; MFA is secure. Both have their place.
What if I lose access to all my MFA methods?
Use your TOTP recovery codes. If those are also lost, you'll need to verify identity through a manual support process (government ID + selfie). Plan ahead — enroll at least two methods.
Is biometric login the same as a passkey?
No. Biometric login uses your device biometrics to unlock a saved login session — it's a convenience feature. A passkey is a cryptographic credential that proves to Danipa's servers that the right person is authenticating. Both use Face ID/fingerprint at the moment of use, but only passkeys are phishing-resistant.
Can someone bypass MFA by stealing my phone?
No — MFA requires the device biometrics or your PIN/password as a second factor. Stealing the unlocked phone alone isn't enough. Lock your phone with a strong passcode or biometrics; that's the most important habit.
Does Danipa Pay work with hardware security keys?
Yes — passkeys work with platform authenticators (Face ID / fingerprint), with iCloud Keychain / Google Password Manager (cross-device), and with hardware security keys that support WebAuthn (YubiKey, etc.).