
Account recovery

When Banno Apps end users forget their credentials or get logged out of their accounts, they can click the Forgot? link at sign in to recover their accounts. This self-service account recovery lets end users reset their passwords without contacting support. Who doesn't love quick and easy?

How it works

When an end user clicks the Forgot? link at sign in, they are asked for two pieces of information:

  1. SSN, EIN, or ITIN
  2. Account number

The end user is then prompted to complete two-factor authentication. After a successful two-factor authentication, the user can create a new password and log in. It's that simple.

Special cases

An end user's experience may differ depending on the state of their account:

The user is not enrolled in Banno and does not have NetTeller or Episys credentials
The user is taken to the enrollment screen when they click Forgot? and can complete the enrollment process.
The user is not enrolled in Banno but has existing NetTeller or Episys credentials
The user is prompted to set up their email and phone number before continuing account recovery.
The user is enrolled in Banno but does not have two-factor authentication configured
The user is prompted to set up their email and phone number before continuing account recovery.

Account recovery flows are a common target for phishing and account-takeover attempts. The information collected in the first step (SSN, EIN, ITIN and account number) is not secret: it appears on statements and tax forms and is routinely exposed in data breaches, so the two-factor step and the recovery link carry the real security of the flow. To offer the best protection for your end users, we recommend contacting your support representative to enable the account recovery link feature.

When enabled, the end user is sent a magic link via their choice of email or SMS before the two-factor authentication step of account recovery. The link takes the user back to the app and verifies that it was opened on the same device that requested account recovery. This stops an attacker who initiates or intercepts a reset request from completing it on a different device and setting their own password.

This link verifies the following based on the platform the end user is attempting account recovery from:

Mobile
The link verifies that it was followed from the same device that made the account recovery request.
Online
The link verifies that it was followed from the same computer and web browser that made the account recovery request.

If the link is followed from a different source than the original request, the user receives an error and is sent back to the beginning of the login process, and must start over.

FAQ


Can account recovery lock out an account?
Yes. If an end user exceeds the permitted number of failed recovery attempts, account recovery is locked for 24 hours before it can be attempted again. Failed attempts are counted separately for each piece of information used in recovery and for the source IP address, with the following thresholds:
Banno username
5 failed attempts
ITIN
5 failed attempts
EIN
5 failed attempts
SSN
5 failed attempts
Account number
5 failed attempts
IP address
50 failed attempts