Account recovery

When Banno Apps end users forget their credentials or get logged out of their accounts, they can click the Forgot? link at sign in to recover their accounts. This self-service account recovery allows end users to reset their passwords without the need to contact support. Who doesn’t love quick and easy?

How it works

After clicking the Forgot? link at login, the end user simply enters two pieces of information:

  1. SSN, EIN, or ITIN
  2. Account number

This prompts the end user to complete a two-factor authentication. After a successful two-factor authentication, the user can create a new password and log in. It’s that simple.

Special cases

Sometimes, an end user may have a different experience based on their account.

The end user is not enrolled in Banno and does not have NetTeller or Episys credentials
The end user is taken to the enrollment screen when they click Forgot? and can complete the enrollment process.
The end user is not enrolled in Banno but has existing NetTeller or Episys credentials
These end users cannot use Account Recovery by username. When attempted, the end user receives an error message and is prompted to enroll. Alternatively, the end user may recover via TIN and account number instead. When selected, they are prompted to set up their email and phone number before continuing account recovery.
The end user is enrolled in Banno but does not have two-factor authentication configured
The end user is prompted to set up their email and phone number before continuing account recovery.

Account recovery is a common target for phishing attempts by malicious actors. To offer the best security for your end users, we enable account recovery link functionality by default. The end user is sent a magic link via their choice of email or SMS before completing the two-factor authentication step of account recovery. This link takes the end user back to the app, verifying that they are on the same device that requested account recovery and preventing malicious actors from intercepting the reset request and setting their own password.

This link verifies the following based on the platform the end user is attempting account recovery from:

Mobile
The link verifies that it was followed from the same device that made the account recovery request.
Online
The link verifies that it was followed from the same computer and web browser that made the account recovery request.

If we detect that the link was followed from a different source than the original request, the user will receive an error and be sent back to the beginning of the login process.
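
One way a recovery link can be bound to the requesting device, shown as an added example that is not Banno's code or a description of its implementation. It assumes an HMAC-signed link token and a random nonce kept on the requesting device (for example in an HttpOnly cookie or app storage); the function names, the 10-minute expiry and the single-use rule are assumptions for illustration.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side signing key
LINK_TTL = 600                        # assumption: link lifetime in seconds
_used = set()                         # single-use tracking (in-memory for the demo)

def start_recovery(user_id, now=None):
    """Return (device_nonce, link_token) for a new recovery request.

    device_nonce stays on the requesting device. link_token goes into the
    email/SMS link and carries only a hash of the nonce, so someone who
    intercepts the message cannot derive the nonce from it.
    """
    now = int(now if now is not None else time.time())
    device_nonce = secrets.token_urlsafe(32)
    binding = hashlib.sha256(device_nonce.encode()).hexdigest()
    payload = f"{user_id}.{now + LINK_TTL}.{binding}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return device_nonce, f"{payload}.{sig}"

def follow_link(link_token, presented_nonce, now=None):
    """Return user_id if the link is valid on this device, else None."""
    now = int(now if now is not None else time.time())
    try:
        user_id, expires, binding, sig = link_token.split(".")
        expires = int(expires)
    except ValueError:
        return None                   # malformed token
    payload = f"{user_id}.{expires}.{binding}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None                   # forged or altered link
    if now > expires or link_token in _used:
        return None                   # expired or already used
    seen = hashlib.sha256((presented_nonce or "").encode()).hexdigest()
    if not hmac.compare_digest(seen, binding):
        return None                   # different device or browser: restart login
    _used.add(link_token)
    return user_id
```

A `None` result corresponds to the error case above, where the user is sent back to the beginning of the login process.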

FAQ


Can account recovery lock out an account?
Yes, if an end user has too many failed attempts to recover their password, an error message stating Too many attempts displays on the screen. They have the option to Close the error message or contact your institution by clicking Call now. Their account locks for 24 hours before they can attempt password recovery again. The number of failed attempts permitted before the account locks depends on the information the customer uses for recovery:
Banno username
5 failed attempts
ITIN
5 failed attempts
EIN
5 failed attempts
SSN
5 failed attempts
Account number
5 failed attempts
IP address
50 failed attempts
Is account recovery available to cash management users?
Yes, end users utilizing cash management features can use the account recovery feature.
If an end user receives a password reset email and then remembers their password, do they still need to reset their password before logging in?
If the end user remembers their password, they can log in without resetting it.