Authentication & security
Banno offers multiple features to authenticate your end users and to keep their information safe and secure.
End users can enroll themselves without needing to go through your institution for that process. First-time end users can select First time user? Enroll now. on the sign-in screen, which displays an enrollment wizard where they enter their information, complete 2FA, accept the user agreement, and create credentials and a PIN. A tutorial then appears to walk the new end user through the app.
Banno uses two-factor authentication (2FA) to keep your end users’ information safe by adding an additional layer of security. 2FA is a method of confirming a user’s identity by requiring two of three pieces of evidence:
- Something you know (like a password)
- Something you have (like a phone or security token)
- Something you are (biometric data)
When your end user signs in to their online bank account using their credentials (something they know), they’re sent an SMS message on their cell phone containing a password that verifies their identity. Because the SMS message is delivered to the user’s phone, outside the Banno application (something they have), the sign-in is a two-factor authentication method.
To mitigate the threat of guessed or stolen credentials, Banno requires 2FA for two scenarios:
- It’s the end user’s first time interfacing with your app.
- A new device is being used to access bank accounts.
To get started on the Banno Platform, new end users:
- Sign in to establish their first authentication factor: something they know (their credentials) or something they are (like a fingerprint). Their credentials come from one of these sources:
  - Create an account using their personally identifiable information.
  - Carry over the username and password associated with your institution’s current online banking solution.
  - Receive a username and temporary password issued by your institution.
- Designate their second authentication factor, which is something they have (like a phone).
Banno keeps track of the devices and browsers that sign in to user accounts by using device IDs and browser fingerprinting. Whenever end users attempt to sign in from a device that the Banno service layer doesn’t recognize, they are asked to prove their identity using 2FA, in case their credentials have been compromised.
End users can reset 2FA settings within the Security option on the Settings menu. Your institution can reset 2FA for end users in Banno People under Permissions. This reset is a high-risk action, so institution users must enter their password to reset 2FA for end users.
Institutions can enable offline mode, as well as edit settings and save an offline mode message within Banno People under the Offline mode option on the Settings menu.
During offline mode, end users have access to certain banking features and data. An offline mode banner appears in the app during offline mode and can’t be dismissed. First-time end users who have never signed in before aren’t able to sign in to Banno during offline mode.
Offline mode is disabled by default. When enabled, a Notification message field appears. There is default text available for the offline mode message, but your institution can customize the text. Institution users must be in the Security group and have Manage all of People permissions to edit offline mode settings.
This feature is not supported for credit unions and is not available to Cash Management users.
End users with a stolen or lost device can sign in from a different device and deauthorize the offending device. For mobile clients, this wipes all the user data the next time the device contacts a Banno server. For web clients, this requires a full 2FA login even if the user selected Remember this computer.
Devices that have been used to access Banno Online appear in the Devices section of the Security screen. A device can be deauthorized for Banno Online use in two ways: the end user can do it themselves, or someone from your institution can deauthorize it for them from Banno People. If end users lose a device, or if someone steals their credentials, they can deauthorize the compromised device from a separate, authorized device within the Security option on the Settings menu.
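The device-recognition and deauthorization behaviour described above (unknown device triggers 2FA, a remembered web browser skips it until deauthorized, a deauthorized mobile device is wiped on its next server contact) can be modelled as a small per-user device registry. The following is an added example, not Banno’s code: the user name, device IDs, the "mobile"/"web" labels and the in-memory registry are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class DeviceRecord:
    """One device or browser that has completed 2FA for a user (constructed model)."""
    device_id: str            # device ID or browser fingerprint
    kind: str                 # "mobile" or "web"; labels are an assumption of this example
    remembered: bool = False  # web only: the user chose "Remember this computer"


@dataclass
class UserSecurity:
    """Per-user device registry that decides when the second factor is required."""
    username: str
    devices: dict = field(default_factory=dict)      # device_id -> DeviceRecord
    pending_wipes: set = field(default_factory=set)  # mobile devices to wipe on next contact

    def sign_in_requires_2fa(self, device_id: str) -> bool:
        """Called after the first factor (credentials) has been verified.
        A device the service does not recognise always triggers 2FA; this also
        covers a first-time user, who has no recognised devices yet."""
        rec = self.devices.get(device_id)
        if rec is None:
            return True
        if rec.kind == "web":
            # A browser skips 2FA only while it is remembered and still authorized.
            return not rec.remembered
        return False

    def complete_2fa(self, device_id: str, kind: str, remember: bool = False) -> None:
        """Record the device as recognised once the SMS password has been verified."""
        self.devices[device_id] = DeviceRecord(device_id, kind, remembered=(kind == "web" and remember))
        self.pending_wipes.discard(device_id)

    def deauthorize(self, acting_device: str, target_device: str) -> bool:
        """Deauthorize `target_device` from a separate, still-authorized device.
        Mobile devices are queued for a data wipe; a web browser simply loses its
        remembered status, so its next sign-in needs full 2FA. Returns True if a
        device was actually removed."""
        if acting_device not in self.devices or acting_device == target_device:
            raise PermissionError("deauthorization must come from a different authorized device")
        rec = self.devices.pop(target_device, None)
        if rec is None:
            return False
        if rec.kind == "mobile":
            self.pending_wipes.add(target_device)
        return True

    def on_device_contact(self, device_id: str) -> str:
        """Server-side instruction when a mobile client checks in: 'wipe' or 'ok'."""
        if device_id in self.pending_wipes:
            self.pending_wipes.discard(device_id)
            return "wipe"
        return "ok"


def demo() -> dict:
    """Walk through the scenarios in the text and return each decision."""
    user = UserSecurity("alice")  # constructed user
    out = {}
    out["first_time"] = user.sign_in_requires_2fa("laptop-1")        # nothing recognised yet
    user.complete_2fa("laptop-1", "web", remember=True)
    out["remembered_web"] = user.sign_in_requires_2fa("laptop-1")    # remembered browser
    user.complete_2fa("phone-1", "mobile")
    out["known_mobile"] = user.sign_in_requires_2fa("phone-1")
    out["new_device"] = user.sign_in_requires_2fa("tablet-9")        # never seen before
    # The phone is stolen: deauthorize it from the laptop, then the phone checks in.
    user.deauthorize("laptop-1", "phone-1")
    out["stolen_phone_contact"] = user.on_device_contact("phone-1")  # wiped once
    out["phone_second_contact"] = user.on_device_contact("phone-1")
    # Re-enrol the phone, then deauthorize the laptop from it: "remember" no longer helps.
    user.complete_2fa("phone-1", "mobile")
    user.deauthorize("phone-1", "laptop-1")
    out["deauthorized_web"] = user.sign_in_requires_2fa("laptop-1")
    return out


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

The deauthorization call deliberately refuses to act from the device being deauthorized, mirroring the requirement that the action come from a separate, authorized device.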
Multiple signed-in users
End users can sign in to multiple user profiles and quickly switch between them using a PIN instead of entering a username and password. To switch between profiles, they must first add a profile for each secondary account. After a profile has been added, the signed-in users appear at the top of the main menu, and selecting Switch lets them view the user list and switch between the profiles. End users receive push notifications for all signed-in profiles.
Rate limiting occurs when an IP address appears to be suspicious. IPs that have a high number of failed sign-in attempts and a high percentage of failures are blocked until they stop attempting to sign in for some time. The exact criteria are not shared publicly and are adjusted over time. Institutions can monitor their current overall rate limiting on the dashboard of Banno Reports.
Surprisingly, rate limiting is commonly triggered by employees at financial institutions that have recently converted to Banno entering invalid credentials. To prevent this, Banno implementation coordinators request your institution’s internal network IPs so that they can be whitelisted.
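The rate-limiting behaviour described in the two paragraphs above (block an IP with many failures and a high failure percentage, lift the block only after it goes quiet, exempt the institution’s internal ranges) can be illustrated by running a simple limiter over sign-in log lines. This is an added example, not Banno’s implementation: the window, thresholds and quiet period are assumptions, the log format and every IP address are constructed, and the 10.20.0.0/16 allowlist stands in for the internal ranges an institution would give its implementation coordinator.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

WINDOW = timedelta(minutes=10)        # attempts counted toward the failure rate (assumed)
MIN_ATTEMPTS = 10                     # need a meaningful sample before blocking (assumed)
MIN_FAILURE_RATIO = 0.8               # "high percentage of failures" (assumed)
QUIET_PERIOD = timedelta(minutes=15)  # block lifts only after the IP stops trying (assumed)

# Institution-internal ranges to exempt (constructed value).
ALLOWLIST = [ip_network("10.20.0.0/16")]


@dataclass
class IpState:
    attempts: list = field(default_factory=list)  # (timestamp, success) within WINDOW
    last_seen: Optional[datetime] = None
    blocked: bool = False


class IpRateLimiter:
    def __init__(self):
        self.state = defaultdict(IpState)

    def attempt(self, ts: datetime, ip: str, success: bool) -> str:
        """Decide one sign-in attempt: 'allowlisted', 'blocked' or 'allowed'.
        A blocked attempt is rejected before credentials are checked, so its
        `success` value is ignored, but it still counts as the IP 'still trying'."""
        if any(ip_address(ip) in net for net in ALLOWLIST):
            return "allowlisted"
        st = self.state[ip]
        if st.blocked:
            if st.last_seen is not None and ts - st.last_seen >= QUIET_PERIOD:
                st.blocked = False  # the IP went quiet long enough; start over
                st.attempts.clear()
            else:
                st.last_seen = ts
                return "blocked"
        st.last_seen = ts
        st.attempts = [(t, ok) for t, ok in st.attempts if ts - t <= WINDOW]
        st.attempts.append((ts, success))
        failures = sum(1 for _, ok in st.attempts if not ok)
        if len(st.attempts) >= MIN_ATTEMPTS and failures / len(st.attempts) >= MIN_FAILURE_RATIO:
            st.blocked = True  # takes effect from the next attempt
        return "allowed"


def parse_line(line: str):
    """Parse '<ISO timestamp> <ip> <SUCCESS|FAIL>' (constructed log format)."""
    ts, ip, outcome = line.split()
    return datetime.fromisoformat(ts), ip, outcome == "SUCCESS"


def build_sample_log() -> list:
    """Constructed events: a credential-guessing IP, a customer who mistypes
    twice, and a branch workstation inside the allowlisted range."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(12):  # 12 failures in under six minutes
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} 203.0.113.7 FAIL")
    lines.append(f"{(t0 + timedelta(minutes=7)).isoformat()} 203.0.113.7 FAIL")   # still blocked
    lines.append(f"{(t0 + timedelta(minutes=30)).isoformat()} 203.0.113.7 FAIL")  # quiet period elapsed
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} 198.51.100.4 FAIL")
    lines.append(f"{(t0 + timedelta(minutes=2)).isoformat()} 198.51.100.4 FAIL")
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} 198.51.100.4 SUCCESS")
    for i in range(15):  # staff still typing credentials from the old system
        lines.append(f"{(t0 + timedelta(seconds=20 * i)).isoformat()} 10.20.5.5 FAIL")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically as strings


def run(lines: list) -> dict:
    """Feed the log through the limiter in time order; return decisions per IP."""
    limiter = IpRateLimiter()
    decisions = defaultdict(list)
    for line in lines:
        ts, ip, ok = parse_line(line)
        decisions[ip].append(limiter.attempt(ts, ip, ok))
    return dict(decisions)


if __name__ == "__main__":
    for ip, ds in run(build_sample_log()).items():
        print(ip, ds)
```

Two properties of the page’s description are visible in the output: the guessing IP is blocked only after both the count and the failure percentage are high, and it is let through again only once it has stopped trying for the whole quiet period, while the internal range never contributes to the block list at all.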