
Authentication & security

Banno offers multiple features to ensure authentication of your end users, as well as keep their information safe and secure.

Self-enrollment

End users can enroll themselves without needing to go through your institution for that process. First-time end users can select First time user? Enroll now. on the sign-in screen, which displays an enrollment wizard where they enter their information, complete 2FA, accept the user agreement, and create credentials and a PIN. A tutorial then appears to walk the new end user through the app.

Two-factor authentication

Banno uses two-factor authentication (2FA) to keep your end users’ information safe by adding an additional layer of security. 2FA is a method of confirming a user’s identity by requiring two of three pieces of evidence:

  • Something you know (like a password)
  • Something you have (like a phone or security token)
  • Something you are (biometric data)

When your end user signs in to their online bank account using their credentials (something they know), they’re sent an SMS message to their cell phone with a password that verifies their identity. Because the SMS message is delivered outside the Banno application, to a phone in the user’s possession (something they have), the sign-in is a two-factor authentication method.

To mitigate the threat of guessed or stolen credentials, Banno requires 2FA for two scenarios:

  • It’s the end user’s first time interfacing with your app.
  • A new device is being used to access bank accounts.

To get started on the Banno Platform, new end users:

  1. Sign in to establish their first authentication factor: something they know (their credentials) or something they are (like a fingerprint).
  2. Create an account using their personally identifiable information.
  3. Carry over their username and password associated with your institution’s current online banking solution.
  4. Receive a username and temporary password issued by your institution.
  5. Designate their second authentication factor, which is something they have (like a phone).

Banno tracks the devices and browsers that sign in to user accounts by using device IDs and browser fingerprinting. Whenever end users attempt to sign in on a device that the Banno service layer doesn’t recognize, they are asked to prove their identity using 2FA, in case their credentials have been compromised.

End users can reset 2FA settings within the Security option on the Settings menu. Your institution can reset 2FA for end users in Banno People under Permissions. This reset is a high-risk action, so institution users must enter their password to reset 2FA for end users.

Passkeys

When end users log in to Banno Apps, they can authenticate with two steps by entering a username and password and completing a 2FA challenge. Both these steps have their own security vulnerabilities that persist despite industry efforts to minimize them.

End users who log in to Banno Online using a passkey—by clicking Sign in with a passkey—get a safer and easier login experience that eliminates the need to enter a password and complete 2FA. Passkeys, a standard created by the FIDO Alliance and the World Wide Web Consortium, consist of a public and private key pair. The public key is registered with the app or website, and the private key is stored on the end user’s device in their chosen passkey manager.

Passkeys can be synchronized across end user devices in the same ecosystem. For example, passkeys created on iOS or in Safari on macOS are stored in iCloud Keychain. Passkeys created in Chrome on Android are stored in the Google Password Manager. Development of passkey support by both Apple and Google is ongoing.

The app or website that the end user logs in to—including the Banno Digital Platform—does not store private passkeys. Because the private key stays with the end user rather than with the site, it can be used to authenticate across devices: for example, if an end user is logged in to their Google account on their iPhone, they can log in to Banno Online from their Android tablet and use their iPhone to authenticate their identity. Access to private passkeys within an ecosystem’s passkey manager is controlled by the same device unlock the end user already uses (PIN, fingerprint, etc.). The Banno Digital Platform has no access to an end user’s biometric information.
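As an added illustration in Go (not code from the Banno platform or from this page), the sketch below simulates the key-pair mechanics just described: the relying party stores only a public key, the private key stays on the device behind a local unlock, and each sign-in is a signature over a fresh challenge. The `RelyingParty` and `Passkey` types and the `localUnlockOK` flag are constructed for the example; real passkeys go through WebAuthn, which is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed sketch of the passkey mechanics the page describes: the bank
// (relying party) stores only public keys, the private key stays in the user's
// passkey manager behind the device unlock, and each sign-in signs a fresh RP
// challenge. Real WebAuthn adds origin binding, attestation and counters.
type Passkey struct{ priv *ecdsa.PrivateKey } // lives only on the user's device
type RelyingParty struct{ pubs map[string]*ecdsa.PublicKey } // public keys only

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubs: map[string]*ecdsa.PublicKey{}}
}

// Register creates the key pair on the device and hands the RP the public half.
func Register(rp *RelyingParty, user string) (*Passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubs[user] = &priv.PublicKey // the RP never receives priv
	return &Passkey{priv: priv}, nil
}

// Sign is the device side: the passkey manager signs only after the local
// biometric or PIN unlock succeeds (modelled as a bool); the biometric itself
// never leaves the device and is never sent to the RP.
func (pk *Passkey) Sign(challenge []byte, localUnlockOK bool) ([]byte, error) {
	if !localUnlockOK {
		return nil, errors.New("local unlock failed")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, pk.priv, h[:])
}

// Verify is the RP side: check the signature against the stored public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A compromise of the relying party's database yields only public keys, and a signature captured from one sign-in does not verify against the next challenge.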

For more details and an FAQ on how end users log in to Banno Online using passkeys, check out Sign in with a passkey.

Offline mode

Institutions can enable offline mode, as well as edit settings and save an offline mode message within Banno People under the Offline mode option on the Settings menu.

During offline mode, end users have access to certain banking features and data. An offline mode banner appears in the app during offline mode and can’t be dismissed. First-time end users who have never signed in before aren’t able to sign in to Banno during offline mode.

Offline mode is disabled by default. When enabled, a Notification message field appears. There is default text available for the offline mode message, but your institution can customize the text. Institution users must be in the Security group and have Manage all of People permissions to edit offline mode settings.

This feature is not supported for credit unions and is not available to Cash Management users.

Device management

End users with a stolen or lost device can sign in from a different device and deauthorize the compromised device. For mobile clients, this wipes all the user data the next time the device contacts a Banno server. For web clients, this requires a full 2FA login even if the user selected Remember this computer.

Devices that have been used to access Banno Online appear in the Devices section of the Security screen. End users can have their devices deauthorized for Banno Online use in two ways: they can do it themselves, or someone from your institution can deauthorize the device for them from Banno People. If end users lose a device or if someone steals their credentials, they can deauthorize the compromised device from a separate, authorized device within the Security option on the Settings menu.
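The device rules from the Two-factor authentication and Device management sections above (2FA for a first sign-in and for unrecognized devices, and deauthorization that re-challenges a remembered browser and wipes a mobile client) as an added Go example, not code from Banno; the `Account` and `Decision` types and the device ID values are constructed, and device IDs stand in for Banno's device IDs and browser fingerprints.

```go
package main

// Constructed model of the page's device rules: 2FA is required from any
// device the service does not recognize (including a first sign-in), and
// deauthorizing a device forgets it, so a remembered browser is challenged
// again and a mobile client is wiped on its next contact with the server.
type Decision struct {
	RequireTwoFactor bool
	WipeLocalData    bool
	Reason           string
}

type Account struct {
	trusted     map[string]bool // device IDs/fingerprints that completed 2FA
	wipePending map[string]bool // deauthorized mobile devices not yet wiped
}

func NewAccount() *Account {
	return &Account{trusted: map[string]bool{}, wipePending: map[string]bool{}}
}

// SignIn evaluates a sign-in with valid credentials from deviceID and says
// what else the service must demand before granting access.
func (a *Account) SignIn(deviceID string, mobile bool) Decision {
	switch {
	case mobile && a.wipePending[deviceID]:
		delete(a.wipePending, deviceID) // the wipe order is delivered once
		return Decision{true, true, "deauthorized mobile device"}
	case !a.trusted[deviceID]:
		return Decision{true, false, "unrecognized device or first sign-in"}
	}
	return Decision{false, false, "recognized device"}
}

// Complete2FA records a passed challenge; a web browser is only trusted
// afterwards if the user selected "Remember this computer".
func (a *Account) Complete2FA(deviceID string, mobile, remember bool) {
	if mobile || remember {
		a.trusted[deviceID] = true
	}
}

// Deauthorize is the self-service (or Banno People) action for a lost or
// stolen device, performed from a separate, still-authorized device.
func (a *Account) Deauthorize(deviceID string, mobile bool) {
	delete(a.trusted, deviceID)
	if mobile {
		a.wipePending[deviceID] = true
	}
}
```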

Multiple signed-in users

End users can sign in to multiple user profiles and quickly switch between them by using a PIN instead of entering a username and password. To do this, they add a profile for each secondary account. After a profile is added, the signed-in users appear at the top of the main menu, and selecting Switch shows the user list and lets them switch between profiles. End users receive push notifications for all signed-in profiles.

Rate limiting

Rate limiting is applied when an IP address appears to be suspicious. IPs with both a high number of failed sign-in attempts and a high percentage of failures are blocked until they stop attempting to log in for a period of time. The exact criteria are not shared publicly and are adjusted over time. Institutions can monitor their current overall rate limiting on the dashboard of Banno Reports.

Surprisingly, rate limiting is commonly triggered by employees at financial institutions that have recently converted to Banno entering invalid credentials. To avoid this, Banno implementation coordinators request your institution’s internal network IPs so that they can be whitelisted.
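As an added example (not Banno's implementation, whose criteria are not public), here is a Go model of the behaviour this section describes: an IP is blocked once it has both many failures and a high failure share, the block persists while the IP keeps trying and is lifted only after a quiet period, and institution IPs on an allowlist are never blocked. The `Limiter` type, its thresholds and the sample IPs are assumptions made for the example.

```go
package main

import "time"

// Constructed model of the page's rule: block an IP that has many failures
// AND a high failure share, and lift the block only once the IP stays quiet.
type ipStats struct {
	attempts, failures int
	last               time.Time
	blocked            bool
}

type Limiter struct {
	MinFailures  int             // failures needed to block (assumed value)
	MinFailShare float64         // failures/attempts needed to block (assumed)
	QuietPeriod  time.Duration   // silence required before a block is lifted
	Allow        map[string]bool // institution IPs that are never blocked
	stats        map[string]*ipStats
}

// Attempt records one sign-in outcome at time now and reports whether the IP
// is blocked. A blocked IP that keeps trying never becomes quiet, so its
// block persists; allowlisted institution IPs are never blocked.
func (l *Limiter) Attempt(ip string, ok bool, now time.Time) bool {
	if l.Allow[ip] {
		return false
	}
	if l.stats == nil {
		l.stats = map[string]*ipStats{}
	}
	s := l.stats[ip]
	if s == nil {
		s = &ipStats{}
		l.stats[ip] = s
	}
	if s.blocked && now.Sub(s.last) >= l.QuietPeriod {
		*s = ipStats{} // quiet long enough: the block is lifted
	}
	s.last = now
	if s.blocked {
		return true // refused, and the quiet clock restarts
	}
	s.attempts++
	if !ok {
		s.failures++
	}
	share := float64(s.failures) / float64(s.attempts)
	s.blocked = s.failures >= l.MinFailures && share >= l.MinFailShare
	return s.blocked
}
```

Requiring both an absolute count and a share keeps a busy but mostly successful source (a branch office behind one NAT address) from being blocked by a handful of typos.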

FAQ

When an end user chooses how to receive a 2FA code, one of their options is to select “Text message/SMS (2FA program)”. Can an institution remove “2FA program” or customize the text?
The text cannot be removed or edited, because cell phone carriers require listing a program name.