
High-risk actions

A user can do a lot with Banno Apps and Banno Enterprise, but not all actions are created equal. Some actions are riskier than others, such as transfers to an external institution. For actions that could compromise the security of your users’ accounts, Banno apps require an extra level of authentication. We call these actions “high-risk actions.” Want to know which actions are included and how it works? Read on.

High-risk authentication

When Banno Apps and Enterprise detect a high-risk action, the user is prompted to re-enter their password. The user must enter the correct password before continuing the high-risk action. After a high-risk action is completed, an email is sent to the email address on file for the account.

Index of high-risk actions

Banno apps maintain a balance to ensure high-risk actions include significant actions, but aren’t so prevalent that they frustrate the end user. It can be hard to keep track of which actions are high-risk, so we’ve compiled a list below.

All users

  • Changing password
  • Changing username

Banno Mobile/Online only

  • Edit username
  • Edit user address
  • Edit user email
  • Edit user phone number
  • Reset 2FA
  • Adding an external or aggregated account
  • Adding or updating a bill payee
  • Adding an external transfer account
  • External transfer over a given amount, if configured
  • Enroll in Symantec
  • Initiate wires and batches
  • Zelle
    • Payments to a first time contact
    • Accepting a request for payment
    • Creating a contact
    • Adding a recipient

Enterprise only

  • Changing 2FA settings, including reset for a user
  • Managing security settings

Banno Business

  • Initiating an ACH batch
  • Initiating a wire


Why is a password required instead of receiving a 2FA code?
2FA is only used to log into the app. Re-entering the password provides an additional security mechanism. It helps ensure that the person using the app is the authorized user and prevents an unauthorized user from hijacking an account.

Once the user is logged into the app, requiring the password stops (for example) an individual who steals the user’s phone from creating a payee. If the app sent a 2FA code instead, the code would arrive on the very phone the unauthorized user is holding, and they could create the new payee.

How long are users considered high-risk authenticated?
Once a user completes a high-risk authentication, including during login, they will not have to re-authenticate for high-risk actions for the next 10 minutes.
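
The gate described on this page (password re-entry, the 10-minute window that login also starts, and the email after completion), modelled as an added example; it is not Banno's code or API. The action identifiers, the Session class, the PBKDF2 password storage and the outbox list are all assumptions made for illustration.

```python
import hashlib
import hmac

HIGH_RISK_WINDOW = 10 * 60  # seconds; the 10-minute window stated on the page
# Hypothetical identifiers for a few entries from the index above
HIGH_RISK_ACTIONS = {"change_password", "add_bill_payee", "add_external_transfer_account"}


def hash_password(password, salt):
    # Assumption: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Session:
    def __init__(self, email, salt, pw_hash, now):
        self.email, self.salt, self.pw_hash = email, salt, pw_hash
        # Login itself counts as a high-risk authentication
        self.high_risk_auth_at = now
        self.outbox = []  # stand-in for the notification email sender

    def reauthenticate(self, password, now):
        # Constant-time comparison of the derived hash against the stored one
        ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        if ok:
            self.high_risk_auth_at = now  # restart the window
        return ok

    def perform(self, action, now, password=None):
        """Return 'done', or 'password_required' when the user must re-enter it."""
        if action in HIGH_RISK_ACTIONS:
            fresh = now - self.high_risk_auth_at < HIGH_RISK_WINDOW
            if not fresh:
                if password is None or not self.reauthenticate(password, now):
                    return "password_required"
            # The action would run here; the email goes out after it completes
            self.outbox.append((self.email, action))
        return "done"
```

Timestamps are passed in as seconds so the window can be exercised without waiting; a real service would take them from a server-side clock, never from the client.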