Authentication & security

Our devices are with us wherever we go. Whether we’re at home, at work, or on the go, we expect access to everything we need at all times—and our finances are no exception. But having everything at your fingertips means it’s that much closer to potential cyber criminals. That’s why our developers work tirelessly to enforce the strictest security standards for Banno Apps. Whether it’s secure authentication or end-to-end encryption, Banno Apps make sure your customers are always secure, no matter where they’re taking their finances today.

How does Banno stay secure?

When it comes to security, knowledge is power. That’s why our dedicated Security team reviews security breaches for the biggest tech companies in the world, utilizes the most up-to-date security standards, and undergoes rigorous security reviews and testing to ensure Banno Apps are as secure as possible. Need more specifics? We’ve got you covered.

Account Recovery

When Banno Apps end users forget their credentials or get logged out of their accounts, they can click the Forgot? link at sign in to recover their accounts. This self service account recovery allows end users to reset their passwords without the need to contact support. Who doesn’t love quick and easy?

How it works

When an end user clicks the Forgot? link when logging in, they can simply enter two pieces of information:

SSN, EIN, or ITIN
Account number

This prompts the end user to complete a two-factor authentication. After a successful two-factor authentication, the user can create a new password and log in. It’s that simple.

Special cases

Sometimes, an end user may have a different experience based on their account.

The end user is not enrolled in Banno and does not have NetTeller or Episys credentials: The end user is taken to the enrollment screen when they click Forgot? and can complete the enrollment process.
The end user is not enrolled in Banno but has existing NetTeller or Episys credentials: These end users cannot use Account Recovery by username. When attempted, the end user recieves an error message and is prompted to enroll. Alternatively, the end user may recover via TIN and account number instead. When selected, they are prompted to set up their email and phone number before continuing account recovery.
The end user is enrolled in Banno but does not have two-factor authentication configured: The end user is prompted to set up their email and phone number before continuing account recovery.

Additional security via recovery link

Account recovery is a common target for phishing attempts by malicious actors. In order to offer the best security for your end users, we enable an account recovery link functionality by default. The end user is sent a magic link via their choice of email or SMS before completing the two-factor authentication step of account recovery. This link takes the end user back to the app, verifying that they are on the same device that requested account recovery and preventing malicious actors from intercepting the reset request and setting their own password.

This link verifies the following based on the platform the end user is attempting account recovery from:

Mobile: The link verifies that it was followed from the same device that made the account recovery request.
Online: The link verifies that it was followed from the same computer and web browser that made the account recovery request.

If we detect that the link was followed from a different source than the original request, the user will receive an error and be sent back to the beginning of the login process.

FAQ

Can account recovery lock out an account?

Yes, if an end user has too many failed attempts to recover their password, an error message stating Too many attempts displays on the screen. They have the option to Close the error message or contact your institution by clicking Call now. Their account locks for 24 hours before they can attempt password recovery again. The number of failed attempts permitted before the account locks depends on the information the customer uses for recovery:

Banno username: 5 failed attempts
ITIN: 5 failed attempts
EIN: 5 failed attempts
SSN: 5 failed attempts
Account number: 5 failed attempts
IP address: 50 failed attempts

Is account recovery available to cash management users?

Yes, end users utilizing cash management features can use the account recovery feature.

If an end user receives a password reset email and then remembers their password, do they still need to reset their password before logging in?

If the end user remembers their password, they can login without resetting it.

Offline Mode User Experience

Because of the different end user login experience between Banno Online and Banno Mobile, Offline mode applies only to Banno Online. Online end users must enter their credentials with every login, while the majority of Mobile end users remain authenticated even if they aren’t using the app.

Enable Offline Mode

Banno People
Settings
Offline mode

In Banno People, create and enable a message for all end users to view in the app.

Banks

Existing end user

An existing end user is someone who has previously enrolled or logged on to Banno. When your institution enables Show message to users or Core offline, an existing end user can successfully:

Log on to Banno Mobile 24/7.
Access available features.
View their most recent account information synced from the Banno layer.

The Message displays across the top of the login, dashboard, and change profile pages. When an end user accesses Banno Online via a deep link or passkey, the Message displays in the app but the end user can close the notification. This approach ensures that end users who bypass the login and dashboard pages still receive the notification initially; however, such users will need to view the dashboard for the message to display again.

New end user

A new end user is someone who hasn’t enrolled or hasn’t previously logged on to Banno. When your institution enables Offline mode, a new user’s experience differs from an existing user’s experience. On the login page, the notification message still shows to all users, but a new user who attempts to log in receives the following error message, “Oops! We’re currently in maintenance mode and are unable to process your request. We apologize for the inconvenience. Please try again later.”

A new user can successfully log in when Offline mode is disabled.

Credit unions

When your institution enables Show message to users, the Message displays across the top of the login, dashboard, and change profile pages. When core is down for credit unions, end users are unable to login to Banno Online. They can’t login on to Mobile with their username and password, but they can login with their PIN or biometrics and see cached data.

Your website is the front door to online banking, so it makes sense to let your customers start the process of signing in from there. With Banno, security and delightful experiences are in equal tension, creating a powerful platform for you and your users.

You can enable signing in from your website by adding a simple HTML form to your site that asks for a username. Once a user submits that form, they are taken to the online banking site where they can enter their password followed by two-factor authentication challenges.

Make sure to get some help from a web developer or a designer.

Use this code, or something like it, to place the form on your site:

<form method="POST" action="https://my.ovation-fi.com/login" autocomplete="off">
  <label>
    Username
    <input type="text" name="username" spellcheck="off" autocorrect="off" autocapitalize="off" required>
  </label>
  <button type="submit">Sign in</button>
  <a href="https://my.ovation-fi.com/forgot">Forgot?</a>
  <a href="https://my.ovation-fi.com/enroll">Enroll</a>
</form>

Password entry is not supported from the remote sign in form. If it’s sent, it will be ignored and the user will have to enter it again.

Session Timeouts

For security reasons, users are automatically logged out from from their accounts after a set amount of time. Users will need to re-enter their credentials to keep using their app after these timeout periods.

Banno Online

Banno Online users are logged out after 20 minutes of inactivity. Active users will be forced to log out after 24 hours.

Banno Mobile

Banno Mobile users will not be logged out automatically provided they actively use the app. Mobile users will only be logged out if they do not use the mobile app for 90 days.

Users attempting to log in may also time out. For example, if a user has entered their username and password, but have not entered their two-factor authentication code, they will have to re-enter their username and password after a set period.

Active users logging in have 10 minutes to complete the login process. Inactive users will be logged out after five minutes during the log in process.

Users performing a high risk action will have 5 minutes to complete the log in process, regardless of activity.

FAQ

Which security exams does Banno undergo?: In addition to the FFIEC security exams and SOC2 audits you’d expect from your fintech provider, Banno adheres to a host of rigorous exams and security practices every day. A full list of security and compliance measures can be found in our Due Diligence packet.
Can users sign out of Banno apps?: It’s typically unnecessary to sign out of Banno Mobile or Banno Online if the user has signed in on their own devices due to the enforcement of 4-digit pin and biometrics on Mobile and a session timeout in Banno Online.

To sign out of Banno Mobile, the user must be connected to the internet. This is crucial so that we can clear device and push notification information from the Banno service. If there is a network error, the user will be shown a message to retry signing out.