Jack Henry Identity
Jack Henry Identity is an enterprise-level authentication service, meaning it verifies the identity of financial institution employees when they attempt to log into various Jack Henry applications. Jack Henry Identity is the go-forward enterprise authentication solution at Jack Henry, so over time, more products will integrate with it, creating a unified login experience across Jack Henry products for employees at your financial institution.
Which Jack Henry products are supported?
Jack Henry Identity is currently being implemented for Banno Digital Platform and LoanVantage customers. As other products begin to integrate to Jack Henry Identity, financial institution employees will be able to use their Jack Henry Identity login credentials to access these products too. Xperience SSO functionality will not be affected, and will continue to work as it does today. Please note that Jack Henry Identity will have no effect on your end users.
How does Jack Henry Identity work?
You can think of Jack Henry Identity in the same way you’d think about any other third-party authentication provider like Okta, Entra ID, or PingID, to name a few. When you log into an application, these providers verify your identity via password credentials and 2FA before you can get into the system, ensuring access is limited only to authorized users. Not only that, but authentication providers also manage user identities in the background, keeping track of their credentials so that their information can be accurately verified at login.
Rather than each Jack Henry product using a different service for this enterprise authentication, Jack Henry Identity is a shared service that other Jack Henry products can integrate with so that your enterprise users will eventually only have to maintain a single set of login credentials for all their Jack Henry products. In the interim, while you still have a mix of Jack Henry Identity-integrated and non-integrated products, your enterprise users will still have to maintain separate credentials for different products.
It is important to note that while Jack Henry Identity facilitates the overarching authentication framework, the crucial aspects of user management and the assignment of specific user permissions are handled by distinct, specialized platform services. We are planning to integrate Jack Henry Identity with various identity providers, such as Active Directory and Google Identity, which will make it easier for you to map over existing enterprise user roles, permissions, and credentials to Jack Henry Identity.
Login experience
Before an enterprise user can create their credentials and perform initial login, they must first receive and accept an invite to create an account. At initial login, enterprise users will be prompted to create and verify their password, set up an authentication method, and complete their user profile. In subsequent login attempts, enterprise users will navigate to the respective product application login screen, be re-directed to the Jack Henry Identity login experience, and continue through the authentication flow with their email, password, and 2FA method.
Enterprise users must be granted one of two permissions within Users & Groups before they can log into products via Jack Henry Identity. If your financial institution does not have the Xperience SSO configured, then enterprise users must use the Permit sign in via Banno option.
- Permit sign in via Banno
- Allows a user to log in via banno.com.
- Permit sign in via Xperience
- Allows a user to access Banno Admin apps in Xperience without needing to re-authenticate. (This permission is only available for Banno. For non-Banno products, an enterprise user must have the Permit sign in via Banno permission because Jack Henry Identity currently only supports browser-based authentication.)
Note: In the short term, you may notice references to Banno, even if you are not a Banno customer. This is because Jack Henry Identity was initially developed as a Banno solution. Eventually, all Banno references will be updated to the more universal Jack Henry Identity term.
Password requirements:
- Passwords must match
- At least 1 number required
- Password should be between 16 and 128 characters in length
- Password should have at least 1 lowercase letter
- Password should have at least 1 special character
- Password should have at least 1 uppercase letter
Supported 2FA methods:
- Voice/Text
- Authenticator app
- FIDO security key
Eventually, Jack Henry Identity will offer all the same authentication methods as our consumer authentication framework, Unified Identity Service.
User profile fields:
- First Name (required)
- Last Name (required)
- Phone Number
- Timezone
- Profile Photo
Edit profile and security preferences
Today, enterprise users manage their profile and security preferences through Users & Groups.
In the near future, this functionality will also be accessible through login.jackhenry.com, which will take users to the new Jack Henry Identity experience where they can edit their own profile and security preferences. Enterprise users who go to change their profile or security settings within Users & Groups will be redirected to this new experience.
Within Jack Henry Identity, enterprise users can view and edit their profile and security details by selecting their profile in the bottom left corner. On the Profile tab, they can edit their first name, last name, phone number, or timezone. From the Security tab, enterprise users can configure their 2FA methods and reset their username or password.
Active Directory considerations
If your financial institution wants to integrate your Active Directory password store and profile system of record, then profile edits and security preference changes will be managed through Active Directory instead of Jack Henry Identity. In this scenario, Active Directory will be the source of truth for enterprise users’ credentials and Jack Henry Identity will simply verify against Active Directory’s credential store whenever an enterprise user tries to authenticate.
Password resets
Once enterprise users can reach Jack Henry Identity through login.jackhenry.com, they will be able to reset their password by going to their profile, navigating to the Security tab, and editing their password. Before changing their password, they will be prompted to authenticate themselves through their configured 2FA method.
Active Directory considerations
If your financial institution wishes to integrate your Active Directory credential store, the self-service password reset option will no longer appear in Jack Henry Identity and password rules and resets will instead be managed through Active Directory following your IT recovery process.
FAQ
- Is logging in via banno.com/a/login still supported?
- As of October 27, 2025, all users accessing Banno Admin at https://banno.com/a/login will be redirected to https://login.jackhenry.com to enter credentials. If a user navigates directly to the new login URL’s instead of starting at a product-specific URL (such as https://banno.com/a/login), they will be able to authenticate but will not be redirected to any product’s URL. Instead, they will land on their Profile and Security account settings page.