US Bank’s Over-Zealous Login Lockout

Looking for the ultimate in frustration? Try this sometime. Go to all of your bank, brokerage and credit card accounts and enter the correct username, then make up passwords and hit enter until you are locked out of your account. 

For research on a previous report in our Online Banking Report (here), I locked myself out of more than a dozen accounts. That was almost four years ago, and I have no plans to do that again, ever. However, yesterday, through a bit of miscommunication with my wife (note 1), we found ourselves locked out of our account at US Bank.

Due to this inadvertent bit of research, I found out that US Bank has added a "lock-out alert" (one step forward) to its messaging services, but fails to tell users what is going on and how to resolve it (two steps backwards). Here's what the alert looks like (see notes 2 & 3):

US Bank lock-out email message

Recommendations:

  • The alert (above) needs to tell users EXACTLY what to do next. US Bank correctly tells the 1% of users what to do if the failed login was not initiated by them (call the bank), but the bank fails to explain to the other 99%, who simply forgot their password, what they should do.
  • The screen displayed after lockout (see below) also must tell users EXACTLY what to do. US Bank's message to frustrated users: "Internet Banking is unable to verify the information you've entered. Please confirm your Personal ID and password." At the very least the bank should empathize with the user, explain the possible causes of the problem, and link them to the password reset screen.
  • Don't lock out users after only three or four attempts: US Bank locked my wife out after 3 or 4 tries, more stringent than the six allowed in our test four years ago. That is just too few. Most users who make a mistake (attempt 1) will retype the exact same info (attempt 2), then try once more paying very close attention to their typing (attempt 3), before trying a different password (attempt 4). So at minimum you must allow four tries. Even better is 5 or 6, or up to ten. The cost in customer service for locking out at 3 or 4 attempts is far more than any fraud that will be prevented with such strict measures.
  • Help users remember they created a new password: In our case, if the on-screen error message had said, "You recently changed your password, are you using the new one?", the whole episode could have been avoided. Instead, US Bank gives no information to its customers (see screenshot below). It doesn't even explicitly tell them they entered the wrong username/password. It just drops them onto this blank page that has a vague message about logging in.
  • Warn users before lockout: Tell users they are about to be locked out, with a warning such as, "One more incorrect attempt will lock you out of your account. If you've forgotten your username or password, click here."
  • Let users back in after lockout: The last time we tested, US Bank allowed users to log back in 24 hours after lockout if they remembered their username and password (note 4). That's a good policy, but why 24 hours? Why not 12 hours, or 3 hours, or 1? If you have the correct username and password, why should you not be allowed back into your account after a relatively short period of time?
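To make the recommendations above concrete, here is a small lockout routine written for this post (it is not US Bank's code and the message wording, the six-attempt threshold and the one-hour lockout window are assumptions chosen to match the argument): a warning one attempt before lockout, a hint when the password was recently changed, a lock-out alert that tells both audiences what to do, and an automatic unlock once the window has passed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_attempts: int = 6                              # assumed; the post argues 3-4 is too few
    lockout_duration: timedelta = timedelta(hours=1)   # assumed; not a blanket 24 hours


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None
    password_recently_changed: bool = False   # lets the error message explain a likely cause


def _locked_message(until: datetime) -> str:
    return (f"Your account is locked until {until:%H:%M}. "
            "If you've forgotten your password, use the password reset link.")


def login_attempt(state: AccountState, policy: LockoutPolicy, password_ok: bool,
                  now: datetime, alerts: List[str]) -> Tuple[bool, str]:
    """Evaluate one login attempt and return (allowed, user-facing message)."""
    # A lockout whose window has passed expires; a correct password then gets in.
    if state.locked_until is not None and now >= state.locked_until:
        state.locked_until, state.failures = None, 0
    if state.locked_until is not None:
        return False, _locked_message(state.locked_until)
    if password_ok:
        state.failures = 0
        return True, "Login successful."
    state.failures += 1
    remaining = policy.max_attempts - state.failures
    if remaining <= 0:
        state.locked_until = now + policy.lockout_duration
        # The lock-out alert addresses both the customer who forgot and the one who wasn't trying.
        alerts.append("Repeated failed logins have locked your account. If this wasn't you, "
                      "call us. If you forgot your password, use the reset link.")
        return False, _locked_message(state.locked_until)
    msg = "Incorrect Personal ID or password."
    if state.password_recently_changed:
        msg += " You recently changed your password; are you using the new one?"
    if remaining == 1:
        msg += " One more incorrect attempt will lock you out of your account."
    return False, msg
```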

Enough with the rant. I know these policies are in place to discourage unauthorized entry. But you also shouldn't run up your customer service costs, not to mention irritating customers, with arbitrary lockout parameters.

US Bank's screen after an unsuccessful login attempt gives almost zero info


Notes:

1. Anyone with a joint checking account can probably recognize that "a bit of a miscommunication" is a euphemism for "I forgot to tell her I changed the password."

2. An alert is generated for each failed attempt. We received three identical messages. The email address has been erased from the screenshot.

3. Note that the email is generated from the domain cs.usbank-email.com, which cannot be verified through direct navigation (it results in an error message). That looks phishy. Emails should carry the normal, user-recognizable domain, in this case usbank.com. If that's not practical, at least post a page at the email domain verifying that it is genuine.

4. It's been about 16 hours since lockout, and we still cannot get back into the account.