This ScotiaConnect access guide covers the authenticated-portal sign-in flow that commercial users see after a new profile is created: welcome email, enrolment, password set, second-factor binding, and the first clean sign-in. It is an informational walkthrough for readers preparing to onboard a team, not a live support channel.
A clean first ScotiaConnect sign-in depends on three things being correct before the user even opens the enrolment page: the welcome email has arrived, the second-factor device is ready, and the user's role and permissions have been configured by the client security officer.
The ScotiaConnect first-time sign-in sequence assumes a named user already has a company profile, a role with explicit permissions, and a pending second-factor enrolment. The client security officer completes those steps inside the administration console before releasing the welcome email to the user. Until that release happens, the enrolment page will not accept the user ID, and the second-factor binding will not approve.
Users on a new device should install the approved mobile soft-token app, or unbox the hardware token supplied by the security officer, before starting enrolment. The enrolment flow expects the second factor to be available in the same session, and re-starting the flow mid-way can invalidate the one-time activation code. The security standards page explains the control model that sits behind these steps.
The mobile banking app is a separate install and a separate sign-in path after the desktop-side enrolment is complete. Mobile-first enrolment is not supported for commercial profiles because the device-binding step requires the security officer's parallel approval and that approval happens in the desktop admin console.
Step one is opening the ScotiaConnect welcome email sent by the security officer. That email contains the user ID, a link to the enrolment page, and a one-time activation code valid for seventy-two hours. Users should complete the remaining steps inside that window — an expired code forces the security officer to reissue the welcome email.
Step two is visiting the enrolment page on a supported desktop browser and entering the user ID plus the activation code. Step three is setting a password that meets complexity requirements and does not match the last ten generations. Step four is enrolling the second factor — either the mobile soft-token (scan a binding QR code) or the hardware token (enter the seed code on the back of the device).
Step five is confirming device binding by entering the first challenge code. The security officer receives a binding notification and typically approves within one business day; ScotiaConnect does not release full payment permissions until the binding is approved. Step six is the first clean sign-in: user ID, password and second-factor code. The session is active and the account reporting surfaces are visible immediately.
The eight rows below cover first-time enrolment, daily sign-in, and the most common fallback scenarios. Each row names the step, the user action, the expected outcome inside ScotiaConnect, and the fallback path when the step does not behave as expected.
| Step | Action | Expected result | Fallback |
|---|---|---|---|
| 1. Welcome email | Open message and note activation code | 72-hour window opens | Expired: ask officer to reissue |
| 2. Enrolment page | Enter user ID and activation code | Password-set form appears | Rejected: confirm officer released profile |
| 3. Password set | Choose a password meeting complexity rules | Confirmation, continue to 2FA | Failed complexity: adjust length or characters |
| 4. Second-factor enrol | Scan QR or enter hardware seed | Binding started, awaiting approval | Scan fails: use manual seed entry |
| 5. Device confirmation | Enter first challenge code | Binding approved within 1 business day | Delay: escalate via security officer |
| 6. First sign-in | Enter user ID, password, second-factor code | Session active, dashboard visible | Locked: officer must reset after 3 fails |
| 7. Daily sign-in | Enter credentials, provide step-up when prompted | Session active, defaults to 8 hours | Browser cache stale: clear and retry |
| 8. Password reset | Use forgot-password link, answer knowledge Qs | Reset email within 5 minutes | Knowledge Q fails: officer resets manually |
After the first sign-in, daily access is a short three-field form: user ID, password, second-factor code. A step-up authentication prompt appears inside the session before sensitive actions such as wire release, positive-pay decisions or user-profile edits. The step-up code is a fresh second-factor reading, not a reuse of the sign-in code. Sessions default to fifteen-minute inactivity timeout and eight-hour absolute length; the client security officer can tighten either value.
Password reset is self-service for users whose knowledge questions were set at enrolment. Click the forgot-password link, answer the knowledge questions, and watch for the reset email that arrives within five minutes. Users who cannot complete the knowledge check ask the client security officer for a manual reset. Password-manager users should store both the password and the knowledge-question answers, because the reset flow is blocked without them.
Browser issues tend to trace to three causes: stale cache, clock drift on the second-factor device, or an IP-allow-list mismatch when signing in from a new network. The US consumer-protection regulator the Federal Trade Commission publishes general guidance on secure sign-in practices for US readers; the underlying principles — fresh codes, clean cache, trusted device — apply equally to ScotiaConnect.
Check that the device clock is accurate — soft-token codes rely on time synchronization with the ScotiaConnect server. If the clock is correct, request a new code rather than retrying the failed one, since a used code is invalid even if it is still on screen.
After three failed codes the user ID locks and the security officer must reset it. The lock is a deliberate control; do not keep trying after the third failure.
Current versions of Chrome, Edge, Firefox and Safari on Windows and macOS are supported. Older browsers that cannot negotiate TLS 1.2 or above are refused at the transport layer and never reach the sign-in form.
Mobile-browser sign-in is not recommended for payment origination. The dedicated ScotiaConnect mobile app is the supported mobile path for balance review, payment approval and positive-pay decisions.
No. The mobile app is scoped to balance review, payment approval and positive-pay decisions. Payment initiation remains desktop-first, especially for high-value batches that require dual approval and structured file import. This is a deliberate control choice.
Biometric unlock and device binding on the mobile app make it a comfortable daily tool for approvers. Originators still spend the majority of their ScotiaConnect time on the desktop.
Users click the forgot-password link on the ScotiaConnect sign-in page and answer the knowledge questions set during enrolment. The portal then emails a reset link valid for fifteen minutes. Users who cannot complete the knowledge check contact the client security officer for a manual reset.
Password-manager users should store both the password and the knowledge-question answers, because without the answers the self-service reset path is blocked.
Confirm the IP-allow-list does not exclude the current network, clear browser cache, verify the device clock for the second factor, and check that the account is not locked after failed attempts. If all four checks pass and access is still blocked, the security officer can review the audit log to diagnose the root cause.
Persistent blocks that are not resolved by these checks often trace to a stale device binding after a phone replacement or a hardware-token battery failure. Both require the security officer to re-issue the binding.
“We used this ScotiaConnect walkthrough as the one-pager for new hires in payroll ops. The six-step sequence and the fallback column on the table cut our new-hire sign-in time in half, and every new user cleared the seventy-two-hour activation window on the first try.”
— Xiao-Ming R. FengPayroll Operations Lead, Birchpoint Medical Supplies