Investing term
What is Two-factor authentication?
Requiring a second form of verification beyond your password to log in.
Two-factor authentication (2FA) requires a second proof of identity beyond your password — typically a code from an authenticator app or your device — to log in. Even if someone steals or guesses your password, they still can't get in without the second factor, so a stolen password alone becomes useless.
That dramatically reduces the chance of account takeover, which is why it's one of the simplest, highest-value protections for any account holding your money. Not all 2FA is equal: an authenticator app or a hardware key is more secure than SMS codes, which can be intercepted or stolen through SIM-swap attacks. For an investment account, enabling 2FA — ideally via an app rather than text message — is a quick step that closes off the most common way accounts are compromised.
Two-factor authentication demands a second code beyond your password, so a leaked password alone can't get in. Prefer an authenticator app over SMS, which SIM-swap attacks can defeat.
For example
A thief who phishes your password still can't log in, because your broker also demands a one-time code from your authenticator app that only you have.
Learn it by doing
That's Two-factor authentication in theory — it clicks when you use it. Practise it hands-on in a free, interactive lesson (Stage 9, Fees, Scams & Protecting Your Money).
Try the free lesson →Why it matters to you
Two-factor authentication matters because passwords alone are routinely stolen through phishing, breaches, and reuse — and 2FA makes a stolen password insufficient on its own. For accounts holding your investments, that extra layer is the difference between a leaked password being a minor annoyance and a full account takeover. It's a one-time setup that neutralises the single most common attack, which is why enabling it (preferably app-based) is near the top of any security checklist.
⚠ Relying on SMS-based 2FA
SMS codes are better than no 2FA, but they can be intercepted or stolen through SIM-swap attacks, where a fraudster takes over your phone number. For a valuable account, an authenticator app or hardware key is meaningfully more secure than text-message codes. Where possible, choose app-based 2FA over SMS, and never read out a code to anyone who contacts you.