Investing term

What is Two-factor authentication?

Requiring a second form of verification beyond your password to log in.

Two-factor authentication (2FA) requires a second proof of identity beyond your password — typically a code from an authenticator app or your device — to log in. Even if someone steals or guesses your password, they still can't get in without the second factor, so a stolen password alone becomes useless.

That dramatically reduces the chance of account takeover, which is why it's one of the simplest, highest-value protections for any account holding your money. Not all 2FA is equal: an authenticator app or a hardware key is more secure than SMS codes, which can be intercepted or stolen through SIM-swap attacks. For an investment account, enabling 2FA — ideally via an app rather than text message — is a quick step that closes off the most common way accounts are compromised.

A stolen password isn't enough
A stolen password alone isn't enoughPasswordstolen — but not enough+App codeonly you have itAccess grantedPrefer an authenticator app over SMS, which SIM-swaps can defeat.

Two-factor authentication demands a second code beyond your password, so a leaked password alone can't get in. Prefer an authenticator app over SMS, which SIM-swap attacks can defeat.

For example

A thief who phishes your password still can't log in, because your broker also demands a one-time code from your authenticator app that only you have.

Learn it by doing

That's Two-factor authentication in theory — it clicks when you use it. Practise it hands-on in a free, interactive lesson (Stage 9, Fees, Scams & Protecting Your Money).

Try the free lesson →

Why it matters to you

Two-factor authentication matters because passwords alone are routinely stolen through phishing, breaches, and reuse — and 2FA makes a stolen password insufficient on its own. For accounts holding your investments, that extra layer is the difference between a leaked password being a minor annoyance and a full account takeover. It's a one-time setup that neutralises the single most common attack, which is why enabling it (preferably app-based) is near the top of any security checklist.

Relying on SMS-based 2FA

SMS codes are better than no 2FA, but they can be intercepted or stolen through SIM-swap attacks, where a fraudster takes over your phone number. For a valuable account, an authenticator app or hardware key is meaningfully more secure than text-message codes. Where possible, choose app-based 2FA over SMS, and never read out a code to anyone who contacts you.

Frequently asked questions

What is two-factor authentication?

Two-factor authentication (2FA) requires a second proof of identity beyond your password to log in — usually a one-time code from an app or device. Because a stolen password alone is then not enough to access the account, 2FA sharply reduces the risk of account takeover.

Why should I enable 2FA on my investment account?

Because passwords are frequently stolen through phishing and data breaches, and 2FA makes a stolen password insufficient by itself. For an account holding your money, that extra layer is the difference between a leaked password being a minor issue and a full takeover. It's a quick, high-value protection.

Is app-based 2FA better than SMS?

Generally yes. SMS codes can be intercepted or stolen via SIM-swap attacks, where someone hijacks your phone number. An authenticator app or a hardware security key isn't vulnerable in the same way, so it's more secure. Where a service offers a choice, app-based or hardware 2FA is preferable to text-message codes.

Related terms

← Back to the full glossary