Two-Factor Authentication (2FA) is a trusted technology that allows financial institutions like us to verify your online identity using 2 distinct factors:
Your password; and
A one-time password (OTP), which is generated by Google Authenticator (mobile app) installed on your mobile device.
If you use two-factor authentication with your OANDA account, you will need to enter the OTP after your password when logging in to your account.
The key objectives of 2FA are to protect your online trading account and information from unauthorised access, and enhance the overall security of our online trading platform.
2FA is not compulsory when trading with us, however, you are strongly encouraged to use 2FA when logging in to your account. If you decide to use 2FA for login, you will be asked to provide both your password and OTP to access our online trading services. Please remember to safeguard your password and OTP, and not disclose them to other parties.
In general, single-factor password authentication is more susceptible to password-based attacks and malware that could result in unauthorised parties compromising and hijacking your online trading accounts. This could also result in the unauthorised disclosure of any personal and trading information that is available in your account, or unlawful activity and fraudulent trades from your online trading account. By choosing not to use 2FA, you could increase your exposure to these risks.
You should observe the following practices to help secure the confidentiality and integrity of your password and OTPs, personal details, and other confidential data. These will help mitigate the risk of unauthorised transactions and fraudulent use of your accounts, and reduce the chance of unlawful parties observing or stealing your access credentials or other security information to get unauthorised access to your online accounts:
(a) Take the following precautions with your password. Passwords should:
Be at least 8 characters of alphanumeric mix;
Not be based on guessable information such as your username, telephone number, birthday, or other personal information;
Be kept confidential and not be divulged to anyone;
Be changed regularly or when there is any suspicion that your online identity has been compromised or impaired; and
Not be the same for different websites, applications, or services, particularly when they are related to different entities.
(b) Do not select the browser option for storing or retaining username and password;
(c) Check the authenticity of our website by comparing the URL and our name in its digital certificate or by observing the indicators provided by an extended validation certificate;
(d) Check that the website address changes from ‘http://’ to ‘https://’ and a security icon that looks like a lock or key appears when authentication and encryption is expected;
(e) Check your account information, balance and transactions frequently and report any discrepancy;
(f) Install anti-virus, anti-spyware and firewall software in your personal computers and mobile devices;
(g) Update any operation system, virus and firewall products with security patches or newer versions on a regular basis;
(h) Remove file and printer sharing on computers, especially when they are connected to the Internet;
(i) Regularly back up critical data;
(j) Consider the use of encryption technology to protect highly sensitive or confidential information;
(k) Log off each and every online session;
(l) Clear browser cache after each and every online session;
(m) Do not install software or run programmes of unknown origin;
(n) Delete junk or chain emails;
(o) Do not open email attachments from strangers;
(p) Do not disclose personal, financial or credit card information to little-known or suspect websites;
(q) Do not use a computer or device that cannot be trusted; and
(r) Do not use public or internet cafe computers to access online services or perform financial transactions.