Choose the strongest available method
Prefer phishing-resistant MFA (FIDO2/passkeys) or app-based codes over SMS where possible.
| Method | Security Level | Pros | Cons |
|---|---|---|---|
| Hardware keys (FIDO2/U2F) | Highest | Phishing-resistant (the credential is bound to the real site's origin), works offline | Can be lost or damaged, not every broker supports them |
| Authenticator apps (TOTP) | High | Works offline, widely supported | Phone dependent; a code can still be phished by a real-time relay site that forwards it within its 30-second window |
| Push notifications | Medium | Convenient, fast approval | MFA fatigue (prompt bombing); easy to approve an attacker's login by mistake |
| SMS | Lowest | Universal, no apps needed | SIM swap, interception, delivery delays |
Important: NIST SP 800-63B classifies SMS and voice-call one-time codes as a "restricted" authenticator because of SIM swap, number porting and telephone-network interception, and many security organizations now warn against SMS-only 2FA. Choose an app or hardware key where possible.
Setup steps
1. Turn on 2FA in broker settings
   Usually found under "Security" or "Account Settings".
2. Scan the QR code in your authenticator app
   Google Authenticator, Authy, Microsoft Authenticator, or 1Password. The QR code encodes the shared secret itself; anyone who photographs or screenshots it can generate your codes, so don't keep a copy of it.
3. Save backup codes
   Print them or store them in a password manager, not just as screenshots.
4. Add a second method (if available)
   A hardware key as backup to the authenticator app, or a second key if the first method is a key.
5. Test the setup
   Log out and log back in to verify it works before you leave the setup screen.
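What steps 2 and 5 actually do under the hood: the QR code is an `otpauth://` URI carrying a base32 shared secret, the app derives a 6-digit code from that secret and the current 30-second time step (RFC 6238 TOTP, built on RFC 4226 HOTP), and the broker recomputes the same code at login. The block below is an added example written for this page, not code from the original article or from any broker or authenticator app. The URI, issuer name and account label are constructed; the secret is the RFC 4226/6238 test-vector key, so the codes it produces can be checked against the tables in those RFCs.

```python
"""Parse an enrollment QR code's otpauth URI, mint TOTP codes, and verify one.

Added example, not code from the original page. EXAMPLE_URI, the issuer and
the account label are constructed; the secret is the RFC test key.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what a broker's enrollment QR code decodes to.
# The secret is base32 of the RFC 4226 / RFC 6238 test key b"12345678901234567890".
EXAMPLE_URI = (
    "otpauth://totp/Example%20Broker:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Broker"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the shared secret and parameters carried by the QR code.

    Whoever holds this data can mint valid codes, which is why the QR image
    itself has to be treated as a secret.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    label = unquote(parts.path.lstrip("/"))
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore optional base32 padding
    return {
        "type": parts.netloc,
        "label": label,
        "issuer": params.get("issuer", label.split(":", 1)[0] if ":" in label else ""),
        "secret": base64.b32decode(secret_b32),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, timestamp=None, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(key, int(timestamp) // period, digits, algorithm)


def verify_totp(key: bytes, code: str, timestamp=None, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check of a submitted code, as the broker does at login.

    Accepts the current step plus `window` steps either side to tolerate clock
    drift, compares in constant time, and does not return early so timing does
    not reveal which step matched.
    """
    if timestamp is None:
        timestamp = time.time()
    step = int(timestamp) // period
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits, algorithm), code):
            matched = True
    return matched


if __name__ == "__main__":
    enrol = parse_otpauth_uri(EXAMPLE_URI)
    key = enrol["secret"]
    # RFC 6238 Appendix B: at T=59 the SHA1 code is 94287082 (8 digits), i.e. 287082 with 6.
    print(totp(key, 59, enrol["period"], enrol["digits"], enrol["algorithm"]))
    # Step 5 of the setup: a freshly minted code must verify against the same secret.
    print("login test:", verify_totp(key, totp(key), period=enrol["period"]))
```

The `window` parameter is why a code still works for a few seconds after the app's countdown hits zero, and also why a phished code stays usable for an attacker who relays it immediately: TOTP proves possession of the secret, not that the user is on the genuine site, which is the gap hardware keys close.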
Recommended Authenticator Apps
- Google Authenticator: Simple, reliable
- Authy: Cloud backup, multi-device
- Microsoft Authenticator: Push notifications
- 1Password: Integrated with password manager (convenient, but a TOTP seed stored next to the password it protects means one vault compromise defeats both factors)
- Bitwarden: Open source option
- LastPass Authenticator: Backup features
- Duo Mobile: Enterprise-focused
- andOTP: Android, open source; development has stopped, so prefer an actively maintained alternative
Recovery planning
Backup Strategies
- Second device with authenticator app
- Hardware key as alternate method
- Printed backup codes in safe place
- Password manager with 2FA storage
- Recovery email/phone up to date
What Can Go Wrong
- Lost or broken phone
- Authenticator app deleted
- Hardware key lost/damaged
- Phone number changed
- App factory reset without backup
⚠️ Common Mistakes
- No backup method: Only one way to authenticate
- Screenshot only: Backup codes saved as photos that disappear with the phone and sync to cloud albums you don't control
- Same device dependency: 2FA and password manager on the same phone, so one lost device takes both down
- Ignoring recovery info: Old phone numbers/emails still on file can be used by an attacker to reset your 2FA
- Not testing: Discovering problems only when locked out
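Backup codes are worth understanding because they bypass the authenticator entirely: each is a random single-use secret that the broker stores only as a hash and deletes the moment it is redeemed, which is why a replayed or screenshotted code that has already been used is worthless, and why an unused code that leaks is as good as your second factor. The block below is an added example written for this page, not code from the original article or from any broker; it models the server side with constructed values (the alphabet, code length, PBKDF2 parameters and class name are all assumptions).

```python
"""How single-use backup codes are issued, stored and redeemed (server side).

Added example, not code from the original page or any broker's implementation.
ALPHABET, code length, PBKDF2 parameters and BackupCodeStore are assumptions.
"""
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I) so printed codes can be
# read back reliably; 10 characters from 31 symbols is about 49.5 bits each.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ITERATIONS = 100_000  # assumption: slow hash so a leaked table is hard to crack


def generate_backup_codes(count: int = 10, length: int = 10) -> list:
    """Issue `count` CSPRNG codes; these are shown to the user exactly once."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def format_for_printing(code: str) -> str:
    """Split into 5-character groups, e.g. 'abcde-fghjk', for the printout."""
    return "-".join(code[i:i + 5] for i in range(0, len(code), 5))


def normalize(code: str) -> str:
    """Strip the printing format and case before checking."""
    return "".join(code.split()).replace("-", "").lower()


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


class BackupCodeStore:
    """What the broker keeps on file: per-code salted hashes, never the codes."""

    def __init__(self, codes: list):
        self._entries = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self._entries.append((salt, _hash(normalize(code), salt)))

    def remaining(self) -> int:
        return len(self._entries)

    def redeem(self, submitted: str) -> bool:
        """Accept a code once; a replayed or unknown code is rejected."""
        candidate = normalize(submitted)
        for index, (salt, digest) in enumerate(self._entries):
            if hmac.compare_digest(_hash(candidate, salt), digest):
                del self._entries[index]  # single use: consumed on success
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("\n".join(format_for_printing(c) for c in codes))  # what the user prints or stores
    # First redemption succeeds, the replay of the same code fails.
    print(store.redeem(format_for_printing(codes[0])), store.redeem(codes[0]))
```

Two practical consequences follow from this model: the broker cannot re-display your codes later (it only has hashes), so "I'll screenshot them some other time" means regenerating a fresh set; and each successful use permanently spends a code, so once the remaining count gets low you should generate new ones rather than wait for the last one to run out.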
💡 Pro Tip
Enable 2FA on your email accounts first. Password resets and 2FA-reset requests for brokerage accounts are usually confirmed by email, so an attacker who controls your inbox can often reset both your password and your second factor, even with 2FA enabled on the brokerage account itself.
Frequently Asked Questions
What happens if I lose my phone with the authenticator app?
Use your backup codes or alternate authentication method. If you have neither, you'll need to contact your broker's support with identity verification to regain access.
Should I use the same authenticator app for all accounts?
Yes, it's more convenient and you're less likely to lose access. Just ensure you have proper backups and recovery methods in place for that app.
Is SMS 2FA better than nothing?
Yes, SMS 2FA is still much better than no 2FA at all. But upgrade to app-based or hardware keys when possible, especially for financial accounts.
Can I use the same hardware key for multiple accounts?
Yes. One key can be registered with as many accounts as you like: for the non-discoverable WebAuthn/U2F credentials most sites use, the key derives a separate credential per registration, so there is no practical limit, while stored passkeys (discoverable credentials) are capped by the key's capacity. Reusing one key is convenient and just as secure as separate keys, since each site only ever sees its own credential. What matters is registering a second key as a backup so that losing the first doesn't lock you out of every account at once.