This is the latest installment of our “Ask Wealthsimple” series. Today, our resident security geniuses help you navigate the world of security.
Some people call it two-factor authentication. Or 2FA if you're a security buff. We call it two-step verification because that's what it is and it sounds better! And yes, it's part of our gold-standard security apparatus at Wealthsimple!
We wanted to go kind of deep on what it is and why it matters and share some thoughts about security and your money in general. So we wrangled the two most security-minded people at Wealthsimple: Lee Brotherston, Director of Security, and Justin Bull, one of the engineers whose job is building security infrastructure and monitoring outside threats. And we got them to teach us just enough to feel like we're experts, but not so much that we got completely confused.
To get down to it, I've heard the term
Lee Brotherston: Look, I know it’s not the sexiest topic.
Justin Bull: Two-step verification is going to help you protect your account, and all the money you have in it. I happen to think enhancing the security of your money is pretty sexy.
Of course I understand all this stuff
Lee: We want to know that it's really you trying to log into your account. Two-step verification means that you have two different means of proving that it’s you, and not some hacker or scorned ex-roommate. With me so far? Good.
OK, so you have a password for your computer and a code that unlocks your phone, right? That's one step of security. If you want to be secure, you need something more.
That second factor could be lots of things. It could even be something biometric, like a fingerprint or an iris scan. Far more common — in fact, probably the most common — is what's called a verification code. It's a string of digits. Sometimes you can access the code from an app like Authy or Google Authenticator (Android and iOS). Sometimes it's a text message with a code that expires a minute later.
Justin: Think of your password as the debit card, and your verification code (we'll explain what that is in a minute) as the PIN. Except that a verification code is way more secure than a PIN, because it changes every minute. So unlike a PIN, even if someone peeped over your shoulder and saw your code, they'd still be locked out if they tried to use the same code later.
Two steps are far more secure — exponentially more secure, not just twice as secure — than just your password.
Is it hard to use? How do I use it?
Justin: Just follow the super-short setup process on the Settings page of your account. It's under “Passwords and Security.”
Are there any other benefits to two-step verification?
Lee: Yes. It's important to remember that this is less about making Wealthsimple hard to hack into, and more about making you hard to hack into.
People re-use passwords, so these breaches are getting more and more common, because people's credentials are being stolen from one site and used to access others. So adding this extra layer should prevent this from being a problem in the future.
Personally, I think the real problem is some people just can’t pick passwords. Buzzybear72 has been my fail-safe on every site I use for years — on Netflix, all the usernames for my
Lee: There are a few different problems with Fuzzybear72.
Lee: Okay, apologies. But I’m sorry to say it’s still problematic. First, if you use that all over the place, congratulations, maybe you've been lucky so far. But companies like Yahoo, Snapchat, and Dropbox have all had hacks. When people steal the info, those user credentials get dumped somewhere. Once someone knows Buzzybear72 they can start plugging it into all your other sites and log in as you.
Remember this, always: your password is only as safe as the least secure website it's on.
It seems like passwords are a problem. Are they a problem?
Justin: Yes. The way people use passwords today is highly flawed. It makes sense in a way — people just can't remember a unique password for every service. You're probably not going to make a password that's 48 characters long with brackets and exclamation marks and weird-looking things that make hard-to-crack passwords.
Lee: That's not the only way they can get your password. Have you ever heard of brute-forcing? It's a technique commonly used by hackers — they fire off thousands of different password options over just a few minutes, hoping they'll get the right one. Simple passwords are easier to brute-force. If you can remember it, it’s going to be easy to crack by an attacker.
We encourage everyone to use a password manager for any site they access. That's a good step one. And then two-step verification is a fail-safe if someone still gets your password. It's better to be safe two ways instead of one.
So this “verification code” — how do I know what it is if it keeps changing? Where do I get it?
Lee: Remember: the code is just a way to make sure whoever logs in has one of the physical devices you trust. So we send you a code in one of two ways.
The first option is text message or a phone call. Buckle up here for a little bit of an explainer. With the text or automated phone service, only our server knows the right digit combination for your account for that minute in time, which we text or call you with. To use the number, a hacker would need to get your email and password and text messages (or phone), and then they'd need to input all that within the same minute you tried to access it.
The second method is more secure, and that's to use an app on your phone — like we mentioned earlier, something like Google Authenticator or Authy. The app stores all the changing codes for each site for which you have two-step verification set up. Using fancy math and cryptographic magic, the generator in your app is able to tell you the same verification code that the server is looking for in that particular minute.
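The "fancy math" in the app-based option above, and the server-side checks the earlier answers imply (a code that is only good for its time window, a code that stops working once it has been used, and a limit on guesses), as an added example that is not Wealthsimple's code or any description of their system. It implements the published standard that Google Authenticator and Authy follow, RFC 6238 TOTP built on RFC 4226 HOTP, whose default time step is 30 seconds rather than a full minute. The secret, the account name, the skew window, the attempt cap and the in-memory `TotpVerifier` class are all assumptions made for the example; the shared secret used in the demo is the RFC's own published test key, not a real one.

```python
"""Added example (not Wealthsimple's code): an authenticator app and a
server computing the same short-lived code from a shared secret and the
clock, with replay protection and a guess limit on the server side.
Secret, account name and timestamps are constructed/test values."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default; authenticator apps use 30s, not 60s
DIGITS = 6
SKEW_STEPS = 1      # accept one step either side to tolerate clock drift
MAX_ATTEMPTS = 5    # assumed cap: 6 digits is only 10^6 guesses without it


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """What the enrolment QR code encodes; apps expect the secret in base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server side for one account (assumed in-memory state for the example).
    Remembers the newest time step already accepted so a code someone saw
    over your shoulder cannot be replayed, and counts failed guesses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1
        self.failed = 0

    def verify(self, submitted: str, now: int) -> bool:
        if self.failed >= MAX_ATTEMPTS:
            return False  # locked out: the right code no longer helps
        current = now // STEP_SECONDS
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self.last_accepted_step:
                continue  # that step's code (or an older one) was already used
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_accepted_step = step
                self.failed = 0
                return True
        self.failed += 1
        return False


if __name__ == "__main__":
    # Enrolment: a fresh random secret is shared once, via the QR code.
    shared_secret = secrets.token_bytes(20)
    print(provisioning_uri(shared_secret, "you@example.com", "ExampleIssuer"))
    # Both sides now derive the same code from the clock alone.
    now = int(time.time())
    print("app shows:", totp(shared_secret, now))
    print("server accepts:", TotpVerifier(shared_secret).verify(totp(shared_secret, now), now))
```

Two things the conversational explanation glosses over are visible here: the server and the app never exchange the code, only the secret at enrolment, so the clock is the only thing they need to agree on; and because a six-digit code has only a million possibilities, the server must both limit guesses and refuse a step that has already been accepted, otherwise "they'd need to input it within the same minute" is not much of an obstacle.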
Okay smart guy — what if a hacker steals my phone that’s receiving all those authentication codes?
Lee: First things first. If your account is compromised, or could be compromised, the first thing to do is change your password. In Wealthsimple, this additionally forces all devices to log out of your account.
Meanwhile, if someone has your phone, you have to have trusted the person enough to give it to them or they have to have stolen it. If they steal it, odds are you know that it's been stolen and you can have that device's access revoked. When you sign up for Wealthsimple two-step verification, you get a one-time-use recovery code. Write it down somewhere and keep it safe! If a device gets lost or stolen, you can use the code to disable two-step verification. You'll have a clean start — just like changing the lock on your home after a break-in. Then turn two-step verification on again. (If you get confused along the way, we can always help you here.)
Justin: But that's incredibly uncommon. By far the most common way people get hacked is by someone somewhere far away from you and your phone. And two-step verification will protect you from that.
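The one-time recovery code mentioned above, as an added example that is not Wealthsimple's code and does not describe how their system stores anything. It shows the three properties a practitioner would check for: the code is random enough that it cannot be guessed, the server keeps only a hash of it so a copy of the database does not yield working codes, and it is destroyed the moment it is accepted, so it really is one-time. The code format, the `RecoveryStore` class and the in-memory dictionary are assumptions for the example.

```python
"""Added example (not Wealthsimple's code): issue a single-use recovery
code, show it to the user once, store only its hash, consume it on use.
Account names and the in-memory store are constructed for the example."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def normalize(code: str) -> str:
    """Users will retype the code from paper: ignore dashes, spaces and case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str) -> str:
    # A plain SHA-256 is fine here, unlike for passwords: the code is 80 bits
    # of fresh randomness, so there is nothing for an offline guesser to exploit.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def issue_recovery_code() -> Tuple[str, str]:
    """Return (code to display exactly once, digest to store)."""
    raw = secrets.token_hex(10)                     # 20 hex chars, 80 bits
    code = "-".join(raw[i:i + 5] for i in range(0, 20, 5))  # assumed xxxxx-xxxxx-xxxxx-xxxxx format
    return code, hash_code(code)


class RecoveryStore:
    """Assumed server-side store: account -> digest, or None once the code is spent."""

    def __init__(self) -> None:
        self.digests: Dict[str, Optional[str]] = {}

    def enroll(self, account: str) -> str:
        code, digest = issue_recovery_code()
        self.digests[account] = digest
        return code  # the only time the plaintext code exists on the server

    def redeem(self, account: str, submitted: str) -> bool:
        stored = self.digests.get(account)
        if stored is None:
            return False  # no code issued, or already used
        if not hmac.compare_digest(stored, hash_code(submitted)):
            return False
        self.digests[account] = None  # single use: disabling two-step with it consumes it
        return True


if __name__ == "__main__":
    store = RecoveryStore()
    printed = store.enroll("you@example.com")
    print("write this down:", printed)
    print("first use:", store.redeem("you@example.com", printed))
    print("second use:", store.redeem("you@example.com", printed))
```

Redeeming the code should, as the answer above says, be followed by re-enabling two-step verification, which in this design simply means calling `enroll` again to issue a fresh code; the old digest is gone, so a stolen notebook page is useless after the first use.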
Does two-factor authentication make things more difficult? I'm sure my peace of mind is going to make me a tiny bit more miserable.
Justin: You have options when it comes to how you want to use two-step verification. You can choose to enter the verification code every single time you wish to log in. That can get cumbersome, but it provides a higher level of security. Alternatively you could choose to have the app or site remember that particular device for thirty days. That is you letting us know that, for you, a password alone is good enough so long as you're using that exact same phone or computer. And when that 30 days is up, you will verify your device again.
Lee: It's not so hard. And well worth it.