
Hooray! Wealthsimple Has Two-Step Verification! (What Does That Mean?)


This is the latest installment of our “Ask Wealthsimple” series. Today, our resident security geniuses help you navigate the world of security.


Some people call it two-factor authentication. Or 2FA if you're a security buff. We call it two-step verification because that's what it is and it sounds better! And yes, it's now part of our gold-standard security apparatus at Wealthsimple! All you have to do is turn it on when you're on the app or desktop.

To commemorate the moment, and go kind of deep on what it is and why it matters and share some thoughts about security and your money in general, we wrangled the two most security-minded people at Wealthsimple: Lee Brotherston, Director of Security, and Justin Bull, one of the engineers whose job is building security infrastructure and monitoring outside threats. And we got them to teach us just enough to feel like we're experts, but not so much that we got completely confused.

Congratulations on launching two-step verification for Wealthsimple!

Lee Brotherston: We're pretty excited. Honestly.

Well, you guys are tech security guys. I'm sure it's like how my kids would feel if they got their own bouncy castle. So, to get down to it, I've heard the term

Lee: Look, I know it’s not the sexiest topic.

Justin Bull: Two-step verification is going to help you protect your account, and all the money you have in it. I happen to think enhancing the security of your money is pretty sexy.

So, of course I understand all this stuff

Lee: We want to know that it's really you trying to log into your account. Two-step verification means that you have two different means of proving that it’s you, and not some hacker or scorned ex-roommate. With me so far? Good.

OK, so you have a password for your computer and a code that unlocks your phone, right? That's one step of security. If you want to be secure, you need something more.


That second factor could be lots of things. It's not common, but it could even be something biometric, like a fingerprint or an iris scan. Far more common — in fact, probably the most common — is what's called a verification code. It's a string of digits. Sometimes you can access the code from an app like Authy or Google Authenticator (Android and iOS). Sometimes it's a text message with a code that expires a minute later.

Justin: You should check out the definition from Sideways Dictionary — a fun dictionary that makes tech sound ... less tech-y. They use analogies to define abstract tech terms, and they have a great analogy for two-step verification: the debit card. Think of your password as the "card," and your verification code (we'll explain what that is in a minute) as the PIN. Except that a verification code is way more secure than a PIN, because it changes every minute. So unlike a PIN, even if someone peeped over your shoulder and saw your code, they'd still be locked out if they tried to use the same code later.

Two steps are far more secure — exponentially more secure, not just twice as secure — than just your password.

Is it hard to use? How do I use it?

Justin: All you need to do is turn it on when you log in to your Wealthsimple account. Just follow the super-short setup process on the Settings page of your account. It's under “Passwords and Security.”

Wait, you didn't install this because you got hacked and some poor soul lost every dime in his Wealthsimple account, did you? Please say no.

Lee: No! We have not had a single incident. We’re undertaking this to prevent an incident from occurring.

Justin: We brought Lee to Wealthsimple last spring as the director of the security team. And two-step verification was the first thing on our plate. As a new team, this was our first priority.

Are there any other benefits to two-step verification?

Lee: Yes. It's important to remember, this is less about making Wealthsimple hard to hack into, and more about making you hard to hack into.

People re-use passwords, so these breaches are getting more and more common, because people's credentials are being stolen from one site and used to access others. So adding this extra layer should prevent this from being a problem in the future.

Personally, I think the real problem is some people just can’t pick passwords. Buzzybear72 has been my fail-safe on every site I use for years. It's on Netflix, all the usernames for my

Lee: There are a few different problems with Fuzzybear72.


Lee: Okay, apologies. But I’m sorry to say it’s still problematic. First, if you use that all over the place, congratulations, maybe you've been lucky so far. But companies like Yahoo, Snapchat, and Dropbox have all had hacks in the last three years. When people steal the info, those user credentials get dumped somewhere. Once someone knows Buzzybear72 they can start plugging it into all your other sites and log in as you.

Remember this, always. Your password is only as safe as the least secure website it's on.

It seems like passwords are a problem. Are they a problem?

Justin: Yes. The way people use passwords today is highly flawed. It makes sense in a way — people just can't remember a unique password for every service. You're probably not going to make a password that's 48 characters long with brackets and exclamation marks and weird-looking things that make hard-to-crack passwords.

Lee: That's not the only way they can get your password. Have you ever heard of brute-forcing? It's a technique commonly used by hackers — they fire off thousands of different password options over just a few minutes, hoping they'll get the right one. Simple passwords are easier to brute-force. If you can remember it, it’s going to be easy to crack by an attacker.

We encourage everyone to use a password manager like 1Password or LastPass. A lot of people don't listen to our advice, and two-step verification is a fail-safe if someone gets your password. But it's still better to be safe two ways instead of one.

So this “verification code” — how do I know what it is if it keeps changing? Where do I get it?

Lee: Remember: the code is just a way to make sure whoever logs in has one of the physical devices you trust. So we send you a code in one of two ways.

The first option is text message. Buckle up here for a little bit of an explainer. With the text service, only our server knows the right digit combination for your account for that minute in time, which we text to you. Text messages are relatively unsecure in and of themselves. But to use the number, a hacker would need to get your email and password and text messages, and then they'd need to input all that within the same minute you tried to access it.



The second method is more secure, and that's to use an app on your phone — like we mentioned earlier, something like Google Authenticator or Authy. The app stores all the changing codes for each site for which you have two-step verification set up. Using fancy math and cryptographic magic, the generator in your app is able to tell you the same verification code that the server is looking for in that particular minute.

Okay smart guy — what if a hacker steals my phone that’s receiving all those authentication codes?

Lee: First things first. If your account is compromised, or could be compromised, the first thing to do is change your password. In Wealthsimple, this additionally forces all devices to log out of your account.

Meanwhile, if someone has your phone, you have to have trusted the person enough to give it to them or they have to have stolen it. It's a good reason to make sure your phone has thumbprint access and locks itself when you're not using it. If they steal it, odds are you know that it's been stolen and you can have that device's access revoked. When you sign up for Wealthsimple two-step verification, you get a one-time-use recovery code. Write it down somewhere and keep it safe! If a device gets lost or stolen, you can use the code to disable two-step verification. You'll have a clean start — just like changing the lock on your home after a break-in. Then turn two-step verification on again. (If you get confused along the way, we can always help you here.)

Justin: But that's incredibly uncommon. By far the most common way people get hacked is by someone somewhere far away from you and your phone. And two-step verification will protect you from that.

Is this going to make things more difficult? I'm sure my peace of mind is going to make me a tiny bit more miserable.

Lee: First of all, it's your choice. You can turn it on, or not. We believe it's the right thing to do, and a lot of Wealthsimple users have let us know they're very interested in it. But it's not being forced on anyone.

Justin: And you have more options when it comes to how you want to use two-step verification. You can choose to enter the verification code every single time you wish to log in. That can get cumbersome, but it provides a higher level of security. Alternatively you could choose to have the app or site remember that particular device for thirty days. That is you letting us know that, for you, a password alone is good enough so long as you're using that exact same phone or computer. And when that 30 days is up, you will verify your device again.

Lee: It's not so hard. And well worth it.


The content on this site is produced by Wealthsimple Technologies Inc. and is for informational purposes only. The content is not intended to be investment advice or any other kind of professional advice. Before taking any action based on this content you should consult a professional. We do not endorse any third parties referenced on this site. When you invest, your money is at risk and it is possible that you may lose some or all of your investment. Past performance is not a guarantee of future results. Historical returns, hypothetical returns, expected returns and images included in this content are for illustrative purposes only. By using this website, you accept our (Terms of Use) and (Privacy Policy). Copyright 2022 Wealthsimple Technologies Inc.