What is two-factor authentication?
How does two-factor authentication work?
With two-factor authentication, you have to prove your identity in 2 different ways to access your online accounts.
These are commonly:
-
Something you knowThis is typically your password
-
Something you haveThis refers to an item you possess, such as a one-time passcode
-
Something you areThis involves biometric information unique to you, like a fingerprint, facial recognition, or voiceprint
What are the benefits of two-factor authentication?
Using 2FA greatly improves the security of your accounts. Even if a criminal manages to get your password, they won't be able to access your account without the second factor.
What is a one-time passcode?
A one-time passcode (OTP) is a temporary 6-digit code which is used to confirm a specific transaction or logon session. It will expire after a certain amount of time.
There are different ways you can get one-time passcodes. Common examples include:
-
Text messageA code is sent to your mobile phone as a text message (SMS). When shopping online, you may be asked to confirm a one-time passcode sent as a text message
-
EmailSimilar to a text message, but the code is sent to your email address
-
Hardware tokenA code is generated using a physical device which displays a new code every few seconds. If you have a physical Secure Key with HSBC, this is what you will use to log on to online or mobile banking
-
Software tokenA code is generated using a mobile device. If you use the HSBC Mobile Banking app, you may generate a code to log on to online banking or authorise transactions
HSBC will never ask you to share a code generated from your Secure Key or mobile phone, find out more about the HSBC Secure Key.
One-time passcode scams
Here are the common ways that fraudsters might try to get you to divulge a one-time passcode.
Text messages or email
When you buy something online with your debit or credit card, you may be asked to confirm the payment so that we can check it’s really you and not a fraudster.
We do this by sending a 6-digit passcode to your mobile number or email address, so you can prove it’s you.
Fraudsters might aim to trick you into sharing these codes.
They will call and pretend to be from your bank. They may tell you that they’ve detected a suspicious card transaction and ask if you authorised it. When you say you haven’t, the fraudster will offer to stop it for you.
The fraudster will ask you to share the one-time passcode with them.
If you hand over that code, they’ll be able to use it for their fraudulent card transactions.
One-time passcodes should only be used by you and never shared.
If you've received a text message that looks like it may have come from HSBC, you can check that is really did come from us.
Token activation fraud
Fraudsters might also try to trick you into handing over the activation code for your HSBC Secure Key.
Explore: How to avoid token activation fraud
QR codes
We may send you a QR code instead of a one-time passcode. A QR code is a 2D square barcode that can be scanned to quickly access sensitive information or website links.
However, QR code fraud is a growing scam in the UK, where criminals try to trick you into sending a screenshot of your QR code to gain access to your personal data or accounts.
To keep yourself safe, never take a screenshot of your QR code and share it with anyone. Scammers may pretend to be from your bank, the police, or another trusted organisation.
Remember: we would never ask you to send us a screenshot of your QR code. If anyone does ask you to, then it’s a scam.
How to stay safe from scams
Never share:
-
One-time passcodes received by text message or email
-
Codes generated by your HSBC Secure Key
-
Passwords or logon details
-
Activation codes
If someone contacts you and asks you to share any of these codes, don’t. Hang up the phone and don’t respond to any emails or texts.
If you unexpectedly receive a one-time passcode, it may mean a fraudster is trying to use your card. Contact us straight away using the number on the back of your card.
Find out more about how to protect yourself against fraud.
