
2FA/TOTP — Authentication Using One Time Password

The use of one-time passwords (Time-based One-time Password Algorithm, TOTP) or two-factor authentication (2FA) provides an additional level of security for trading accounts. This technology protects a trading account from unauthorized access even if its login and password are leaked.

If 2FA/TOTP is enabled, users are required to enter a special one-time password every time they connect to their accounts, in addition to the standard account login and password (as well as a certificate if extended authentication is enabled). One-time passwords can be generated by:

  • Mobile platforms for iPhone and Android.
  • The most popular 2FA applications, including Google Authenticator, Microsoft Authenticator, LastPass Authenticator and Authy. They can be downloaded to a mobile device from the App Store or Google Play.

The ability to use OTPs should be enabled on the trading server. This additional level of security can be optional or mandatory, depending on the specific regulatory or market requirements.

Enabling 2FA/TOTP in the desktop terminal

To enable the two-factor authentication option, connect to your account in the usual way. Then click "Enable 2FA/TOTP" in the account menu in the "Navigator".

Enabling two-factor authentication for the administrator account

Run the Authenticator app on your mobile device, click "+" to add your account and scan the QR code from the platform. Enter the received code in the "One-Time Password" field and click "Enable 2FA". This will link your account to the generator with a secret key.

A one-time password will be required for each connection to the account. Each OTP is valid for 30 seconds. After that a new one is generated.

Enter a one-time password to connect

How to Enable 2FA/TOTP on iPhone

Go to the Settings of the mobile platform and select OTP. For security reasons, when you first open this section, you will be required to set a four-digit password. The password must be entered every time you access the password generator.

If you forgot your password to the password generator but still use the same mobile device, reinstall the mobile platform and rebind your account to the generator. If you no longer have access to the mobile device, contact your broker to reset the binding to the password generator.

Set a password to access the OTP generator

In the window that opens, select "Bind to account".

To bind an account to the OTP generator, enter its details

Next, specify the name of the server on which the trading account was opened, the account number and its master password. Keep the "Bind" option enabled. Disable it if you are going to unbind the specified account from the generator and stop using one-time passwords.

Tapping on the "Bind" button located at the top of the window binds the trading account to the generator. An appropriate message appears after that.

The generated One Time Password is valid for a short period of time

Likewise, you can bind an unlimited number of accounts to the generator.

The One Time Password is displayed at the top of the OTP section. A blue bar below visualizes the password lifetime. Once the password expires, it is no longer valid, and a new password will be generated.

Additional Commands:

  • Change Password — change the generator password.
  • Synchronize Time — synchronize the time of the mobile device with the reference server. Accurate time is required because an OTP is valid only for the current time interval, and this time must be the same on the platform and on the server side.

How to Enable 2FA/TOTP on Android Based Devices

Go to the Accounts of your mobile terminal and tap Open the generator of one-time passwords. For security reasons, when you first open this section, you will be required to set a four-digit password. The password must be entered every time you access the password generator.

If you forgot your password to the password generator but still use the same mobile device, reinstall the mobile platform and rebind your account to the generator. If you no longer have access to the mobile device, contact your broker to reset the binding to the password generator.

Set a password to access the OTP generator

In the window that opens, select "Bind to account".

Bind the account to the OTP generator

Next, specify the name of the server on which the trading account was opened, the account number and its master password. The "Bind" option should be kept enabled. Disable it if you are going to unbind the specified account from the generator and stop using one-time passwords.

After you tap the "Bind" button located in the upper part of the window, your trading account will be bound to the generator, and an appropriate message will appear.

OTP Usage

Likewise, you can bind an unlimited number of accounts to the generator.

The one-time password is displayed at the top of the OTP section. Underneath, a blue bar visualizes the password lifetime. Once the password expires, it is no longer valid, and a new password will be generated.

Additional Commands:

  • Change Password — change the generator password.
  • Synchronize Time — synchronize the time of the mobile device with the reference server. Accurate time is required because a one-time password is bound to the current time interval, and this time must be the same on the trading platform and on the server side.
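
Why "Synchronize Time" matters (in both mobile sections) and what the 30-second validity means, shown as an added example that is not MetaTrader's own code. It assumes standard RFC 6238 TOTP with HMAC-SHA1 and 6 digits, as used by common authenticator apps; the secret, the function names and the `window` tolerance parameter are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds; the page states each OTP is valid for 30 seconds
DIGITS = 6   # assumption: RFC 6238 default used by common authenticator apps

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed algorithm, not stated on the page)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step            # index of the current time interval
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, server_time, window=0):
    """Server-side check. `window` (hypothetical parameter) is the number of
    adjacent intervals accepted on either side to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# Constructed secret: base32 of the RFC 6238 test key "12345678901234567890"
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def demo():
    server_now = 1111111109                 # last second of one 30 s interval
    device_now = server_now + 2             # device clock only 2 s fast
    device_code = totp(SECRET, device_now)  # already in the next interval
    return {
        "server_code": totp(SECRET, server_now),
        "device_code": device_code,
        "strict_accepts": verify(SECRET, device_code, server_now),
        "window1_accepts": verify(SECRET, device_code, server_now, window=1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A two-second clock difference is enough to put the device and the server in different intervals, so a strict verifier rejects an otherwise valid code; widening the window trades that failure for a longer period in which a captured code is still accepted.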

Disabling TOTP/changing password generator

An account can only be linked to one OTP generator. To switch to another one, first disable OTP. If you use a mobile platform as the password generator, go to the OTP section in it and select "Unbind". If you bound a third-party authenticator using the desktop platform, select "Disable 2FA/TOTP" from the account context menu in the "Navigator". You will need to enter a one-time password generated by the old generator.

Enter a one-time password to disable two-factor authentication

If you do not have access to the device with the old password generator (for example, a mobile device is lost), contact your broker to reset the binding.

How to Use 2FA/TOTP on the Platform

A One Time Password is additionally requested during connection to a bound account from the trading platform:

An OTP is required in addition to a usual password

A one-time password is not requested when connecting to an account in read-only mode (using an investor password).