Top of main content

What is two-factor authentication?

Two-factor authentication (2FA) adds an extra layer of protection to your digital information.

How does two-factor authentication work?
What are the benefits of two-factor authentication?
What is a one-time passcode?
One-time passcode scams
How to stay safe from scams

How does two-factor authentication work?

With two-factor authentication, you have to prove your identity in 2 different ways to access your online accounts.

These are commonly:

  • Something you know
    This is typically your password
  • Something you have
    This refers to an item you possess, such as a one-time passcode
  • Something you are
    This involves biometric information unique to you, like a fingerprint, facial recognition, or voiceprint

What are the benefits of two-factor authentication?

Using 2FA greatly improves the security of your accounts. Even if a criminal manages to get your password, they won't be able to access your account without the second factor. 

What is a one-time passcode?

A one-time passcode (OTP) is a temporary 6-digit code which is used to confirm a specific transaction or logon session. It will expire after a certain amount of time.

There are different ways you can get one-time passcodes. Common examples include:

  • Text message
    A code is sent to your mobile phone as a text message (SMS). When shopping online, you may be asked to confirm a one-time passcode sent as a text message
  • Email
    Similar to a text message, but the code is sent to your email address
  • Hardware token
    A code is generated using a physical device which displays a new code every few seconds. If you have a physical Secure Key with HSBC, this is what you will use to log on to online or mobile banking
  • Software token
    A code is generated using a mobile device. If you use the HSBC Mobile Banking app, you may generate a code to log on to online banking or authorise transactions

HSBC will never ask you to share a code generated from your Secure Key or mobile phone, find out more about the HSBC Secure Key.

One-time passcode scams

Top tip: never share a one-time passcode with anyone, including HSBC

Here are the common ways that fraudsters might try to get you to divulge a one-time passcode.

Text messages or email

When you buy something online with your debit or credit card, you may be asked to confirm the payment so that we can check it’s really you and not a fraudster.

We do this by sending a 6-digit passcode to your mobile number or email address, so you can prove it’s you.

Fraudsters might aim to trick you into sharing these codes.

They will call and pretend to be from your bank. They may tell you that they’ve detected a suspicious card transaction and ask if you authorised it. When you say you haven’t, the fraudster will offer to stop it for you. 

The fraudster will ask you to share the one-time passcode with them.

If you hand over that code, they’ll be able to use it for their fraudulent card transactions.

One-time passcodes should only be used by you and never shared.

If you've received a text message that looks like it may have come from HSBC, you can check that is really did come from us.

Token activation fraud

Fraudsters might also try to trick you into handing over the activation code for your HSBC Secure Key. 

Explore: How to avoid token activation fraud

How to stay safe from scams

Never share:

  • One-time passcodes received by text message or email
  • Codes generated by your HSBC Secure Key
  • Passwords or logon details
  • Activation codes

If someone contacts you and asks you to share any of these codes, don’t. Hang up the phone and don’t respond to any emails or texts.

If you unexpectedly receive a one-time passcode, it may mean a fraudster is trying to use your card. Contact us straight away using the number on the back of your card.

Find out more about how to protect yourself against fraud.

Back to top  

What next?

Explore more