This article explains what two-factor authentication (2FA) is, how it works on your Airwallex account, how it is set up and whether it can be altered or turned off.
What is Two-factor authentication (2FA)?
Two-factor authentication (2FA) is an extra layer of security used to protect the safety of your online account and cards. It ensures that people trying to access an online account or making a card transaction are who they say they are.
To begin with, a user will enter their username and password as the first factor. Then, instead of immediately gaining access, they will be required to provide an authentication code generated by the device they physically possess as the second factor.
Airwallex supports 2 primary methods to generate authentication codes:
- Text Message (SMS)
- Authenticator App
With 2FA, a potential compromise of only your login details will not unlock the account so your account and cards are more secure.
Two-factor authentication on your Airwallex account
1. How can I enable 2FA for my account?
2FA is mandatory for every user once the account becomes active and cannot be turned off. All users are required to set up 2FA the first time they log into Airwallex.
2. How do I set up my 2FA?
You can set up your 2FA by following the instructions on the setup pages.
- If you are new to Airwallex, you can start the 2FA setup at your first login
- If you are an existing customer, you can manage your 2FA at User profile > Security > Two-factor authentication
3. Which authenticator should I use?
SMS and Authenticator app are available as 2FA method. The use of both authenticators is for free*.
For authenticator apps, we recommend the following:
- Google Authenticator
- Symantec VIP
Both authenticator apps can be easily installed on your phone. Once set up, they are accessible even without cellular signal or an internet connection.
* Your carrier may charge for SMS messages or mobile data
4. Can I set up multiple 2FA methods?
You are required to set up at least one 2FA method, but you can set up additional 2FA methods at User profile > Security > Two-factor authentication so that you can log in even if one 2FA method is not available. Once multiple 2FA methods are set up, you can use a different 2FA method by clicking on the “Choose a different method” button.
5. What are the Recovery codes?
In the event that you cannot receive the text message code or access your authenticator app, you can use one of the 10 recovery codes for the 2FA verification. Each recovery code is valid for one-time use only. Recovery codes can only be used to log in and set up or edit your 2FA method.
The first 10 recovery codes will be generated once your 2FA is set up successfully. From here you can:
- Print your recovery codes and store them in a safe place
- Re-generate 10 new recovery codes in User profile > Security > Two-factor authentication > Generate recovery codes. This will deactivate your old codes.
6. Have trouble logging in with 2FA?
If you cannot use the SMS code or the authenticator app to log in, one of the 10 recovery codes can be used for the 2FA verification.
If you don't have your recovery codes, please reach your Account Manager or our Customer Support team for help. After our team has your details verified, your 2FA will be reset. (Please note: You cannot reset your 2FA by Email or SMS)
7. Can I deactivate my 2FA or skip 2FA setup?
At Airwallex, the security of your accounts is a top priority. 2FA is required and cannot be deactivated.
8. Can I choose to have my browser remembered so that I don't have to keep doing 2FA every time I login?
If you're using Webapp, then yes, you can! Simply check the box to have your browser remembered for 48 hours.
For certain jurisdictions “Remember this browser for 48 hours” is not available. If you're using the iOS or Android app, unfortunately this feature is not available yet.
9. Can I reset my own 2FA?
Yes, you can reset/ edit the 2FA by yourself if you are logged in under User Profile > Security > 2FA authentication method > Edit.
Two-factor authentication on your card payments
Airwallex also supports 2FA on card transactions, also known as 3D Secure, or 3DS.
1. What is 3DS?
3DS is a security protocol used by merchants and issuers worldwide as an extra layer of security to ensure a purchase is from the rightful owner of the card.
The additional 3DS step typically will prompt the shopper at the checkout step to enter a verification code sent to their mobile or email. The prompt will present itself with card networks’ brand names, like Visa secure and the card issuer’s logo.
Example of 3DS flow:
- The cardholder enters their card details
- Airwallex will assess the request and decide if additional 3DS authentication by the cardholder is required at this step
- If required, you'll be asked to complete the additional authentication step
- Enter the OTP in the corresponding box and complete the authentication step
2. How is 3DS affecting you as an Airwallex customer?
As an Airwallex cardholder, you may be prompted to input a verification code for certain types of online payments before you can complete the checkout process on the merchant website. You'll have the option to receive the code via your email or phone number on file with Airwallex.
3DS is only used for online transactions, and only if the merchant supports it too. When a 3DS authentication request is triggered by the merchant, Airwallex will send you the verification code based on your chosen method (email or SMS).
To ensure a smooth transaction experience, we recommend keeping your mobile and email address with us up-to-date. This will help us contact you correctly if authentication is required.
For UK & EEA based cardholders:
The Strong Customer Authentication (SCA) regulation (a new set of standards proposed under PSD2 by the European Banking Authority in order to enhance security of payment service across the EU) in the European Economic Area (EEA) and the UK mandates the use of 3D Secure (3DS) for online card payments. 3DS can be optional in other parts of the world but can still be used as a tool to help reduce fraud.
In order to comply with the SCA requirements, any cardholders must have a mobile on file with Airwallex before creating or using EEA/UK cards.
In other regions, cardholders can have either email or mobile on file to enroll in 3DS.