What is Two-factor authentication (2FA)?
Two-factor authentication (2FA) is an extra layer of security used to protect the safety of your online account and cards. It ensures that people trying to access an online account or making a card transaction are who they say they are.
To begin with, a user will enter their username and password as the first factor. Then, instead of immediately gaining access, they will be required to provide an authentication code generated by the device they physically possess as the second factor.
Airwallex supports 2 primary methods to generate authentication codes:
- Text Message (SMS) One-Time-Password (OTP)
- Mobile Authenticator App
With 2FA, a potential compromise of only your login details will not unlock the account so your account and cards are more secure.
Two-factor authentication on your Airwallex account
1. How can I enable 2FA for my account?
Account owners and admins (or any user with edit permission for settings) can enable Account-wide two-factor authentication in Settings > Security. To change settings it is required for the user to set up 2FA first.
All users using this account will be asked to set up 2FA the next time they next log in. For certain jurisdictions 2FA is mandatory for every user and cannot be turned off.
2. How do I set up my 2FA?
You can set up your 2FA by following the instructions on the setup pages.
- If you are new to Airwallex, you can start the 2FA setup at your first login
- If you are an existing customer, you can set up your 2FA at User profile > Security > Two-factor authentication
3. Which authenticator should I use?
You can set up either an SMS or App based authenticator. The use of both authenticators is for free*.
For authentication apps, we recommend the following:
- Google Authenticator
- Symantec VIP
Both authenticator apps can be easily installed on your phone. Once set up, they are accessible even without an internet connection.
* Your carrier may charge for SMS messages or mobile data
4. What are the Recovery codes?
In the event that you cannot receive the text message code or access your authenticator app, you can use one of the 10 recovery codes for the 2FA verification. Each recovery code is valid for one-time use only.
The first 10 recovery codes will be generated once your 2FA is set up successfully. From here you can:
- Print your recovery codes and store them in a safe place
- Re-generate 10 new recovery codes in User profile > Security > Two-factor authentication > Recovery codes - show > Generate new recovery codes. This will deactivate your old codes.
5. Have trouble logging in with 2FA?
If you cannot use the SMS code or the authenticator app to log in, one of the 10 recovery codes can be used for the 2FA verification.
If you don't have your recovery codes, please reach your Account Manager or our Customer Support team for help. After our team has your details verified, your 2FA will be reset. (Please note: You cannot reset your 2FA by Email or SMS)
6. Can I deactivate my 2FA or skip 2FA setup?
You can deactivate your 2FA if your Account does not force all users to set-up 2FA. You can check and deactivate under User profile > Security > Two-factor authentication.
7. Can I choose to have my device remembered so that I don't have to keep doing 2FA every time I login?
If you're using the WebApp, then yes, you can! Simply check the box to have your device remembered for 48 hours.
If you're using the iOS or Android app, unfortunately this feature is not available yet.
8. Can I reset my own 2FA?
Yes, you can reset/ edit the 2FA by yourself if you are logged in under User Profile > Security > 2FA authentication method > Edit.
Two-factor authentication on your card payments
Airwallex also supports 2FA on card transactions, also known as 3D Secure, or 3DS.
1. What is 3DS?
3DS is a security protocol used by merchants and issuers worldwide as an extra layer of security to ensure a purchase is from the rightful owner of the card.
The additional 3DS step typically will prompt the shopper at the checkout step to enter a verification code sent to their mobile or email. The prompt will present itself with card networks’ brand names, like Visa secure and the card issuer’s logo.
Example of 3DS flow:
- The cardholder enters their card details
- Airwallex will assess the request and decide if additional 3DS authentication by the cardholder is required at this step
- If required, you'll be asked to complete the additional authentication step
- Enter the OTP in the corresponding box and complete the authentication step
2. How is 3DS affecting you as an Airwallex customer?
As an Airwallex cardholder, you may be prompted to input a verification code for certain types of online payments before you can complete the checkout process on the merchant website. You'll have the option to receive the code via your email or phone number on file with Airwallex.
3DS is only used for online transactions, and only if the merchant supports it too. When a 3DS authentication request is triggered by the merchant, Airwallex will send you the verification code based on your chosen method (email or SMS).
To ensure a smooth transaction experience, we recommend keeping your mobile and email address with us up-to-date. This will help us contact you correctly if authentication is required.
For UK & EEA based cardholders:
The Strong Customer Authentication (SCA) regulation (a new set of standards proposed under PSD2 by the European Banking Authority in order to enhance security of payment service across the EU) in the European Economic Area (EEA) and the UK mandates the use of 3D Secure (3DS) for online card payments. 3DS can be optional in other parts of the world but can still be used as a tool to help reduce fraud.
In order to comply with the SCA requirements, any cardholders must have a mobile on file with Airwallex before creating or using EEA/UK cards.
In other regions, cardholders can have either email or mobile on file to enroll in 3DS.