Two-factor Authentication (T-Key)

2023-06-16 15:54:40

What is T-Key?

T-Key is an enhanced 2FA (two-factor authentication) that improves level of security for you and your account. 2FA is a stronger form of identity validation and authentication as it relies on information known to you and something you possess. This layer of protection provides substantially better security and makes it more difficult for an attacker to access your account.  

The current practice used by financial institutions in Singapore is to require clients to go through an authentication process, which is a combination of two of the following:

  • Something you know (your User ID and Password)

  • Something you possess (such as a text with a code sent to your smartphone or other device, or a smartphone authenticator app)

This is also the same practice adopted by Tiger Brokers (Singapore) Pte. Ltd. ("TBSG"). When a TBSG client who has elected to participate in 2FA wishes to access an online service provided by TBSG, the client is required to enter the password (set by clients themselves) and the One-Time Password ("OTP", generated and accessed through APP "T-Key") for authentication.


What is the purpose of 2FA?

The key objectives of 2FA are to improve the security of client’s login authentication process, protect client’s online trading account and personal information from unauthorized access, and enhance the overall security of online trading systems. TBSG plays a proactive role in protecting our clients. We adopt, follow and update risk mitigating and controlling measures to protect the integrity of client’s account data and transaction details. Should you require assistance, please contact our customer services for more details.


Is 2FA compulsory for trading through TBSG?

2FA is not compulsory for trading through TBSG. Nonetheless, clients are strongly encouraged to use 2FA on their online trading accounts. Clients that elect to use 2FA will be required to provide both their password and OTP to access the online trading services. Clients should exercise due care to safeguard their password and OTP, and not disclose them to other parties.


What if I choose not to use 2FA for trading through TBSG?

Choosing not to use 2FA for the online trading account would increase client's exposure to series of risks. In general, single-factor password authentication is more susceptible to password-based attacks and malware that could result in the compromise and hijacking of online trading accounts by unauthorized parties. This could in turn lead to unauthorized disclosure of client's personal and trading information of or the carrying out of fraudulent trades through client's online trading account.


How can I protect myself if I choose not to use 2FA for online trading through TBSG?

Clients should refer to the following practices to secure the confidentiality and integrity of their password, security tokens, personal details and other confidential data as far as possible. These will help to prevent unauthorized transactions and fraudulent use of their accounts and make sure that no one else would be able to observe or steal their access credentials or other security information:

Clients should:

(a) Take the following precautions as regards their password (“credentials”);

  • Credentials should be at least 8 characters of alphanumeric mix;

  • Credentials should not be based on guessable information such as user-id, personal telephone number, birthday or other personal information;

  • Credentials should be kept confidential and not be divulged to anyone;

  • Credentials should be memorized and not be recorded anywhere;

  • Credentials should be changed regularly or when there is any suspicion that it has been compromised or impaired; and

  • The same credentials should not be used for different websites, applications or services, particularly when they are related to different entities.

(b) Not select the browser option for storing or retaining user name and password;

(c) Check the authenticity of our website by comparing the URL and our name in its digital certificate or by observing the indicators provided by an extended validation certificate;

(d) Check that the website address changes from ‘http://’ to ‘https://’ and a security icon that looks like a lock or key appears when authentication and encryption is expected;

(e) Check your account information, balance and transactions frequently and report any discrepancy;

(f) Install anti-virus, anti-spyware and firewall software in your personal computers and mobile devices;

(g) Update operation system, virus and firewall products with security patches or newer versions on a regular basis;

(h) Remove file and printer sharing in computers, especially when they are connected to the internet;

(i) Make regular backup of critical data;

(j) Consider the use of encryption technology to protect highly sensitive or confidential information;

(k) Log off each and every online session;

(l) Clear browser cache after each and every online session;

(m) Not install software or run programs of unknown origin;

(n) Delete junk or chain emails;

(o) Not open email attachments from strangers;

(p) Not disclose personal, financial or credit card information to little-known or suspicious websites;

(q) Not use a computer or a device which can not be trusted; and

(r) Not use public or internet café computers to access online services or perform financial transactions.