Nutmeg uses multi-factor authentication (MFA) to keep your details and your account safe. As new cyber threats evolve, so must our security. With this in mind we are using cutting-edge login verification in the form of MFA to stay several steps ahead of anyone who may try to steal your data, your money or your identity.
So how does it work and, as a Nutmeg customer, do you have to do anything? We’ve answered some commonly asked questions to help take you through everything to do with MFA:
What is multi-factor authentication?
MFA is simply a way of adding extra security to your account. It’s the technical equivalent of being asked additional security questions when you talk to someone at a bank, either in person or over the phone. MFA uses different factors that are unique to you as cross references, so you are protected in multiple ways. If a criminal managed to get your password, MFA would be the extra locks that would prevent them from hacking your account.
MFA involves the following factors:
Something only you know (like your password or security questions)
Something only you have (like your smartphone)
Something unique to you (e.g. your fingerprint/iris/facial features)
MFA means that you always authenticate based on a combination of these factors – never relying on just one.
How did MFA start?
MFA is not a new concept. We have all seen action movies when two individuals with separate keys or codes are required to initiate a nuclear protocol. That is a simple yet powerful variation of MFA. It was predominantly used by large organisations such as government departments, when very sensitive data (e.g. medical files or classified government documents) had to be accessed.
Technological advances and the rise of cybercrime have contributed to MFA becoming a mainstream security feature. Nowadays, you might be asked to re-enter your passcode having already used your thumbprint to enter your banking app on your phone, or you may have to enter a code online from a text message that a website has sent you – these are both examples of MFA in common use. Facial recognition is one example of an MFA factor that is also increasingly used by phone apps and online logins, as well as in more physical circumstances such as at border crossings.
Can MFA be compromised?
No one can say that any security system is 100% safe all the time. However, MFA means that even if one aspect of your security is compromised – i.e. your phone is hacked, or your password is stolen – your account and your money still have one layer of protection because the other authentication locks are still in place. Multiple factors of authentication multiply how hard it is to compromise your account.
How does it work for me as a Nutmeg customer?
To use MFA you will first need to download the Google Authenticator app on your phone. After you log in to Nutmeg, navigate to your name in the top right-hand corner and select ‘settings’ from the drop-down menu, then click ‘enable two-step verification’.
You will then be asked to scan the QR code on the screen using the Google Authenticator app (use the ‘+’ sign to add another account if you already use Google Authenticator for verification elsewhere).
Google Authenticator will then show you a 6-digit code (this refreshes every half-minute). Simply type this code into the box on screen in your Nutmeg account to enable MFA.
Now you’re all set. Next time you sign in to your Nutmeg account you’ll be prompted to enter the verification code from the authenticator app.
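How the 6-digit code in the steps above is derived and checked, as an added example that is not Nutmeg's code: Google Authenticator implements the TOTP algorithm (RFC 6238), and this sketch assumes its common defaults (HMAC-SHA1, 30-second step, 6 digits). The sample secret, account name, issuer, the one-step clock-drift window and the function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30     # seconds each code is valid (the half-minute refresh)
DIGITS = 6
SAMPLE_SECRET = b"12345678901234567890"  # constructed: RFC 6238 test key

def totp(secret, unix_time):
    """Code for the 30-second step containing unix_time (HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret, submitted, unix_time, last_used_step=-1, drift=1):
    """Return the matched step, or None when the code is rejected."""
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None
    current = unix_time // STEP
    matched = None
    # Allow +/- drift steps of clock skew between phone and server.
    for step in range(max(0, current - drift), current + drift + 1):
        if hmac.compare_digest(totp(secret, step * STEP), submitted):
            matched = step
    # A step already accepted must not be accepted again (replay).
    if matched is None or matched <= last_used_step:
        return None
    return matched

def provisioning_uri(secret, account, issuer):
    """otpauth:// URI of the kind an enrolment QR code carries."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}")

if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    code = totp(SAMPLE_SECRET, now)
    print(code, verify(SAMPLE_SECRET, code, now))
    print(verify(SAMPLE_SECRET, code, now, last_used_step=1))  # replay
    print(provisioning_uri(SAMPLE_SECRET, "user@example.com", "ExampleIssuer"))
```

The server stores the step returned by `verify` and passes it back as `last_used_step` on the next login, so a code seen once cannot be reused inside its validity window.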
What about the Nutmeg mobile app?
When signing in to the Nutmeg mobile app, you will be asked to enter your email and password followed by the Google Authenticator 6-digit number. You will then be asked to set a 4-digit passcode and whether you wish to use biometric recognition for future access.
How else are you keeping my account secure?
MFA will continue to be a big part of our security going forward, but it is just one of the ways of securing your account. We’re constantly adding new security measures to prevent access from unauthorised third parties. Some of these we’re happy to talk about, others we have to keep secret for obvious reasons. One thing they do include though is checking IP addresses that are trying to log in to see if they are from a place known as a source of suspicious activity.
We also protect data such as usernames and passwords that are kept with us by making sure they are ‘hashed and salted’. This is essentially protection beyond encryption in that hashed values cannot be decrypted. The vast majority of customers will see no impact to their usage but we’re working hard in the background to keep things secure for everyone who invests with us.
What can I do?
Good practice is always to remain vigilant and to not give out your login details or password to anyone. But, to really increase your security, one of the best things you can do is simply use multi-factor authentication.