Security is always top of mind at Dwolla, and it’s something we’ll never stop improving and iterating upon. While Dwolla has always required multiple elements for user sessions, such as email address, password and PIN, we’ve continued to work toward empowering our users with additional security measures.
How do I enable two-factor authentication?
Visit your account settings page within the Dwolla dashboard. You can navigate to this page by clicking on your avatar in the top right hand corner of your dashboard. From your account settings page, choose Security from the menu on the left.
You’ll notice the option to enable 2FA on your account security page. Choose to enable and re-enter your password.
When enabling 2FA, you will need to download and open an authenticator app, such as: Google Authenticator (iOS, Android), Duo Mobile (iOS, Android), Amazon Virtual MFA, or Authenticator (Windows Phone).
Open your authenticator app of choice, and manually enter the key code or scan the QR code you’ll see on your Dwolla dashboard to generate a six-digit security code within the app.
Next time you login to your Dwolla account from any device, you will be prompted to supply a six-digit security code from your authenticator app after you enter your email and password.
You can choose to supply this code every time you log in from that device or every 30 days.
Why is two-factor authentication important?
Two-factor authentication helps protect your Dwolla account from the loss of credentials (e.g., your password being stolen). With 2FA enabled, a valid session requires something you know (your userID/Password) and something you have (your 2FA Time-based One Time Password). In short, it helps prevent online identity theft as a victim’s password is not enough for a fraudster to compromise an account.
Why use an authenticator app?
Dwolla chose Time-based One Time Password (TOTP) as our method of two-factor authentication given customer feedback and the high security level provided via the TOTP protocol. TOTP is also extremely strong as no transmission of the passcode is ever made as opposed to SMS (text) which, although unlikely, may be intercepted.