
What is two-factor authentication?

Two-factor authentication (2FA) adds an extra layer of security to your online accounts, making it much harder for fraudsters to gain access to your personal information.

You might also know it as multi-factor authentication (MFA). While 2FA specifically involves 2 forms of verification, MFA includes 2 or more layers of verification.

How does two-factor authentication work?

With 2FA, you must verify your identity in 2 different ways before accessing your account. The factors typically include:

  • Something you know
    This is typically your password or PIN.
  • Something you have
    This refers to something in your possession, such as a one-time passcode (OTP) sent to or generated by your device, or a physical device like a Secure Key.
  • Something you are
    This involves biometric information unique to you, like a fingerprint, facial recognition, or voiceprint.

This dual-layered approach makes sure that, even if one factor is compromised, your account remains secure. 


What are the benefits of two-factor authentication?

2FA greatly improves account security. Even if a fraudster gets hold of your password, they can’t access your account without the second factor. This added protection helps safeguard your sensitive information and financial transactions.

What is a one-time passcode?

A one-time passcode (OTP) is a temporary 6-digit code used to verify your identity during a transaction or logon session. OTPs expire after a short period, adding an extra layer of security. 

There are different ways you can get one-time passcodes. Common examples include:

  • Text message
    A code is sent to your mobile phone as a text message (SMS). When shopping online, you may be asked to confirm a one-time passcode sent as a text message.
  • Email
    Similar to a text message, but the code is sent to your email address.
  • Hardware token
    A code is generated using a physical device which displays a new code every few seconds. If you have a physical Secure Key with HSBC, this is what you will use to log on to online or mobile banking.
  • Software token
    A code is generated using a mobile device. If you use the HSBC Mobile Banking app, you may generate a code to log on to online banking or authorise transactions.

Important: HSBC will never ask you to share an OTP or a code generated by your Secure Key.

One-time passcode scams

Fraudsters often try to trick people into revealing their OTPs. For example, when you make an online purchase, you may receive an OTP to confirm the transaction.

Scammers may then:

  • Call, message, or email you, pretending to be from your bank
  • Claim they’ve detected a suspicious transaction on your account
  • Ask for your OTP, saying it’s needed to ‘stop the transaction’ or ‘prevent fraud’
Remember: one-time passcodes are for your use only and should never be shared with anyone.

If you’ve received a text message that appears to be from HSBC, you can check if it genuinely came from us.


QR codes

In some cases, we may send you a QR code instead of an OTP.

A QR code is a 2D barcode that can be scanned to access secure information or links. 

We would never ask you to send us a screenshot of your QR code. If anyone does ask you to, then it’s a scam. 

Beware of token activation fraud

As online banking security strengthens, fraudsters are finding new ways to target individuals directly. One method is token activation fraud.

What is token activation fraud?

Token activation fraud is where scammers trick you into revealing your Secure Key activation code. 

Scammers often go to great lengths to seem genuine. For example, they might call you, pretending to be from your bank, and ask if you’ve authorised a payment. When you say ‘no,’ they’ll act understanding and offer to ‘stop the payment’ on your behalf.

To gain your trust, the fraudster will emphasise that they’ll never ask for your PIN or password. However, they’ll ask that you generate a code from your Secure Key. 

How to prevent token activation fraud

HSBC will never ask for the token generated by your Secure Key or mobile phone. These tokens are only used to:

  • Access online banking
  • Authorise transactions

They’re not needed to stop or block payments, and our fraud teams will never ask for them. You should never share these tokens with anyone.

If anyone contacts you requesting your Secure Key activation code or other login details:

  • Do not share them
  • Hang up the phone immediately and contact us to report it
  • Ignore suspicious texts and don’t click on any links
  • Report the text message to your mobile operator by forwarding the message to 7726, free of charge
  • Contact us using the number on the back of your card if you want to check whether the message was genuine
  • Delete the message

If you’re ever unsure about a call from someone claiming to be your bank, hang up and call back using a number you know is genuine.

See our fraud prevention guide for more tips on staying safe.

This article was last updated: 07/05/2026, 07:09