Make your GoCardless account more secure in 1 minute or less with two-factor authentication

Having a strong password is still one of the best ways to make sure your account is secure.  But should 60-year-old technology really be the only measure you have against attack on your data? In short, probably not. 

There are, of course, a few password best practices that have a big impact on security:

1. Choose passwords that are at least 12 characters or more 

2. Use a mix of upper- and lower-case letters 

3. Include numbers and special characters (@, £,$, *, etc.) 

4. Don’t reuse passwords

But while strong passwords are great means of protection, they remain vulnerable to attack because the sign-in process is dependent on just one security factor. That means that if a fraudster got a hold of your password, there’s nothing stopping them from accessing your customer’s data. 

Oddly, it seems users are aware of the risks but are reluctant to do anything about them. Nine in ten people understand the risks associated with poor password practices -- like password reuse. Nevertheless, 60% of people still reuse passwords on multiple accounts. 

This is where two-factor authentication (2FA) becomes a key ingredient in adding an additional layer of security to your account. 

What is 2FA? 

2FA increases security to your account, usually in the form of an additional and separate technical device (mobile phone or laptop) required for login. This means that if someone somehow gets a hold of your password they still won’t be able to access your account without the 2nd layer of security. 

2FA, also sometimes referred to as two-step authentication or multi-factor authentication (MFA), is usually done through your smartphone either in the form of an SMS or an authenticator app, each of which generate single-use codes required for sign-in. See screenshot example here of Google Authenticator (Android/iOS).

2FA is a basic security requirement for you to protect you and your customers, and the ICO recommends you use 2FA where it is available as part of meeting your obligations under GDPR.

Why should you care?

Business email compromise (BEC) has long been among the most common types of fraud on the Internet. Between 2016 and 2019, the FBI estimates that over $26bn was lost to scams and fraud deriving from BEC. In that same timeframe, there were an estimated 55,000 reported incidents per year. 

In May of 2020 trading firm Vicu Financial, lost over $6.9m after hackers successfully completed two fraudulent wire transfers using a stolen email address. 

The data of your customers is also at stake. This October, the ICO fined British Airways over £20 million for not properly protecting the personal and financial information of 400,000 customers. 

But it’s not just large organisations who should be careful, French auto insurer Active Assurances was fined €180,000 in 2019 for insufficient data protection measures. 

2FA is one of the easiest and quickest ways a business can better protect itself against data theft and fraud. Nevertheless, it’s been reported that only 26% of US businesses are using 2FA or another form of multi-factor authentication. 

We want to change that.

How do I protect myself?

First the good news. Setting up 2FA with GoCardless is super easy and takes a matter of minutes. 

Even better news, Microsoft estimates that this simple act can help protect you against 99.9% of account compromise attacks. 

Set-up 2FA directly on your GoCardless dashboard simply by flipping a switch. 

You can then choose whether to receive your 2FA security code via SMS or on an authenticator app like Google Authenticator, or Authy. 

Once enabled, we will automatically send you a single-use code that you can use to securely sign-in.  It sounds inconvenient -- but it should take less time than it took you to finish reading this sentence. 

Check out our step-by-step instructions here.

Still not sure what 2FA is, or have more questions? Check out our security and protection FAQs here.