Lesson Account profile and security

Mobile Authenticators

Learn more about mobile authenticators and how they can help secure your account.

Security icon

A Mobile Authenticator is a form of multi-factor authentication, and can help provide additional security when accessing your account online.

Authenticators are mobile apps that generate a unique time-based, 6-digit, one-time password (TOTP) that needs to be entered in addition to the standard username and password. 

Questrade now supports mobile authenticators as a layer of additional security for your account.

You can turn them on or off anytime from your Settings page.

We support all of the common authenticator apps including:

  • Google authenticator
  • Microsoft authenticator
  • Twilio Authy
  • LastPass authenticator

You can download an authenticator app from either the Apple app store, or from the Google play store on your mobile device.

Learn more about setting up an authenticator, common log in questions, and more below:

mobile authenticator example GIF

You can set up an authenticator from your Settings page:

1. Log in to your account.

2. Click your profile on the top right-hand navigation menu, then click Settings from the drop-down menu.

accessing settings

3. On the Settings page, hover down to the Security section and click on Edit.

editing 2 step verification

4. Click Set up beside the Authenticator app section.

setting up authenticator app

5. On the next page, you’ll be shown 10 recovery codes, please save these in a secure place.

save your recovery codes

For more information on recovery codes and how they work, please check out the section below.

Once you’ve saved these, click the green Continue button.

6. Once you’re on the next page, please open the authenticator app on your mobile device or phone, and add a new account.

set up your authenticator app

The authenticator app will give you the option to scan a QR code with your device’s camera, or you can enter the 15 character key shown on this page.

Once you scan the code, or enter the characters, your mobile authenticator will provide you with a secret code, please enter this at the bottom, then click Submit.

7. Congratulations, you’ve successfully paired the mobile authenticator on your device with your Questrade account.

Once you’re finished, you’ll see this screen below, and will be taken back to the Settings page.

authenticator ready to use

After you’ve set up your mobile authenticator, a new option will appear during a 2-step verification prompt when logging into your account.

Click the circle next to the Authenticator app option, then click Continue below to continue the log in process.

If you have lost your mobile device, or access to the authenticator app, you can click the blue Use recovery code link to use one of your recovery codes to log in.

Please see the section below for more information on recovery codes.

logging in with authenticator

On the next screen, you will need to enter the secret code from the authenticator app on your mobile device.

enter your code
  1. Open the authenticator app you have linked to your Questrade account.
  2. There will be a 6-digit one-time code shown next to your Questrade account.
  3. Enter the code from the authenticator app on the Questrade website.
    • If you’re logging into Questrade Edge Desktop, the process is the exact same.

This code expires every 30 seconds, please make sure to enter it before then.

Tip: If the code shown in your mobile authenticator is expiring soon, sometimes it’s better to wait until the timer ‘rolls over’.

Congrats! You’ve logged into your account using a mobile authenticator. Check out the sections below for more information about added security, recovery codes and more.

When you log into your Questrade account online, you will be asked to perform a 2-step verification if you’re logging in from an unfamiliar device for the first time, or if unusual network activity is detected.

You also have the option to enable Added security on the Settings page.

2 step verification

Click Manage to modify your added security settings here.

added security options

On this page, you have the option to turn on added security by clicking on the on/off button.

  • If you turn this option on, every time you log into your Questrade account your 2-step verification prompts will appear.
  • If this option is turned off, then 2-step verification prompts will only appear for new devices, or unfamiliar networks.

Enabling or disabling phone/email 2-step verification

On this page, you can also enable, or disable any of your additional verification options. By default, all three will be turned on after you enable your mobile authenticator, but you can also disable SMS or email notifications for additional security.

If you disable SMS or email 2-step notifications, you will only be able to log in using your mobile authenticator app.

If you have disabled SMS and email notifications, and lose access to your phone, you can still access your account using your secret recovery codes. Check out the section below for more details.

Alternatively, you can contact our support team via phone at 1.888.783.7866, or live chat to access your account if you have lost both your mobile device, and your recovery codes.

There are 10 recovery codes generated when setting up your mobile authenticator for the first time. These can be used to access your account if you lose your mobile device, or access to your mobile authenticator app.

save your recovery codes

Please take care to save these recovery codes in a secure location, preferably offline where they cannot easily be accessed. If you must store these codes online, please consider using a secure password manager app or tool.

Remember: If someone has access to your username, password and recovery codes, they can get access to your accounts. Please secure these codes like you would any other sensitive information. (locked filing cabinet, safe, etc..)

After you use a code to log in, that code expires, and will not work in the future. If you have used all five of your recovery codes, you can always generate a new set from the Settings -> Authenticator app page.

create new recovery codes


Once you create a new set of recovery codes, your old recovery codes are replaced, and will not work.

Please make sure to update your recovery codes wherever you have saved them once you generate a new set.

How does an authenticator system work?

Most modern authenticator systems use a combination of HOTP (hash-based) and TOTP (time-based) algorithms to generate unique one-time passwords.

When you first set up your authenticator, Questrade’s servers generate a secret key, (random letter/numbers, also shown as a QR code) and this secret key is shared with the authenticator app on your mobile device.

Once your mobile device and our servers both have a copy of this secret key, when you want to log in and are prompted for a 2-step verification, you will need to prove you have this secret key.

The authenticator app combines the secret key with the current time to produce a secret access code. It does this using something called a ‘secure hash function’, basically mixing the time and your key to generate a unique output that’s impossible to reverse.

Is Authenticator secure? Is my information shared with Google/Microsoft or etc? 

Mobile authenticators are extremely secure, and have been used in the cybersecurity, and gaming industries for over a decade.

When you share the secret code from Questrade’s website with the mobile authenticator of your choice, your information is not shared with, or passed on to any third-party companies. This secret code is only stored on your local mobile device, and no information is visible to the company that has created the app.

Does Questrade Edge Desktop support mobile authenticators?

Yes, when you log into Questrade Edge Desktop, if you are prompted for a 2-step verification code, the mobile authenticator will be the first option available.

What happens if I lose my mobile device?

If you’ve lost your mobile device with the authenticator app installed on it, you can still access your Questrade account using your manual recovery codes.

Alternatively, you can contact our support team via phone at 1.888.783.7866, or live chat to access your account if you have lost both your mobile device, and your recovery codes.

Can I remove my phone or email from my 2-step verification?

Yes, if you’d like, you can disable notifications via email or SMS for 2-step verification. To disable email or SMS notifications, you must first enable mobile authenticator. At least one 2-step verification method is always required.

Please note that by disabling these notification methods, you will only receive your secret login codes using the mobile authenticator app.

If you disable SMS/email notifications, we strongly recommend making sure you have access to your backup recovery codes if needed. If you lose access to your recovery codes and need to gain access to your account you must contact our customer service team by phone or live chat.

Please note, granting access during a lockout if you've lost your recovery codes can take up to 48hrs.

Your email and phone number in your profile still needs to be kept up to date and accurate in case we need to contact you, or in case you lose access to your mobile device, and we need to verify your identity.

If you disable mobile authenticator in the future, this will automatically turn SMS and email notifications back on.

Note: The information in this blog is for educational purposes only and should not be used or construed as financial or investment advice by any individual. Information obtained from third parties is believed to be reliable, but no representations or warranty, expressed or implied, is made by Questrade, Inc., its affiliates or any other person to its accuracy.

Related lessons

Want to dive deeper?

Read next

Explore

Have more questions?

Tell us what you need help with, and we’ll get you in touch with the right specialist.