Keeping your InvestEngine account secure with two-factor authentication (2FA)

  • Updated

Two-factor authentication (2FA) adds an extra layer of security to your InvestEngine account. As well as your password, you'll need to verify your identity every time you log in using a second method. This makes it much harder for anyone else to access your account, even if they know your password.

2FA is required to help protect your account and personal information from unauthorised access, and is mandatory for all InvestEngine customers.

How 2FA works

When you log in, you'll be asked to confirm your identity using two of the following three methods. You choose which two you'd like to use when you set up 2FA.

Method How it works Best for
πŸ“± Push notification A notification is sent to your InvestEngine mobile app. Open the app and tap to approve your login. Customers who regularly use the mobile app
πŸ’¬ SMS code A one-time code is sent to your registered mobile number by text message. Enter the code on screen to log in. Customers who prefer not to use the app
πŸ”‘ One-time recovery phrase A unique backup phrase generated when you set up 2FA. Enter it on screen to verify your identity. A new phrase is generated automatically after each use. Backup method if your primary options aren't available (i.e if you lose your phone).

Setting up 2FA

If you haven't set up 2FA yet, you'll receive an email from us prompting you to do so. After your deadline passes, access to your dashboard will be blocked until setup is complete.

Haven’t received your setup email? Check your spam or junk folder.

To set up or update your 2FA at any time:

  1. Log in to InvestEngine
  2. Go to Settings β†’ Login settings β†’ Two-factor authentication
  3. Select your two preferred verification methods
  4. Follow the on-screen instructions to confirm each method
  5. If you choose the recovery phrase: write it down and store it somewhere safe, you'll need it if you ever can't access your other methods

⚠️ Important: Your recovery phrase can only be used once. A new phrase is automatically generated each time you use it. Always make sure you have your latest phrase stored safely.

Logging in with 2FA

Once 2FA is set up, here's what happens each time you log in:

  1. Enter your email address and password as usual
  2. You'll be prompted to verify using your primary method (the first one you selected)
  3. If your primary method isn't available, you can switch to your secondary method, look for the option on screen (e.g. "Use recovery phrase" or "Use SMS instead")
  4. Once verified, you'll be taken to your dashboard

Common scenarios where you might have trouble logging in

Below are the most common situations where customers can get stuck, and what to do in each case.

πŸ”’ I'm logged out of the app and can't receive my push notification

Push notifications can only be received when you're logged in to the InvestEngine mobile app. If you've been logged out (for example, after reinstalling the app or logging out manually), you won't receive the push.

What to do:

  • On the login screen, look for the "Didn't receive the notification" link
  • Select your secondary method- either SMS code or one-time recovery phrase
  • Once logged in, your push notifications will work as normal again

πŸ“΅ I'm not receiving my SMS code

There are a few reasons you might not receive your SMS:

  • Your phone may have no signal or be in a low-coverage area
  • There may be a short delay β€” wait a moment before requesting again
  • You may have hit the maximum number of SMS requests in a short period

What to do:

  • Tap "Resend" to request a new code
  • If you still don't receive it, tap "Didn't receive the notification" and use your one-time recovery phrase instead
  • Make sure your registered mobile number is correct in Settings β†’ Personal details

πŸ”‘ I've lost or forgotten my recovery phrase

If you can't find your recovery phrase, and it's one of your two chosen methods, you may have difficulty logging in if your other method is also unavailable.

What to do:

  • If you can still log in using your other method (push or SMS), go to Settings β†’ Login settings β†’ Two-factor authentication and generate a new recovery phrase. Store it safely this time.
  • If you cannot log in at all, contact our support team (see below). We'll verify your identity and help you regain access.

πŸ”„ I used my recovery phrase and now I don't have one

Your recovery phrase is a single-use code β€” after you use it to log in, it's automatically replaced with a new one.

What to do:

  • After using your recovery phrase to log in, go immediately to Settings β†’ Login settings β†’ Two-factor authentication
  • Your new recovery phrase will be displayed β€” write it down and store it safely before logging out

πŸ“± I have a business account and a personal account with the same phone number

At present, the same phone number cannot be used as a 2FA method across both a personal and a business InvestEngine account simultaneously.

What to do:

  • Use a different phone number for one of your accounts, or
  • Contact our support team and we can help you find a workaround

🚫 My account is blocked- I can't get past the 2FA screen

If none of your 2FA methods are working and you're completely locked out, please contact our support team. We'll ask you to verify your identity before we make any changes to your account.

Getting help

If you're unable to log in and none of the above steps have resolved the issue, our Client Services team can help.

To verify your identity over email, we'll ask for:

  • Your date of birth
  • Your current postcode
  • Your National Insurance number

Once we've confirmed your identity, we can disable 2FA on your account so you can log back in and set it up again.

πŸ“§ Contact us: support@investengine.com

Tips for keeping your account secure

  • Always store your recovery phrase somewhere safe and offline (e.g. written down at home)
  • If you change your phone number, update it in Settings β†’ Personal details and re-verify it for 2FA
  • Never share your 2FA codes or recovery phrase with anyone β€” InvestEngine will never ask for them
  • If you think someone may have accessed your account without your permission, contact us immediately

Frequently asked questions

  • Why is InvestEngine making 2FA mandatory?

    2FA significantly reduces the risk of unauthorised access to your account. Even if someone obtains your password, they cannot log in without your second verification method. Protecting your investments and personal data is our priority.

  • Can I use an authenticator app (like Google Authenticator)?

    Not currently. Our 2FA currently supports push notifications via the InvestEngine app, SMS codes, and the one-time recovery phrase. We'll let you know if additional methods become available.

  • What happens if I get a new phone?

    If you get a new phone, log in to the InvestEngine app on your new device. Once logged in, push notifications will work as normal. If you have trouble logging in during the transition, use your SMS code or recovery phrase.

  • Will I need to do 2FA every time I log in?

    Yes, 2FA is required every time you log in to InvestEngine, on both web and mobile. However, if you close the mobile app without logging out, you can reopen it using your 4-digit PIN or your phone's biometrics (such as Face ID)- you won't need to go through 2FA again until your next full login.

  • What if I need extra support with 2FA?

    We know that setting up 2FA isn't straightforward for everyone. If you're finding it difficult, for any reason-  please get in touch and our team will be happy to help you through it.