You want to lock down your online banking so a stolen password is not enough to drain your account. Two-factor authentication (2FA) does exactly that: it asks for a second proof of identity at sign-in, so even someone who knows your password gets stopped at the door. The FTC compares it to using two locks instead of one.
The setup itself is usually quick, done inside your bank's security settings. The only real decision is which second factor to use, and the menu path differs slightly by bank.
This guide walks you through enabling 2FA on several major U.S. banks across web and mobile, plus the universal authenticator-app and security-key methods, ordered from quickest and most common to strongest. Pick the method your bank offers, follow the path, and you are done.
Before You Start: Confirm the Prerequisites
2FA is added to an existing login, not a replacement for it. You must already have an active online banking profile (your username or User ID plus password) before you can layer a second factor on top.
You also need a "something you have" factor ready to register. Depending on the method, that means a mobile phone number that can receive SMS texts, an email address on file, the bank's official mobile app, an authenticator app, or a hardware security key.
Make sure your contact details with the bank are current. An out-of-date phone number or email means verification codes get sent to a channel you can no longer reach, and you can lock yourself out.
Choose Your Second Factor First
2FA combines credentials from two of three categories. Knowing them helps you pick well:
- Something you know: a password, a PIN, or a security-question answer.
- Something you have: a one-time passcode by text, email, or authenticator app; or a physical security key.
- Something you are: your fingerprint, your face, or your retina.
Not all factors are equal. Per CISA and the FBI, SMS text is the weakest acceptable option: codes are unencrypted, can be intercepted, and are vulnerable to SIM-swapping (the FBI reported roughly $48M in SIM-swap losses in 2023). Authenticator apps and push approvals are stronger. FIDO/WebAuthn security keys and passkeys are strongest because they are phishing-resistant. For a bank, lean toward the strongest method offered.
Turn On 2-Step Verification (Chase, Web)
1. Sign in to your account at chase.com.
2. Open your security settings.
3. Find the option "Use 2-Step verification for extra security at sign in."
4. Toggle the switch on.
From then on, at sign-in you are asked to verify it's you by entering a one-time code, delivered by email or phone (your choice). On a supported browser you can also accept the prompt to create a passkey and follow the on-screen steps; you can still use your username, password, and 2-step verification as usual.
Turn On 2-Step Verification (Chase Mobile App)
1. Open the Chase Mobile app and sign in.
2. Tap "Profile & Settings" (top-right corner).
3. Tap "Settings."
4. Tap "Security & Privacy."
5. Scroll to "Ways you can be more secure."
6. Tap "Use 2-Step verification for extra security at sign in" and toggle the switch on.
To add biometric sign-in, go to Profile & Settings > Settings > "Sign-in preferences," scroll to "Face ID & Passcode," and toggle "Turn on Face ID" (or your device's fingerprint or facial recognition). You can optionally check "Add your device passcode with Face ID."
Activate 2-Step Verification at Sign-On (Wells Fargo, Web)
1. Sign on to wellsfargo.com.
2. Go to the "Security & Support" tab (this is the location on a computer).
3. Select "Activate or modify 2-Step Verification" (Wells Fargo's version of 2FA).
4. Choose how to receive your access code: email, SMS text, a phone call, or a push notification to the Wells Fargo Mobile app.
Once activated, you are prompted to enter an access code as part of the sign-on process. You can also create a passkey from the same "Security & Support" tab for password-free sign-on.
Activate 2-Step Verification (Wells Fargo Mobile App)
1. Sign on in the Wells Fargo Mobile app.
2. Open the "Security Center."
3. Activate or modify 2-Step Verification at Sign-On.
4. Pick your delivery method: push notification to the app, SMS text, email, or phone call.
If you choose SMS, note that access codes arrive from short codes 93557 and 93733. Save these as contacts so the texts are not mistaken for spam; carrier message and data rates may apply.
Turn On Mobile App Verification (Capital One App)
Capital One's app-based push approval is set up in the mobile app, not from a desktop browser.
1. Download the Capital One mobile app and agree to receive push notifications (required for this method).
2. Sign in to the app.
3. Tap "Profile" on the bottom toolbar.
4. Tap "Security."
5. Under "Additional Security," find "Mobile App Verification."
6. Toggle it on and enroll your device(s).
When you later sign in, Capital One sends a push notification; open the app and approve the request to verify it's you.
Add SafePass (Bank of America)
Bank of America's 2FA option is called SafePass. Set it up from the security or profile settings in your Bank of America online banking.
1. Sign in to Bank of America online banking and open your SafePass settings.
2. Choose a delivery method: a mobile number that receives SMS verification codes, or a SafePass Card hardware token (which must be ordered).
3. For the text option, provide a mobile number that can receive texts, or use a number already on file, and verify your identity when prompted.
Receiving codes by text is the no-cost option; the physical SafePass Card carries a fee, so choose the text option if you want to avoid the charge.
Add Your Bank to an Authenticator App
If your bank supports time-based codes (TOTP), an authenticator app is stronger than SMS and works the same way across banks. Support varies by bank, so confirm your bank offers an authenticator-app option first. Using Microsoft Authenticator as the example:
1. Install the authenticator app, then on the bank's site or app open the 2FA setup screen that displays a QR code (or a secret/setup key).
2. In Microsoft Authenticator, select the plus (+) icon on the top menu bar.
3. Choose "Other account (Google, Facebook, etc.)" for a bank or any non-Microsoft site.
4. Point your camera at the QR code to scan it; if the camera will not work, choose to enter the QR code/secret key and URL manually.
5. The account now appears in the app showing a verification code that changes every 30 seconds.
6. Back on the bank's setup screen, type the current 6-digit code to confirm and finish enabling 2FA.
Whichever app you use (Google Authenticator, Microsoft Authenticator, Duo, 2FAS, Keeper), save the backup/recovery codes the site displays right after setup. Store them in a password manager, not a screenshot or sticky note, or you can be locked out if you lose your phone. To sign in afterward, enter your password, then open the app and enter the current 6-digit code promptly, since it refreshes about every 30 to 60 seconds.
Register a Security Key or Passkey (Strongest)
Where your bank supports it, a FIDO2/WebAuthn key or passkey is the only widely available phishing-resistant option: it blocks logins to fake sites, which SMS, authenticator codes, and push cannot do.
1. Obtain a FIDO2/WebAuthn security key (such as a YubiKey) and, if required, create a FIDO2 PIN for it.
2. Sign in to your bank and open its security/authenticator settings on a supported browser.
3. Choose the "security key" or "passkey" option and start registration.
4. When prompted, insert the key into the USB port and tap/touch it to confirm presence, or use your device's biometric/PIN for a platform passkey.
5. Complete the prompts; the key or passkey is now registered.
For a Capital One passkey specifically, find the option via a prompt on the sign-in page, a message in your account view, or your security settings; follow the two or three browser/device prompts; review the passkey details; then authenticate with your fingerprint, face, or screen-unlock PIN, password, or pattern. You can find and remove passkeys later under Capital One Profile > Security. A passkey is a passwordless sign-in method, and you should never create one on a shared or public device, since others may then be able to access your account.
Mistakes and Gotchas to Avoid
- SMS is the weakest link. Use an authenticator app, push, or a security key for a bank if the option exists.
- Codes are not phishing-proof. A fake bank site can trick you into typing your authenticator or text code straight to an attacker. Only FIDO/WebAuthn resists this.
- Codes expire fast. The 6-digit time-based code refreshes every 30 seconds (some apps 30 to 60 seconds), so enter it quickly or wait for the next one.
- Your email needs 2FA too. Email-delivered codes are only as secure as the inbox receiving them.
- Removing a passkey takes two steps. Delete it both from the bank and from your device, browser, or password manager, or a stale copy lingers.
- No one should ever ask for your code. Banks will not call or text asking you to read back or share a one-time code, PIN, or password. A request to share a code is a scam.
Frequently Asked Questions
Which 2FA method should I pick for my bank?
Choose the strongest one your bank offers. In order of security: a hardware security key or passkey (phishing-resistant) is strongest, then an authenticator app or push approval, with SMS text as the weakest acceptable option.
Will I have to enter a code every single time I log in?
Not always. Some banks trigger an extra verification code only for sensitive actions, such as adding a payee, large transfers, or signing in from a new device, rather than on every login. Wells Fargo Advanced Access, for example, prompts on certain transactions or sensitive information, so you may not see a code each time.
What happens if I lose my phone or my authenticator app?
This is why you save the backup/recovery codes shown right after setup, stored in a password manager. Without them, losing the device that receives your codes can lock you out of your account.
The bank texted me a code I did not request, and a caller wants me to read it back. Is that legitimate?
No. Banks never ask you to read back or share a one-time access code. A request to share a code, PIN, or password is a scam, regardless of who the caller claims to be.
Is a passkey the same as a second factor?
Not exactly. A passkey is generally a passwordless way to sign in rather than a strict second factor added on top of a password. With Chase, for instance, you can still use your username, password, and 2-step verification even after creating a passkey.
Does Bank of America's SafePass cost anything?
Receiving SafePass codes by text is the no-cost option. The physical SafePass Card hardware token carries a fee, so choose the text option if you want to avoid the charge.











