How to Activate a Mobile Authenticator App

Background

You can now authenticate using your favorite Authenticator app. These apps are based on an industry standard called TOTP (Time-based One-Time Password), a form of two-factor authentication (2FA). It is a software-based solution that is independent of phone carriers and Internet access: it relies on unique numeric codes, generated offline from a secret key and the current time.

The TOTP standard is supported by a number of Mobile Authenticator apps (e.g. Microsoft Authenticator, Google Authenticator, Authy) as well as by many Password Managers (e.g. 1Password, KeePass, Keeper). This wide support gives you a great degree of freedom when choosing which application to use. If you are already using an application with TOTP support for other services, you may simply add your IBKR user to it; otherwise you may install a Mobile Authenticator app of your choice.

In this guide we cover the Mobile Authenticator activation using a few widely used apps, but the procedures outlined here apply to a number of other apps with minimal differences.

Popular Mobile Authenticator apps

Most Mobile Authenticator apps are designed for, and primarily installed on, mobile devices such as smartphones. Below, we guide you through some basic operations for the case where the app is installed on a smartphone. Here is a list of commercial and free apps, some of which can also be installed on desktop machines.

  1. Microsoft Authenticator

  2. Google Authenticator

  3. Authy

  4. 1Password

  5. KeePassXC

  6. Yubico Authenticator

If you are not yet using an Authenticator app, we recommend choosing one that has a cloud sync and recovery mechanism, such as apps 1-4 above.

Adding your IBKR login to your Mobile Authenticator app

Best practices

  1. Enable the screen lock protection for the Mobile Authenticator app.

    This function controls access to the app through a Fingerprint / FaceID check. We strongly recommend that you protect your TOTP codes behind this additional layer of security.

    • On Microsoft Authenticator the function can be enabled from the app Settings → Privacy Screen.

    • On Google Authenticator the function can be enabled from the app Settings → iCloud Backup.

    • You can probably find the Screen Lock functions of your Password Manager among the main app Settings or under the sub-category "Security".

  2. Back up your Mobile Authenticator app configuration in the cloud.

    Several Mobile Authenticator apps offer the possibility to back up their configuration in the cloud. If, for some reason, the app becomes unusable or you inadvertently delete it and have to reinstall it, you can immediately restore its configuration without the need to call our Client Services.

    Note: On Microsoft Authenticator, the backup function requires you to log in with a Microsoft Account. On Google Authenticator, an iCloud account on iOS or a Google Account on Android is required.

    • On Microsoft Authenticator, the function can be enabled from the cloud icon on the toolbar.

    • On Google Authenticator the function can be enabled from the app Settings → iCloud Backup.

    • If your Password Manager app offers Backup or Sync functions, you can probably find them among the main app Settings or under the sub-category "Backup" or "Sync".

FAQ

  1. Can I use the Mobile Authenticator along with other security devices?

    Yes. We support M2FA (Multiple 2-Factor Authentication) for the Mobile Authenticator. Upon login to IBKR, you will be able to select which 2FA method to use from a drop-down menu.

  2. I have multiple usernames. Can I activate them on the same Mobile Authenticator app?

    Yes, absolutely. You can repeat the exact same activation procedure for all your usernames, in order to create multiple entries under your Mobile Authenticator app (one entry for each username).

    Alternatively, you can use different Mobile Authenticator apps for different users or groups of users, but we do not regard this as an optimal or practical solution, as it is very easy to forget or confuse this set-up.

  3. Can I use multiple Mobile Authenticator apps to generate codes for the same user?

    In general, it is not possible to have multiple Mobile Authenticator apps generating valid codes at the same time for a given user. Every time you activate a user, a new QR code (and hence a new secret key) is generated, and the latest key overrides all the previous ones. Therefore, only the last Mobile Authenticator app that you have activated will generate valid codes for that user. The other apps will generate invalid codes, which will be rejected upon login.

    There are a few Password Manager and Mobile Authenticator apps (like 1Password, Authy) which can sync the codes across devices (through the creation of an account on their platform). In this way, they allow multiple devices to display valid codes.

  4. I am planning to buy a new mobile device. How can I transfer the settings of my current Mobile Authenticator app to the new device?

    You have several options. We list them below, starting from the least time-consuming:

    • Enable the Backup/Sync option for your Mobile Authenticator app (see point 2 in Best Practices) on your current phone or tablet. Once you have received your new device, you will be able to restore your app configuration directly from the cloud, within seconds. With this option, you would not need to have both devices simultaneously at hand.

    • Only for Google Authenticator: use the "Transfer Accounts" function from the main app menu (sandwich icon on the top left corner) and you will be able to copy the entries to your new phone. In order to use this option, you need to have both devices simultaneously at hand.

    • Start from scratch on the new device and scan the QR code from your Client Portal again to re-activate your user. With this option, you do not need to have the old device at hand, but you need to have access to your Client Portal or contact our Client Services to obtain temporary access. The entire operation could be time-consuming, especially if you have multiple usernames to re-activate.

  5. I removed my username entry from the Mobile Authenticator app but I am still prompted to enter the code when I log in to IBKR. What should I do?

    By design, removing the code generator entry from your Mobile Authenticator app does not simultaneously disable this 2FA method on the IBKR back-end systems. For this reason, our platforms will still prompt you to enter the Mobile Authenticator codes upon login, although you can no longer generate those codes on your app.

    Should you be unable to restore the entry on your Mobile Authenticator app using the instructions at point 4 of "FAQ - Issues and Solutions", please contact our Client Services on the phone to receive assistance.

FAQ - Issues and Solutions

  1. When I try to scan the QR code, the camera does not activate.

    • On iOS devices, in the Global Settings of your device, locate your Mobile Authenticator app settings. There, make sure the switch to allow access to "Camera" is activated.

    • On Android devices, you can access that switch from the Global Settings of your device → Apps & Notifications → your Mobile Authenticator app → Permissions.

      Should you still be unable to use the camera to scan the QR code, please manually enter the strings displayed below the QR code instead.

  2. The codes generated by my Mobile Authenticator app are not accepted for the Activation.

    Please make sure that the entire operation of entering the codes in the activation screen does not exceed the code validity time window (30 seconds). Also, do not use a code which is about to expire; wait for a fresh one instead. If the code is nevertheless rejected, please check that your device's internal clock is correct and automatically synced with the current time, as follows:

    • On iOS devices, you can enable this function from the Global Settings → General → Date & Time. Please make sure the switch "Set Automatically" is active and that the correct Time Zone is selected.

    • On Android devices you can enable this function from the Global Settings → System → Advanced → Date & Time. Please make sure the switch "Automatic Date & Time" is active and that the correct Time Zone is selected.

      Note: On the Google Authenticator app for Android only, you also need to use the function "Sync Now", found within the app Settings → Time Correction for codes.

  3. I activated a new Mobile Authenticator app for my user and now the codes generated by the old one are rejected.

    This is expected and by design. It is not possible to have multiple Mobile Authenticator apps generating valid codes at the same time for a given user. Only the last Mobile Authenticator app that you have activated will generate valid codes.

  4. I had to reinstall my Mobile Authenticator app but I lost the entry I previously created.

    • If you previously enabled the Backup/Sync option (see point 2 in Best Practices) you can now restore the app configuration from the cloud. In the app main Settings or under the sub-category "Backup" or "Sync" you should find the Restore function.

    • If the Backup/Sync option was not active, you need to manually re-create the entry for your username by scanning the QR code from your Client Portal again.

    • If the Mobile Authenticator was your only active 2FA method and you cannot log in to your Client Portal, please contact our Client Services on the phone in order to obtain temporary access.
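
The rejection cases described in this FAQ (a code entered after its 30-second window, a device clock that is off, and an old app after re-activation with a new secret key) can be reproduced with a short TOTP sketch. This is an added example, not IBKR's code; it assumes the RFC 6238 defaults (HMAC-SHA-1, 6 digits), a Base32-encoded secret, and a hypothetical `drift_steps` tolerance, none of which this page specifies.

```python
import base64, hashlib, hmac, struct

STEP = 30    # code validity window in seconds, as stated on this page
DIGITS = 6   # assumption: RFC 6238 default length, not stated on this page

def totp(secret_b32: str, unix_time: float) -> str:
    """TOTP code for a Base32 secret at a given time (HMAC-SHA-1 assumed)."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", int(unix_time) // STEP)  # 30 s steps since epoch
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, server_time: float, drift_steps: int = 0) -> bool:
    """Server-side check; drift_steps is a hypothetical tolerance in steps."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * STEP), code)
        for i in range(-drift_steps, drift_steps + 1)
    )

# Constructed sample secrets: the RFC 6238 test key and an arbitrary second key.
OLD_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
NEW_SECRET = "JBSWY3DPEHPK3PXP"

def scenarios() -> dict:
    server_now = 1111111111                   # server clock (constructed)
    return {
        # Code read 2 s earlier, just before its 30 s step ended.
        "expired_strict": verify(OLD_SECRET, totp(OLD_SECRET, server_now - 2), server_now),
        "expired_tolerant": verify(OLD_SECRET, totp(OLD_SECRET, server_now - 2), server_now, 1),
        # Device clock 5 minutes slow: outside even a one-step tolerance.
        "clock_5min_slow": verify(OLD_SECRET, totp(OLD_SECRET, server_now - 300), server_now, 1),
        # After re-activation the server holds NEW_SECRET; the old app's code fails.
        "old_app_after_reactivation": verify(NEW_SECRET, totp(OLD_SECRET, server_now), server_now),
        "new_app_after_reactivation": verify(NEW_SECRET, totp(NEW_SECRET, server_now), server_now),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the tolerant check and the newly activated app are accepted; the code depends on nothing but the secret key and the clock, which is why correcting the device time or restoring the current secret resolves the rejections.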