Two-Factor Authentication
Two-factor authentication (2FA) adds a second step after your password. Even if your password is guessed, an attacker would still need access to your second factor. Digital Canada supports authenticator apps and optional backup codes for account recovery when your primary device is unavailable.
Current configuration
2FA enabled: Yes. Primary method: Time-based one-time password app (authenticator). Backup codes remaining: 7. Last method rotation: 2026-01-05T10:00:00-05:00. SMS fallback (masked): (•••) •••-0198. Security key (WebAuthn): Not registered.
Recommended practices
Store backup codes offline in a sealed envelope or password manager. Replace them after you use several codes or if you suspect they were copied. Authenticator apps are safer than SMS where SIM-swap fraud is a concern, but require device backup discipline.
Organization administrators may enforce stricter policies for staff accounts. Consumer accounts follow the settings you choose here, subject to minimum standards.
If you are locked out
Use backup codes or the guided recovery flow. Identity verification may require answering questions, uploading ID, or visiting a service location for high-risk resets. This protects your tax, health, and immigration-linked data from takeover.
How 2FA connects to the rest of the wallet
Raising assurance levels here indirectly protects pages such as SIN, T4, and immigration status. When you rotate factors, also review active sessions for stale logins on shared PCs.