Add Secure Multi-Factor Authentication (MFA) Options

Currently for MFA, Alpaca only offers an SMS option.

SMS was never designed for secure communication. Also SMS can open an account to hijacking via a SIM (phone port) attack.

The use of SMS has been questioned going back to 2016:

SIM port attacks have been on the rise, with the recent Twitter hack being a high-profile example. A successful SIM port attack could result in a hacker having a clone of your phone, and can be escalated to access into an email account.

Please offer more secure options such as Time-based One Time Passwords (TOTP).


Any update on when Alpaca will offer a secure MFA option?


I’ll chime in as to wanting this as well. I have multiple U2F keys as well as using TOTP.

SMS is incredibly insecure and I would not feel safe having any sort of money in any account that only supported it.


Is it really MFA? Or jsut 2FA? Can you clarifiy in the UI that it is 2FA and MFA is on its way? I’d rather use Authy or Google Authenticator. I personally know a few people who had their crypto drained from sim swapping. Let’s mitigate the risk. I know it’s an IAM thing and not sure if setting up for users in the dashboard could have an effect on API usage. IAM wrapped around APIs is a different way of authenticating (more based on the credentials, device, and localtion of request rather than the users identity).



This please! either one.


Same, a big security red flag for me, as well.

This really needs to be implemented. Preferably a protocol that is not locked into a single vendor.

Any updates on implementing a proper MFA?

1 Like

Please implement MFA, security is of the utmost importance!

Is there any update on this getting done? SMS, especially with certain providers, is relatively trivial to MITM. TOTP support at the very least so authy/google authenticator could be supported would be a nice start.

I’d particularly like support for FIDO U2F since it provides additional protection against certain types of phishing attempts.

Thanks for raising this topic and sharing your opinions!

We began to improve a toolset to secure a user’s accounts, so we just added TOTP MFA to security settings and started with the support of Google Authenticator.
Please, visit your Alpaca account > Settings > Security to enable it.

Take care!