IG Japan Makes 2FA Mandatory as Phishing Threats Hit Online Brokers

IG Securities Japan will make two-factor authentication (2FA) mandatory for all clients in June, moving the feature from an optional setting to a required login step.

The broker said the decision follows a rise in phishing scams and unauthorized access attempts targeting online trading accounts. Once the new rule takes effect, clients who have not enabled 2FA will not be able to log in.

[Insert Image 1: IG Japan 2FA announcement screenshot]

Contents

01

2FA becomes required for account access

02

Phishing risk puts login controls under pressure

03

Data handling issues remain in the background

04

Security controls move closer to daily operations

05

About WikiFX

2FA becomes required for account access

Clients who have already activated 2FA do not need to take further action. Those who have not completed the setup are being asked to do so before the deadline to avoid login interruptions.

The setup requires an authentication app, such as Google Authenticator or Microsoft Authenticator. Clients can then enable 2FA through the settings area of the IG trading app.

IG Japan also warned that support requests may increase around the implementation period, meaning users who wait until the last minute could face delays.

Phishing risk puts login controls under pressure

Phishing attacks usually target account credentials through fake websites, emails, messages, or pages designed to look like official trading portals. Once login details are stolen, attackers may try to access trading accounts, view personal data, or interfere with account activity.

This is why password-only protection is becoming less reliable for online brokers. 2FA is becoming part of standard account protection, especially where client funds, trading access, and personal data are involved.

Data handling issues remain in the background

The 2FA rollout also comes after IG Japan disclosed two separate data-handling issues.

In one case, some employees within the wider group were able to view customer records through an internal system without proper authorization. The information that could be accessed included names, dates of birth, addresses, contact details, and Japans My Number identification data.

In another case, customer data was stored on an external server managed by another group entity without prior approval from IG Securities Japan. The company said this was linked to a contractor oversight.

These issues are separate from the phishing-related 2FA rollout. Still, they place the new login requirement in a broader security context, where brokers are facing pressure not only to protect trading access, but also to strengthen data control inside their own systems.

Security controls move closer to daily operations

For clients, the immediate change is practical: 2FA must be enabled to continue accessing the account after the deadline.

For brokers, the shift is part of a wider operational adjustment. Account security is no longer only handled in the background by IT teams. It now affects client onboarding, login design, support capacity, data governance, and the way platforms respond to fraud attempts.

The measure will not eliminate phishing risk on its own. But it reduces the chance that a stolen password is enough to access an account, and it makes login protection less dependent on a single credential.

About WikiFX

WikiFX is a global broker information platform that provides broker profiles, licence records, risk alerts, user exposure data, and regulatory updates to help users review a platforms public compliance background.