One of the realities of travel in the modern world is that everything from customs and immigration down to your loyalty program requires you to have some kind of an online profile or app.
Do you collect airline miles? You need a login for that. Hotel points? You need one for that, too. Heck, in the era of Big Data, even Tim Hortons has a reward scheme so they can study and incentivize your consumer habits to align with buying more donuts.
And where there are valuables, there are thieves or other bad actors. Understandably, most companies want to try and protect your hard-earned miles and points from people who aren’t you.
One of the imperfect ways your points are secured these days is via two-factor authentication, which I’d like to give you some tips on dealing with while traveling, and also make a modest proposal for minor reform to certain bank and loyalty programs as there is definitely to be a better way to handle two-factor authentication.
With that in mind, let’s explore how you can make dealing with this aspect of travel a bit easier going forward.
What is Two-Factor Authentication?
Two-factor authentication (2FA) is a fancy way for a financial institution or loyalty program to verify that you are you. Data breaches are common and of course, most companies want to limit the liability that could arise from such breaches. Plus, it’s just good business to protect your customer’s personal information.
Ultimately, they want to protect your account. This also protects them because it prevents you from suing them if all your Starbucks stars get burnt somewhere you never intended them to be by unknown scammers.
The way they do this is by asking you to provide another piece of proof you’re the account holder but without something as long or laborious as an ID check
In most cases, this is done in North America via SMS text message. This method is convenient when in Canada or the United States as everyone has a cell phone and SMS technology is standard-issue here.
This becomes very annoying overseas, however, because certain financial institutions and loyalty programs may only accept Canadian phone numbers. That means if you need to receive a text message while overseas, you’ll be on the hook for roaming charges. This same logic applies when banks prefer to permit logins only after giving you a phone call; great in Canada, but not so great when you are traveling elsewhere.
On the other hand, many loyalty programs in particular may only use email to issue you a code to verify your identity. This can be convenient for access anywhere there’s internet, but could be a bit of a security flaw: many folks recycle the same passwords, so if your banking password is compromised, your email could be as well.
This leads many places to a third option: push notifications to an app on a registered device. Some banks are innovating with this, and whilst it isn’t perfect, it’s much better for would-be travelers than the alternatives. Simply receive the notification, approve it, and you have verified yourself.
How to Deal with Two-Factor Authentication When Traveling
So the real question becomes: how do you avoid dealing with 2FA when traveling? If you do have to deal with it, how do you make the process painless so you can access your credit cards or points while traveling, and how do you avoid being charged the ever-annoying roaming fees?
First up I need to clarify that because your bank or loyalty account is linked to your normal physical phone number, you’ll have to receive text messages via your normal SIM card. Alternatives such as eSims don’t work for companies that only use SMS protocol.
This means that the prep work is key: make sure to have all of the banking apps for the credit cards you intend on using installed on your phone before you travel. Also, for those banks and loyalty programs that allow it, set your device to be your registered or favorited device so push notifications will come to the device in your hand and not one that you left at home.
I’d say this also means emphasizing some of the issuers from the list below who prefer using app notifications over SMS. This also makes eSims an attractive way to ensure you always have connectivity.
The sad thing though is that this also means you probably need to travel with your Canadian SIM at all times, and may need to put it into your phone and bite the bullet of roaming charges to access your accounts. This is never fun, but sometimes is necessary. Unfortunately, it just is the cost of traveling and needing to access accounts in a pinch.
Lastly, if you go to any country, have a way to make long-distance international phone calls at an economical rate. At some point, you may be forced to call your bank and in such situations, calls can be very expensive. I typically will ask hotel concierges how to make calls at a discounted rate if I need to do so.
List of Two-Factor Authentication Requirements for Banks
Most banks don’t use two-factor authentication in all instances. However, logging in from a new unrecognized location or making certain types of transactions can trip this.
For example, when I use Simplii Financial’s Global Money Transfer tool to take advantage of their competitive exchange rate and pay with no interest via my Simplii Financial Cash Back Visa card, I am always prompted with an in-app push notification on my main registered phone to complete the process.
We’ve captured the two-factor authentication methods offered by Canadian banks below:
| Canadian Bank | Two-Factor Authentication Method(s) |
|---|---|
| American Express | No two-factor Authentication at home or abroad |
| Bank of Montreal (BMO) | Text message or email |
| Brim Financial | No two-factor authentication; automated or manual account locks must be resolved by calling one of the numbers on the back of the card |
| Canadian Tire Financial | |
| CIBC | Phone call, email, text message, or push notification on one preferred device |
| Desjardins | Text message or push notification via the Desjardins app |
| EQ Bank | Email or text message |
| Manulife | Email or text message |
| MBNA | Phone call or text message |
| National Bank | Email or text message |
| PC Financial | Email or text message |
| Royal Bank of Canada (RBC) | Preferred device app push notification (one device only at a time) |
| Rogers Bank | |
| Scotiabank | Preferred device app push notification (one device only at a time) |
| Simplii Financial | Choice of phone call, email, text message, or push notification on one preferred device (same as parent CIBC) |
| Tangerine | |
| TD | Phone call, text message, or TD Authenticate app |
| Wise | App push notifications |
List of Two-Factor Authentication Requirements by Loyalty Program
Most loyalty programs don’t yet have mandatory two-factor authentication when logging in, however some of the most prevalent such as Marriott Bonvoy and Air Canada Aeroplan now do whenever logging into your account on a new device.
In other situations, two-factor authentication may be made when making certain transactions, such as bookings, or when transferring points or nightly certificates via programs such as World of Hyatt.
We’ve captured the two-factor authentication methods offered by the loyalty programs most used by Canadians below:
| Loyalty Program | Two-Factor Authentication Method(s) |
|---|---|
| Air Canada Aeroplan | Two-factor authentication is optional but recommended; email or text message |
| Air France-KLM Flying Blue | Can only log in to FlyingBlue accounts via a code that is texted or emailed to the primary account holder |
| Alaska Mileage Plan | |
| Best Western Rewards | |
| British Airways Executive Club (Avios) | Email (must provide an email address when booking via the phone) |
| Marriott Bonvoy | Email or text message (texts don’t tend to work well for Canadian phone numbers) |
| Hilton Honors | |
| IHG One | No two-factor authentication |
| World of Hyatt | |
| Westjet Rewards | Email (same as Westjet website) |
| Wyndham Rewards | Text message when logging in |
Two-Factor Authentication: There Has To Be A Better Way
I’d like to opine for a moment about something: the current way that two-factor authentication works in Canada and the United States isn’t ideal.
It relies almost entirely on either phone calls or SMS text messaging protocol made to people with North American SIM cards in their phones. If they roam abroad, this costs customers a lot of money. Worse yet, I don’t know if it makes folks’ accounts super secure, as 2FA often feels like a way to minimize liability for card issuers more than just about securing account information.
In many other parts of the world, third-party secure apps like Google Authenticator are the norm.
These apps work by allowing you to download the app to your phone. You can then use this app to answer any 2FA questions you receive from a service requesting a higher level of security authentication.
This means you can access your accounts anywhere so long as you have your trusted mobile device with one of these apps installed, and in fact, TD Bank in Canada even operates on this logic with their own authenticator app.
Of course, this method isn’t perfect either, as if you lose your phone you may find it hard to access anything at all. But overall, I think it makes a lot more sense than using a form of text message technology that isn’t very common around the world and which costs travelers a lot of money every time they have to try and use it.
Here’s hoping a compromise can be found in the future by our major banks and we can move towards a more consumer-friendly and secure future.
Conclusion
Two-factor authentication is a reality of modern digital life. Banks and loyalty programs will use it to protect your account from intrusion and protect themselves from having to settle too hard with angry customers.
Unfortunately, it means that most in Canada are using slightly outdated technology such as SMS text message verification. Safety is very important both for our money and miles, but this type can be clunky and expensive when abroad. Banks that emphasize push notifications or allow integration with authenticator apps are much more preferable and friendly for travel needs.
Going forward, I am hopeful that push notifications and third-party authenticator apps will become more standard as technology improves, as those are by far the best options for two-factor authentication when traveling.
Until next time, make sure you have data on your e-sim and a friendly hotel concierge who knows where the cheap long-distance payphones are.
Frequently Asked Questions
eSims can work only on data-enabled methods such as push notifications on your authorized device or email, but will not work for phone calls or SMS authentication.
If you can, set up your bank or loyalty account two-factor authentication to require an email or push notification.
If this isn’t offered, there aren’t any great ways to handle this short of using your normal phone number which can incur additional costs when traveling.
Kirin Tsang
Latest posts by Kirin Tsang (see all)
- How To Pick a Premium Credit Card - Mar 17, 2025
- How to Deal With Two-Factor Authentication While Traveling - Feb 24, 2025
- How to Save Money on Sporting Event Travel with Miles & Points - Feb 17, 2025
- Canadian Credit Cards With Annual Credits: What You Need To Know - Feb 7, 2025
- Guide to the Amex Platinum $200 Dining Credit - Jan 24, 2025
