Preserve access, protect retirement

iTrustCapital accounts often hold retirement assets and sometimes precious metals. Losing access or suffering an account takeover in a retirement account can have outsized consequences — both financial and administrative. A small amount of planning applied consistently prevents most problems. This guide provides clear, practical steps designed for investors and advisors to sign in securely, reduce risk, and plan recovery without adding unnecessary friction.

Reliable Sign-in Routine
Phishing Awareness
Recovery Planning

How to sign in — web and mobile

Consistency is faster than improvisation. Use the same short sequence each time you access your account so important checks become automatic.

Web (desktop) — quick routine

  1. Start from a clean environment. Open a dedicated browser profile for finance with minimal extensions. This reduces add-on-related risks.
  2. Type the official domain manually or use a trusted bookmark. Avoid clicking links in emails or chats that claim urgent action.
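  3. Confirm the connection is secure. Look for HTTPS and inspect the domain carefully for typos or extra labels. HTTPS only shows that the connection is encrypted, not that the site is genuine, so the domain check is the one that matters.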
  4. Use a password manager to fill credentials. Autocomplete acts as a simple anti-phishing check: managers typically won't fill forms on wrong domains.
  5. Complete the multi-factor prompt. Use your chosen 2FA to authenticate and confirm any device prompts.
  6. Review account notices and activity after signing in. For retirement accounts, quickly scan recent transactions and messages for anything unexpected.
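
The domain checks in steps 3 and 4, written out as an added example (this is not iTrustCapital's or any password manager's code). It compares a URL with the saved sign-in origin the way autofill matching does and names the reason for a mismatch. The host `app.custodian.example` and the sample URLs are placeholders constructed for illustration.

```python
from urllib.parse import urlsplit

# Placeholder for the bookmarked sign-in origin (assumption, not the real domain).
SAVED_ORIGIN = ("https", "app.custodian.example", 443)

def origin_of(url):
    """Return (scheme, host, port), the tuple browsers compare for 'same origin'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, host, port)

def edit_distance(a, b):
    """Levenshtein distance, used to flag one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(url):
    """Classify a URL against the saved origin; only 'match' should get credentials."""
    scheme, host, port = origin_of(url)
    saved_host = SAVED_ORIGIN[1]
    if (scheme, host, port) == SAVED_ORIGIN:
        return "match"
    if scheme != "https":
        return "not-https"
    if (saved_host + ".") in host:
        # The real name appears as leading labels of some other registered domain.
        return "extra-labels"
    if edit_distance(host, saved_host) <= 2:
        return "typo-lookalike"
    return "different-domain"

if __name__ == "__main__":
    for sample in (
        "https://app.custodian.example/login",
        "http://app.custodian.example/login",
        "https://app.custodian.example.login-verify.test/",
        "https://app.custodlan.example/login",
    ):
        print(f"{check(sample):16} {sample}")
```

Anything other than `match` is the situation in which a password manager declines to fill, which is why a missing autofill prompt on a familiar-looking page is worth stopping for.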

Mobile app — practical steps

  1. Install only from official app stores (App Store / Google Play). Verify publisher and check recent reviews for authenticity.
  2. Enable an app PIN and biometric unlock for convenience, but require MFA for transfers and withdrawals.
  3. Keep the app current and audit app permissions periodically, especially on Android where overlays or accessibility settings can be misused.

If you receive a "new device sign-in" alert you didn't initiate, avoid clicking any embedded links. Sign in manually and review active sessions immediately.

Multi-factor authentication — recommended approaches

Multi-factor authentication (MFA) adds a second verification layer that prevents most account takeovers even when passwords leak. For retirement accounts, choose methods that balance safety with recoverability.

Common MFA methods

  • Authenticator apps (TOTP): Authy, Google Authenticator, or Microsoft Authenticator — widely supported and practical. If using Authy, protect the master account with a strong password and backups.
  • Hardware security keys (FIDO2/WebAuthn): YubiKey or similar — phishing-resistant and recommended for high-assurance accounts. Register both primary and backup keys.
  • SMS / phone codes: Convenient but vulnerable to SIM swap. Use as a fallback only, not the primary method for IRA accounts.

MFA setup checklist

  1. Sign in and navigate to Account → Security.
  2. Enable your primary MFA method and immediately register a backup (second authenticator or secondary key).
  3. Save recovery codes in a secure offline location (safe deposit box, encrypted hardware vault) — avoid cloud notes.
  4. Test the recovery process once so you know exactly what to do if you lose a device.

Do not store recovery codes unencrypted in email or standard cloud storage. Treat them like physical keys — loss of codes can severely delay access recovery for retirement accounts.

Account recovery — plan so you won’t panic

How you recover matters for retirement accounts. A considered plan prevents rushed mistakes and provides a clear path if devices or email access are lost.

Before you need it — prepare

  • Create and securely store printed backup codes. Store a copy in a safe or safety deposit box and consider an additional encrypted digital backup on a hardware vault.
  • Register at least two MFA methods — e.g., hardware key and authenticator app — so loss of one device doesn't lock you out.
  • Keep account contact information up to date: email, phone, and mailing address. If you work with an advisor, ensure access procedures are documented.
  • Document your recovery steps in a secure place and, if appropriate, include guidance for a designated executor in your estate plan.

If you’re locked out

  1. Try your saved recovery codes or alternate registered MFA device first.
  2. If recovery codes are unavailable, contact official iTrustCapital support and follow their identity verification flow — expect to provide ID and account details.
  3. After regaining access, rotate passwords and reconfigure MFA. Audit activity and API keys for any unauthorized changes.

Document the support case number and correspondence in your secure records so you can reference it in the future or share with your advisor/trustee if needed.

IRA-specific guidance & estate preparedness

Retirement accounts require special attention because they often form part of a long-term financial and estate plan. Beyond login security, maintain documentation and policies that protect beneficiaries and preserve tax records.

Beneficiaries & documentation

  • Ensure beneficiary designations are current and store printed copies of account agreements and beneficiary forms in a secure place.
  • Keep transaction confirmations and tax-related documents (Form 1099, RMD computations) archived in an encrypted document vault for the required retention period.
  • Include instructions in your estate plan explaining how trusted parties may access account information (without sharing passwords). Consider a secure custody method for keys or recovery information.

Transfers & withdrawals

For large transfers or distribution requests, require multi-step confirmations: call-backs to a verified number, sequential email confirmations, and, if possible, temporary holds to inspect unusual activity. This reduces the risk of fraudulent transfers out of retirement accounts.

Speak with your advisor or custodian about additional protective measures such as transaction alerts, transfer review periods, or secondary approvals for significant withdrawals.

Third-party integrations & API safety

When connecting tax aggregators, portfolio trackers, or custodial services, grant the least privilege required. Prefer read-only connections for reporting tools and use secure secret management for any programmatic credentials.

Best practices

  • Only authorize trusted services. Check reviews, support channels, and security documentation before granting access.
  • Prefer OAuth or officially supported connectors over sharing passwords or API secrets.
  • Revoke access for unused integrations during quarterly reviews and rotate any programmatic keys that remain active.

If an integration requests your password or MFA codes directly, stop immediately — that’s a red flag. Use official connectors or contact iTrustCapital support for approved integration options.

Troubleshooting common issues

Forgot password

Use the platform’s official password reset flow. If your email appears compromised, secure the email first (change password and enable MFA on the email account) before resetting financial account credentials.

Authenticator codes not working

TOTP codes depend on device time. Ensure your phone’s clock is set to automatic network time. If your hardware key is not recognized, check USB/BT permissions or try a different port/device.

Unexpected activity

  1. Change your password from a trusted device immediately.
  2. Revoke active sessions, API keys, and connected apps.
  3. Contact support and save case numbers; document suspicious transactions for your records and advisor.

Frequently asked questions

Can I access my iTrustCapital account from multiple devices?
Yes. You can sign in from multiple devices. Ensure each device is secured with OS updates, PIN/biometrics, and MFA for account actions. Periodically review active sessions and sign out of unused devices.

What should I do if I lose my phone (authenticator app)?
Use your printed recovery codes or a registered secondary authenticator/hardware key to sign in. If you lack backups, contact iTrustCapital support and be prepared to verify identity.

Is SMS-based MFA good for retirement accounts?
SMS is convenient but vulnerable to SIM-swap attacks. For retirement accounts, prefer authenticator apps or hardware keys; use SMS only as an emergency fallback.

How do I share account access with an advisor?
Use formal advisor access features if available, or set up clear documented procedures. Never share your password or MFA codes directly. Where possible, use role-based access and auditable connections.

Security checklist — quick actions

  • Confirm the official domain and HTTPS before entering credentials.
  • Use a unique, long password stored in a reputable password manager.
  • Enable MFA (authenticator app or hardware key) and register a backup method.
  • Store recovery codes offline (safe, encrypted vault, or physical backup).
  • Keep beneficiary information and account documents current and stored securely.
  • Limit third-party integrations and review them quarterly.
  • Document your recovery steps as part of estate or financial planning.

A short 7-point checklist like this, followed consistently, protects retirement accounts from most common threats without adding much daily friction.