Protecting your Oyster and contactless accounts

To strengthen existing security measures, we've introduced multi-factor authentication (MFA) to Oyster and contactless accounts.

The next time you sign into your Oyster or contactless account, we'll ask you to set up MFA by providing a mobile phone number.

After that, every time you sign into your account a 6-digit code will be sent to that number to check you are who you say you are.

Details of the change

MFA

  • You will enter your username and password as before, but you will also need a one-time code to sign in to your account. This will be sent by SMS (text message) to a registered mobile phone
  • MFA adds an extra layer of security to the sign-in process. It helps to confirm you are who you say you are when signing in to your TfL account, offering additional protection for your personal information
  • You will need to have your registered mobile phone available every time you sign in to your account
  • Contact phone numbers are now available under 'Personal details'. This optional field can be the same as (or different from) your authentication mobile number used for MFA. If you've already given us a contact number, this will now be visible - check that your details are up to date

TfL website

  • As part of this update, we have redesigned parts of our website. Some screens will look a little different, including the personal details dashboard for Oyster and contactless accounts
  • We've introduced a new customer dashboard so you can access TfL services and your personal data in one place. We'll introduce useful links and access to other services from the dashboard in future

Your mobile phone

  • We need a mobile phone number to verify your identity and set up MFA on your account
  • You'll need this phone to receive text messages (SMS) from us every time you sign in to your Oyster or contactless account online or on the TfL Oyster and contactless app
  • All SMS messages with the one-time code will show 'TfL' as the sender
  • We will not use your mobile number for any purpose other than to text you codes so you can use your account (unless you've given us the same number when contacting us for another reason)
  • You can use a non-UK mobile number to authenticate your account. When adding your mobile number, select the appropriate country code from the drop-down list
  • You can only set up MFA for one mobile number
  • If you do not have access to a mobile phone, we can still support you. Call us on 0343 222 1234 (TfL call charges) for any questions about Oyster or contactless

Get ready for the change

  • Download the latest versions of the TfL Oyster and contactless app and web browsers on your devices
  • Use a secure, strong password made up of different characters and numbers, ensuring it doesn't include any personal information
  • Use separate passwords for your accounts
  • Remember to sign out of your account, especially if using a shared or public device

What you need to do

Signing in to an existing account

  1. You'll be prompted to set up MFA the first time you sign in after the upgrade - we'll email you a one-time code to verify you own the account you're trying to sign in to
  2. When you next sign in after that, enter your email address and password as you do now - we'll then send a 6-digit code to your registered mobile phone
  3. You will need to enter the code texted to your registered mobile phone every time you sign in
  4. You may be asked to authenticate again when accessing or updating personal information

Signing out of an account

  • App: you'll be automatically signed out of your account if you do not access the app within 14 days. If you're using a shared device, ensure you sign out when you have finished accessing your account
  • Web: you'll be automatically signed out of your account when leaving the screen idle for 20 minutes. When you're finished using your Oyster or contactless account, make sure you sign out, especially if using a shared device

Creating a new account

  1. To create a new account, enter an email address. It must have fewer than 100 characters
  2. You must have access to the email address to receive a one-time code for the initial set up
  3. Once you have entered the correct one-time code, you'll be asked to provide your personal details including a mobile number to set up MFA
  4. When you first sign in to the account, we'll send a 6-digit code to your registered mobile phone. Enter the code in the sign-in tool to confirm you are the account owner
  5. You will need to enter the code texted to your registered mobile phone every time you sign in
  6. You may be asked to authenticate again when accessing or updating personal information

Make sure you sign in to or create your:

Update any saved bookmarks or favourites to ensure you're using the correct links to access your account.

Updating personal details

You'll be able to update your personal details, including the mobile number you registered for MFA:

  • Personal details: select 'Personal details' in the menu on the right-hand side of the screen and then select the personal details to update. The personal details dashboard has been updated
  • Authentication mobile number: select 'change mobile number' when you sign in. You will need to verify your old mobile number to change to your new mobile number. Make sure you can receive text messages on your old number first. If you don't have access to your old mobile phone number, call us on 0343 222 1234 (TfL call charges)
  • Email address: select 'Personal details' in the menu on the screen and then select 'Update details'. Make sure you have access to your old and new email addresses as you'll receive a one-time code to your email address to verify it. If you're having difficulty updating your email address, call us on 0343 222 1234 (TfL call charges)

Forgotten details

Forgotten password

If you forget your password, you can reset it as you do now:

  • App: Click 'reset password' before signing in to change your password. Enter your email address so that the reset password instructions can be sent to you
  • Website: Click 'forgot password' before signing in to change your password. Enter your email address so that the reset password instructions can be sent to you

Forgotten email address

Contact us on 0343 222 1234 (TfL call charges)

  • Contactless: 08:00-20:00 Monday to Friday (09:00-17:30 Saturday to Sunday)
  • Oyster: 08:00-20:00 Monday to Sunday

Errors

One-time code errors

  • If you get an error when entering the correct one-time code, close the browser or mobile app and try again in 30 minutes
  • If you try to request a code and get an error, close the browser and try again. Ensure you are entering the correct email address when creating an account or updating your email address

Customer dashboard error

If you get a 'not available' or 'something went wrong' error when accessing your personal profile, close the browser or mobile app and try again in 30 minutes.

Adding a UK address error

You must provide a house/flat number OR house/flat name when adding a UK address. At least one of these fields must be populated and cannot be left blank.

Adding a non-UK address error

When adding a non-UK address, ensure that you have entered details in the correct format. The fields when creating an address are free text fields, but check that you've entered the correct characters, for example numbers and/or letters.

Signing out

If you step away from your device, your session will time out due to inactivity and you'll receive an error. Close the browser and sign in again.

General advice on error messages

If you receive an error message and can't sign in, try closing your browser/app. If that doesn't work, try again later.

From outside the UK and Europe

Accessing Oyster and contactless services

Protecting our customers' data is paramount and we want to ensure personal accounts remain safe. As part of this ongoing work, Oyster and contactless online accounts can only be accessed within Europe.

We're aware of an issue with accessing the Oyster and contactless app outside of the UK and are working on a fix. In the meantime, access your Oyster account on the Oyster cards page and contactless account on the contactless and Oyster page.

Customers from outside Europe can continue to contact us for help. In London you will still be able to travel using an Oyster or contactless card, as well as top up the cards at a ticket machine or an Oyster Ticket Stop.

Receiving SMS when you're outside the UK

If you're trying to access your account from outside the UK you can still receive an SMS from us with a 6-digit one-time code, but the sender might not show as 'TfL'.

Call us on +44 343 222 1234 (charges may apply - check with your operator) if you have any concerns.

If you have not received the one-time code you requested for a non-UK number, check with your mobile phone provider.

Why we're using SMS authentication

  • SMS multi-factor authentication adds an accessible and commonly used layer of security to protect our online services
  • We continue to review our security to find the best balance between protection and usability
  • We may consider additional authentication methods in the future