TreasuryDirect Account Security: Logins, Passwords, and Protections

Securing your TreasuryDirect account comes down to a mix of automatic protections built into the platform and a handful of things you’ll configure yourself. Here’s a rundown of both.

The Login Process

Signing in requires more than just a password. You start by entering your account number, after which a One Time Passcode (OTP) gets sent to your email. You’ll enter that code before you ever reach the password screen. A couple of things to know:

• The OTP is case sensitive, though you can copy and paste it straight from the email
• It expires after 15 minutes, or the moment it’s used — whichever happens first

Once through the OTP step, you’ll reach the password page, where you’ll see a personalized image and caption that you set up when opening your account. These aren’t decorative — they’re there to confirm you’re on the actual TreasuryDirect site and not a phishing page designed to look like it. Both can be changed at any time through your account settings.

Password Requirements

Whether you’re setting a password for the first time or updating an old one, TreasuryDirect holds passwords to current security standards. If yours has been the same for a while and it’s on the simpler side, it’s worth a refresh.

Valid passwords must:

• Be at least 12 characters, with no spaces
• Use any mix of letters, numbers, and special characters, except for these: < \ > - % / "
• Avoid anything personally identifiable — your name, birthday, phone number, and similar details are all bad choices. Something you can reconstruct from memory, like a phrase meaningful only to you, tends to hold up better.

Security Questions

During account setup, you’ll select three security questions and write your answers. They serve double duty: helping you recover access if you forget your login credentials, and acting as a verification check before certain transactions go through.

Worth keeping in mind:

• Answers must match exactly what you originally entered
• You can update both questions and answers whenever you want
• If you went with something like “What is your mother’s maiden name?” or “What city were you born in?” — those are worth replacing. That kind of information is often findable with minimal effort
• The following special characters cannot be used in answers: ! ^ [ ] | " < >

Freezing Your Account

If you think your login credentials have been compromised, you can place a Customer Hold on your account right away. The option lives in your Account Info within your primary account. Once activated, all transactions — on your primary account and any linked accounts — are frozen completely.

Removing the hold isn’t something you can do yourself through the website. You’ll need to contact the Bureau of the Fiscal Service’s Risk Management Group directly to get it lifted.

Monitoring Login Activity

Every time you log in, a timestamp near the top of the page shows the last time your account was accessed. It only takes a second to check, and it’s a simple habit worth building. If the date or time looks off, call TreasuryDirect support at 844-284-2676. If you have any reason to think someone got into your account without your knowledge, placing a Customer Hold (covered above) is the right move while you sort it out.

Other Protections Already in Place

A few more safeguards work in the background without any setup required:

• Masked data — sensitive details are hidden by default on various pages, so routine browsing doesn’t expose them
• Mid-transaction verification — certain transactions will prompt you to answer one of your security questions before completing, adding a check at the moments that matter most
• Paper forms for some transfers — select security-related transfers can’t be done online at all and require a signed, certified paper form to be submitted. There’s no digital workaround.