Security Setup

Secure Login System and Session Management

Understanding our advanced login security features and how to protect your account access

WG Security Team

Your account login is the gateway to your trading portfolio and financial assets. Our secure login system implements multiple layers of protection to ensure that only you can access your account, while our session management keeps you safe throughout your trading activities.

Advanced Login Security Features

Our login system goes far beyond simple username and password protection, incorporating sophisticated security measures to protect your account.

Strong Password Requirements

We enforce strict password requirements to ensure your first line of defense is robust. Your password must be at least 12 characters long and include a combination of uppercase letters, lowercase letters, numbers, and special characters. We also check passwords against databases of commonly used and previously compromised passwords, preventing you from using passwords that are known to be vulnerable.

Our system uses advanced password strength meters that evaluate not just the complexity but also the predictability of your password. We prevent the use of personal information like your name, email address, or birthday in passwords. We also require password changes if we detect that your password may have been exposed in third-party data breaches.
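The checks described above can be sketched as follows. This is an added illustration, not WG's production code; the compromised-password set and the sample user details are constructed, and the function names are hypothetical.

```python
import re
from datetime import date

# Constructed stand-in for a database of common or breached passwords.
KNOWN_COMPROMISED = {"Password1234!", "Qwerty!2345678", "Summer2024!!!!"}

CLASSES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}

def personal_tokens(name, email, birthday):
    """Lower-cased fragments of personal data that must not appear in a password."""
    tokens = set(re.split(r"\W+", name.lower()))
    tokens.add(email.split("@", 1)[0].lower())
    # Common ways a birthday is typed into a password.
    for fmt in ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y"):
        tokens.add(birthday.strftime(fmt))
    return {t for t in tokens if len(t) >= 3}  # ignore fragments too short to matter

def check_password(password, name, email, birthday):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    for label, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append("missing " + label)
    if password in KNOWN_COMPROMISED:
        problems.append("known compromised password")
    lowered = password.lower()
    if any(t in lowered for t in personal_tokens(name, email, birthday)):
        problems.append("contains personal information")
    return problems
```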

Adaptive Authentication

Our system uses intelligent risk assessment to adapt security requirements based on various factors. When you log in from a recognized device and location, the process is smooth and quick. However, if we detect unusual activity - such as a login from a new country, an unrecognized device, or at an unusual time - we automatically require additional verification.

This adaptive approach means that potential attackers face increased security challenges, while your regular login experience remains convenient. The system learns your patterns over time, becoming more accurate at distinguishing between legitimate and suspicious login attempts.

Biometric Authentication Options

For supported devices, we offer biometric authentication as an additional or alternative login method. This includes fingerprint recognition on mobile devices and facial recognition on compatible systems. Biometric data provides a unique identifier that's extremely difficult to replicate or steal.

Your biometric data is never stored on our servers. Instead, it's securely stored on your device's secure element, and we only receive confirmation that the biometric match was successful. This approach ensures your biometric information remains private while providing enhanced security.

Secure Session Management

Once you're logged in, our session management system continues to protect your account throughout your trading activities.

Encrypted Session Tokens

When you successfully log in, our system generates a unique, encrypted session token that identifies your session. This token is cryptographically signed and includes tamper detection, meaning any attempt to modify it will immediately invalidate the session. The token is transmitted securely and stored using httpOnly cookies, preventing access by potentially malicious JavaScript code.

Session tokens are bound to your specific device and browser fingerprint. If someone tries to use your session token from a different device or browser, the session is immediately terminated, and you're notified of the suspicious activity.
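A signed, fingerprint-bound token of the kind described above can be sketched with HMAC-SHA256. This is an added example, not WG's implementation: the claim names, the 15-minute lifetime and the fingerprint inputs are assumptions, and the encryption layer the article mentions is left out so that only signing, tamper detection and device binding are shown.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: one signing key per deployment

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def fingerprint(user_agent, device_id):
    """Hypothetical fingerprint: a hash of attributes the client presents."""
    return hashlib.sha256((user_agent + "\n" + device_id).encode()).hexdigest()

def issue_token(user, fp, ttl=900, now=None):
    """Serialize the claims and append an HMAC tag over the exact bytes."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user, "sid": secrets.token_hex(16), "fp": fp, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def verify_token(token, fp, now=None):
    """Return (claims, None) when valid, otherwise (None, reason)."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
        payload, tag = b64d(body), b64d(sig)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None, "tampered"
    claims = json.loads(payload)                 # parsed only after the tag checks out
    if not hmac.compare_digest(claims["fp"].encode(), fp.encode()):
        return None, "fingerprint mismatch"      # token replayed from another device
    if now >= claims["exp"]:
        return None, "expired"
    return claims, None
```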

Intelligent Session Timeout

To protect against unauthorized access if you step away from your device, we implement intelligent session timeout policies. After a period of inactivity, you'll be automatically logged out. The timeout period adjusts based on your recent activity - if you're actively trading, the system extends your session, but if you're idle, it enforces stricter timeouts.

Before your session expires, we provide warnings allowing you to extend your session with a simple click. This prevents the frustration of being logged out in the middle of important activities while maintaining security when you're away from your device.

Concurrent Session Management

We monitor and control concurrent sessions to prevent unauthorized account sharing and detect potential security breaches. You can be logged in from multiple devices simultaneously, but we limit the total number of active sessions and monitor for suspicious patterns.

If we detect unusual concurrent session activity, such as logins from geographically distant locations within a short timeframe, we may require re-authentication on all devices. You can view all active sessions in your security settings and remotely log out any session you don't recognize.

Protection Against Login Attacks

We employ multiple defensive measures to protect your account against various types of login attacks.

Brute Force Attack Prevention

Brute force attacks attempt to guess your password through repeated login attempts. We prevent these attacks through progressive delays and account lockouts. After a few failed login attempts, we introduce increasing delays between attempts. After multiple failures, we temporarily lock the account and notify you via email.

We also implement CAPTCHA challenges after failed login attempts to prevent automated attacks. Our system tracks failed login attempts across all accounts from the same IP address, blocking addresses that show patterns of attacking multiple accounts.
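The progressive delay, temporary lock and per-IP tracking described above, as an added sketch rather than WG's code. The article gives no numbers, so every threshold below is an assumption, and the CAPTCHA step and e-mail notice are left to the caller.

```python
from collections import defaultdict

FREE_ATTEMPTS = 3      # assumed: failures allowed before delays start
LOCK_AFTER = 8         # assumed: failures that trigger a temporary lock
LOCK_SECONDS = 900     # assumed: lock duration
IP_ACCOUNT_LIMIT = 5   # assumed: distinct accounts one IP may fail against

class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(int)     # account -> consecutive failures
        self.blocked_until = {}              # account -> earliest next attempt
        self.ip_targets = defaultdict(set)   # ip -> accounts it has failed against

    def check(self, account, ip, now):
        """Return 'allow', 'wait', 'locked' or 'ip_blocked' for an attempt."""
        if len(self.ip_targets[ip]) >= IP_ACCOUNT_LIMIT:
            return "ip_blocked"              # one address probing many accounts
        if now < self.blocked_until.get(account, 0):
            return "locked" if self.failures[account] >= LOCK_AFTER else "wait"
        return "allow"

    def record_failure(self, account, ip, now):
        """Register a failed login; return seconds until the next attempt is accepted."""
        self.ip_targets[ip].add(account)
        self.failures[account] += 1
        n = self.failures[account]
        if n >= LOCK_AFTER:
            delay = LOCK_SECONDS             # caller also notifies the account owner
        elif n > FREE_ATTEMPTS:
            delay = 2 ** (n - FREE_ATTEMPTS) # 2, 4, 8, ... seconds
        else:
            delay = 0
        self.blocked_until[account] = now + delay
        return delay

    def record_success(self, account):
        """A correct login clears the account's failure history."""
        self.failures.pop(account, None)
        self.blocked_until.pop(account, None)
```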

Anti-Phishing Measures

Phishing attacks try to trick you into entering your login credentials on fake websites. We combat this through several measures. First, we use Extended Validation (EV) SSL certificates that display our company name in your browser, making it easier to verify you're on the legitimate site.

We also implement login seals - personalized images or phrases that appear on the login page only when you're on the genuine site. Additionally, we never ask for your full password via email or phone, and we educate users to recognize and report phishing attempts.

Credential Stuffing Defense

Credential stuffing attacks use passwords stolen from other websites to attempt access to your account. We defend against these by monitoring for login attempts using credentials known to be compromised in data breaches. If we detect such an attempt, we block the login and require you to reset your password.

We also analyze login patterns to identify credential stuffing campaigns and implement additional challenges when we detect suspicious patterns. This includes requiring email verification or CAPTCHA completion even for correct passwords when the login pattern matches known attack signatures.

Secure Account Recovery

We understand that you might occasionally forget your password or lose access to your account. Our recovery process balances security with user convenience.

Password Reset Process

When you request a password reset, we send a unique, time-limited link to your registered email address. This link expires after one hour and can only be used once. The reset page verifies multiple factors including your device fingerprint and location to ensure the request is legitimate.

During the reset process, we may ask security questions or require additional verification if we detect anything unusual. Once you set a new password, we invalidate all existing sessions and notify you of the password change, ensuring you're aware of all account activity.
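The reset-link properties described above (unique, valid for one hour, usable once, all sessions invalidated afterwards), as an added sketch that is not WG's code. The class and method names are hypothetical, storage is an in-memory dictionary, and the device and location checks are omitted.

```python
import hashlib, secrets

RESET_TTL = 3600  # the link expires after one hour

class ResetStore:
    def __init__(self):
        self.pending = {}    # sha256(token) -> (user, expires_at)
        self.sessions = {}   # user -> set of active session ids

    @staticmethod
    def digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user, now):
        """Create the token that goes into the e-mailed link.

        Only its hash is stored, so a leaked table does not yield usable links.
        """
        token = secrets.token_urlsafe(32)
        self.pending[self.digest(token)] = (user, now + RESET_TTL)
        return token

    def complete_reset(self, token, now):
        """Consume a token when the new password is set.

        Returns the user on success and None for an unknown, used or expired
        token. Storing the new password itself is outside this sketch.
        """
        # pop() removes the entry on first use, so a second use finds nothing
        entry = self.pending.pop(self.digest(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            return None
        self.sessions.pop(user, None)   # invalidate all existing sessions
        return user
```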

Identity Verification for Recovery

For high-value accounts or when standard recovery methods aren't available, we offer enhanced identity verification. This may include verifying personal information, answering security questions, or providing documentation. Our support team is trained to verify identity while protecting against social engineering attacks.

We maintain detailed logs of all recovery attempts and successful recoveries. If we detect multiple recovery attempts or other suspicious patterns, we may temporarily restrict recovery options and require direct contact with our security team.

Login Security Best Practices

Following these best practices will help you maximize the security of your account access.

Password Management

Use a unique password for your WG account that you don't use anywhere else. Consider using a reputable password manager to generate and store complex passwords securely. Never write down your password or share it with anyone, including people claiming to be from our support team.

Regularly update your password, especially if you suspect it may have been compromised. Enable login notifications so you're immediately aware of any access to your account. Review your login history regularly and report any unrecognized activity immediately.

Device and Network Security

Always log in from secure, trusted devices. Keep your devices updated with the latest security patches and use antivirus software. Avoid logging in from public computers or unsecured Wi-Fi networks. If you must use public Wi-Fi, use a reputable VPN service to encrypt your connection.

Be cautious of browser extensions and only install those from trusted sources, as malicious extensions can capture your login credentials. Clear your browser cache and cookies regularly, especially if you share your device with others.
