At Citibank, we are committed to making Citibank Online a secure banking environment for you. Additional authentication is required for designated online transactions where a higher level of security is needed.
A built-in security token, Citi Mobile® Token, replacing other methods like physical Security Device or One-Time Password (OTP) via SMS, lets you generate an OTP for authenticating designated transactions via Citi Mobile® App anytime, anywhere.
SecureProtected by a 6-digit Unlock Code chosen by you, and restricted to one mobile device of your choice.
InstantDirect generation of an OTP, without the need to wait for a SMS anymore.
ConvenientGenerate an OTP anytime without a physical Security Device or network connection.
Examples of transactions requiring OTP
- Payments & Transfers
- Enroll/View e-Statement
- Stock Trading
Enable Citi Mobile® Token in 3 easy steps
Physical Security Device
Please note that we no longer accept any new Security Device request.
Effective from January 1, 2018*, we will no longer accept the use of physical Security Device to authenticate online & mobile banking transactions.
For customers who are holding physical Security Device, we recommend you to download Citi Mobile® App and enable Citi Mobile® Token before January 1, 2018.
To activate your physical Security Device, please log on to Citibank Online, select "My Profile" > "Security Device Activation" .
*Only applicable to customers whose correspondence address is in Hong Kong
When you access transactions at Citibank Online that require a One-Time Password (OTP), you will be prompted with a screen. Select your preferred way (one of the following) to generate an OTP. Simply enter the OTP you have generated and click "Continue".
Citi Mobile® Token : Simply open the Citi Mobile® App and follow below steps
Physical Security Device : Press the green button on the device
Transaction Signing is a more sophisticated authentication process for designated online transactions that require stronger protection. During the process, you will enter a Challenge Code, which will be displayed on Citibank Online when you perform the transaction, into the device to generate a Transaction Authorization Code (TAC) to authorize the transaction.
Transaction Signing will be required when a banking customer adds a New Payee (Local Payee or Overseas Payee). This is not applicable to customers who only hold credit card with us.
You can generate the TAC via the following methods:
Citi Mobile® Token : Simply open the Citi Mobile® App and follow few simple steps
Physical Security Device : Click here to view the steps
One-Time Password (OTP)
Second-level authentication is required for certain online transactions. You will be asked to input OTP when performing these transactions. The OTP can be generated by the Citi Mobile® Token or a Security Device, OR can be received from your registered mobile number via SMS.
Transaction Signing is a more sophisticated authentication process for designated online transactions that require stronger protection. You will need to perform transaction signing using the Citi Mobile® Token or a Security Device in order to add a new payee (local payee or overseas payee).
This is for your added security protection. The One-Time Password and Transaction Signing serve as additional information on top of Card Number and PIN for authentication.
Your Citibank Online User ID and Password remains unchanged. You do not need a One-Time Password to login to Citibank Online.
One-Time Password applies to both session level (require once per logon session) and transaction level (require for certain transaction in the same logon session). Online transactions that require a One-Time Password are those that require a higher level of security. Examples of transactions requiring second-level authentication:
- • Payments and transfers
- • Enroll/view e-Statements
No, you only need to perform transaction signing for Adding a New Payee (Local Payee or Overseas Payee).
You will need to perform transaction signing using a Citi Mobile® Token or Security Device in order to add a new payee (local payee or overseas payee). During the process of transaction signing, you will enter a Challenge Code, which will be displayed on Citibank Online when you perform the transaction, into the Citi Mobile® Token or the Security Device to generate a Transaction Authorization Code (TAC) to authorize the transaction.
Credit card only clients will have the option to add a new Merchant payee using the authentication process of Online Authorization Code (OAC) sent to your registered mobile number via SMS. Hence it is not necessary to request for a Security Device.
Citi Mobile® Token
Citi Mobile® Token is a new feature within the Citi Mobile® App to generate a unique, One-Time Password (OTP) in order to authenticate online and mobile transactions. It is an alternative to other authentication methods such as a physical Security Device, or OTP via SMS, yet is more secure, instant and convenient. The Citi Mobile® Token can only be activated with the Citi Mobile® App on ONE mobile device at a time which provides you with an additional level of security.
The benefits of the Citi Mobile® Token are:
Secure - Protected by a 6-digit Passcode chosen by you, and restricted to one mobile device of your choice.
Instant - Direct generation of OTP, without the need to wait for an SMS anymore.
Convenient - Generate an OTP anytime without a physical Security Device or network connection.
For designated online/ mobile transactions which require additional authentication for a higher level of security, you can use the Citi Mobile® Token to generate OTP/ Transaction Authorization Code (TAC) to perform the authentication. Examples of transactions requiring OTP: Payment & Transfers, Enroll/ View eStatement or eAdvice, Stock Trading, Email Address Update. Examples of transaction requiring TAC: Add a New Payee.
No, Citi Mobile® Token is a feature within Citi Mobile® App. Thus, you will not be able to use the Citi Mobile® Token without the Citi Mobile® App.
Currently Citi Mobile App is available in the following 16 markets: Hong Kong, China, India, Indonesia, Japan, Korea, Malaysia, Philippines, Singapore, Thailand, Taiwan, Vietnam, Australia, United Arab Emirates, United Kingdom and USA. You can get our app in Apple App store or Google Play store in these markets by searching “Citibank HK”. If you are not able to download Citi Mobile App from the Apple App store or Google Play store , please call CitiPhone Hotline +852 2860 0333.
Yes, Citi Mobile® Token does not require any internet connection to generate an OTP.
You can simply follow a few simple steps to activate Citi Mobile® Token
You can simply open the Citi Mobile® App and follow a few simple steps to generate an OTP.
You can simply log in the Citi Mobile® App and follow a few simple steps to authenticate transactions with the Citi Mobile® Token.
The steps are similar to generating a TAC with the physical Security Device. You can simply log in the Citi Mobile® App and follow a few simple steps to generate a TAC with the Citi Mobile® Token.
Your unique 6-digit Citi Mobile® Token Unlock Code ensures that only you have access to the Citi Mobile® Token activated device and can generate an OTP and / or TAC. For security reasons and to protect your interests, you should not share your Unlock Code with anyone. You can change your Unlock Code in the Settings of Citi Mobile® App when necessary.
You can reset the Unlock Code by signing on the Citi Mobile® App and entering an OTP SMS sent to your registered mobile phone number. Simply follow the “Forgot Unlock Code” on the Citi Mobile® Token page to reset it.
Your OTP authentication may be unsuccessful because you have entered an incorrect Citi Mobile® Token Passcode. Please try again with a correct Passcode. If you have entered an incorrect Passcode for more than a number of times in a row, you will no longer be able to log in to your Citibank Online and the Citi Mobile® App for security reasons. Please call CitiPhone at (852) 2860 0333 to release your account.
For security reasons, your Citi Mobile® Token can only be activated on ONE mobile device at a time. If you would like to change the mobile device on which your Citi Mobile® Token is activated, simply complete the activation process on the mobile device you would like to change to. Once the activation is completed, the Citi Mobile® Token on the previous device will be automatically deactivated immediately.
For security reasons, your Citi Mobile® Token can only be activated on ONE mobile device at a time. We strongly recommend you register the Citi Mobile® Token on your personal device that you commonly use.
There are 3 ways to deactivate your Citi Mobile® Token:
1. Log in to your Citibank Online and go to Services → My Profile → Deactivate Citi Mobile® Token
2. Enable the Citi Mobile® Token on another mobile device. The Citi Mobile® Token on the previous mobile device will automatically be deactivated instantly.
3. Call CitiPhone at (852) 2860 0333 to deactivate your Citi Mobile® Token.
Simply activate the Citi Mobile® Token on your new mobile device; the Citi Mobile® Token will be automatically deactivated on the previous device.
You should deactivate the Citi Mobile® Token immediately by the methods mentioned in Q22.
For the time being, you can still use your physical Security Device or get an OTP via SMS. However, Citi Mobile® Token offers you a more secure, instant and convenient way to authenticate online and mobile transactions. Generating an OTP with the physical Security Device will no longer be available after December 31, 2017.
Once you have activated the Citi Mobile® Token, it becomes your primary mode of authentication for all transactions made through the Citi Mobile® App. Simply input your 6-digit Citi Mobile Token Passcode and your transaction will be automatically authenticated.
Your Security Device is a personalized device that randomly generates a 6-digit One-Time Password that works with your account only when a higher level of security is required. Starting from July 26, 2015, the Security Device will support Transaction Signing to enhance online banking security.
Please activate your Security Device at Citibank Online before use. Logon to Citibank Online, select "My Profile" > "Security Device Activation"
No. The Security Device is free of charge.
If you lose or damage your Security Device, please call 24-hour CitiPhone Banking (852) 2860 0333 to request a replacement.
The Security Device sent to you has been assigned to your profile, and you will have to activate it in Citibank Online before use. This will prevent others from using your Security Device during delivery.
|Keep your Security Device in a safe and secured place at all times.||Allow anyone to use or obtain your Security Device.|
|Store your Security Device in a dry and cool environment, away from water or extremely high temperatures.||Leave your Security Device unattended or exposed with the One-Time Password displayed on the screen.|
|Personalize your Security Device so that it is recognizable by you.||Reveal your Security Device serial number or One-Time Password to anyone.|
|Contact us on 24-hour CitiPhone Banking (852) 2860 0333 immediately if you lose or damage your Security Device.||Drop your Security Device from great heights, step on it, or attempt to dismantle it.|
|Inform us when the message "BATT" appears on your Security Device. This indicates that the battery is running low.||Label your Security Device with your name, passport number or any other information that may identify you as the owner of the Security Device.|
One-Time Password (OTP) SMS
Yes, the One-Time Password (OTP) SMS can be sent to both Hong Kong and overseas mobile phone numbers.
Please click here to download an application form to update your mobile number.
After successful update, the OTP will be sent to the new mobile phone number.
Download Citi Mobile® App and enable Citi Mobile® Token today.
Click here to learn more about Citi Mobile®