Protect your TSP account
Protecting your TSP account is our top priority, and it’s a responsibility that we share with you as a TSP participant. While we create a secure connection to tsp.gov and give you control over your account settings, we strongly encourage you to take steps to protect your data when you’re online.
You can learn more about how to protect yourself on the internet, how to recognize scams that attempt to steal your information, and more about online security from the Federal Trade Commission.
If you’re concerned that your personal information or TSP account has been compromised, contact us immediately.
Learn to identify real TSP communications
How we contact you
By mail— We will most often contact you by mail, so you should make sure we have your correct mailing address. Read any TSP mail promptly and carefully. Take caution if you receive an account notice you weren’t expecting or a letter that asks you to “verify your account number” or other account information. Notify us immediately if you receive a letter that seems suspicious.
By email— We may send you an email to confirm a transaction that you completed or a change you made to your account information. We also periodically send educational outreach emails such as the Thrift Savings Planner newsletter to the email address you provide in your My Account profile settings.
We will never include your sensitive information in an email, and we will never ask you to send us sensitive information by email.
By phone— A TSP Participant Service Representative or an official from the Federal Retirement Thrift Investment Board may call you on the telephone in response to communication that you initiated by completing a transaction or by contacting us.
We will not contact you about investment opportunities or authorize third parties to provide counseling or services related to your investment choices. We do not assign the terms “TSP Advisor” or “TSP Counselor” to any individual or group.
If you’re not sure whether correspondence or phone calls claiming to be from the TSP are authentic, do not provide any personal or financial information. Contact us directly if you have questions or if you need to report suspicious activity.
What you should do to help prevent fraud
Steps you should take to protect your TSP account include:
- Check for a secure website connection— Before you submit data or attempt to log in to your account on tsp.gov, make sure you’re on the right website. In your browser’s address bar, look for a lock icon, a green bar, or “https://” at the beginning of the URL for tsp.gov.
- Protect your user ID, password, and PIN— Create a user ID and secure password that are unique to your TSP account, and don’t share them with anyone. Your user ID, password, and PIN are your business, and no one at the TSP will ever need to know that information for any reason. If your browser offers autocomplete, disable it so it doesn’t store your My Account login credentials.
- Validate your phone number and email— Keep your phone number and email address(es) up to date and validate them in your My Account profile settings. You must validate your phone number in order to use two-step authentication and log in securely to My Account.
- Keep your mailing address up to date— Make sure we have your correct mailing address to ensure that your TSP information and transaction confirmations don’t go to the wrong place.
- Close your browser after you log out— When you’re finished accessing your TSP account, clear your browser’s memory of your sensitive account information by closing the browser window.
Block access to your account— You have the option to block all online access, ThriftLine access, or both to your TSP account. Make this request online through your My Account profile settings, by calling the ThriftLine and speaking to a Participant Service Representative, or by submitting a written request.
Your written request must include your name, account number (or Social Security number), date of birth, signature, and the date you signed the letter.
Access to your account will remain blocked until you submit a written request to remove the block.
How we protect your TSP account
Account security features we give you include:
Secure website connection— We keep security certificates up to date for tsp.gov to ensure that your connection to our website is private. Our site uses encryption to protect your information as it travels between your computer and our server.
Secure login credentials— You can only gain access to My Account on tsp.gov with your user ID and web password, which only you should know. Two-step authentication gives you an additional layer of security by requiring a one-time code sent to your validated phone number by text message or automated phone call.
Temporary account lockout— To discourage unauthorized users from attempting to gain access to your account, our system will suspend login access for one hour after it detects three unsuccessful login attempts.
Automatic My Account logout— If you’re logged in to My Account and our system detects 10 minutes of inactivity, it will automatically end the session and log you out to prevent unwanted access to your account information.
Transaction confirmations by mail— When you make changes to your account, we’ll mail you a confirmation notice. If you receive confirmation of an action on your account that you did not request, contact us immediately.
Be cautious with software and mobile applications
You may encounter software or mobile applications that reference the Thrift Savings Plan and prompt you for your TSP account credentials. The TSP does not support these applications. We cannot endorse any information or advice you may receive from third-party software or applications. Providing your TSP account credentials to third-party software or applications may jeopardize your account security.
Two-step authentication helps prevent fraud
All TSP participants must use two-step authentication to log in to My Account. Two-step authentication helps you protect your account against fraud by prompting you for a one-time code each time you log in. This login process is more secure because it means that online access to your account requires something you know (your user ID and password) and something you have (a one-time code that you receive by phone). Someone who tries to log in to your account fraudulently won’t be able to gain access without the code.
Tips for using two-step authentication
Validate a personal phone number.
It’s important to use a phone number that will stay with you through career transitions.
Make sure your contact methods are secure.
Your account is only as secure as your login credentials and contact methods. Make sure you enable any additional security features, such as passcodes and two-step authentication, on your devices and for all online accounts.