Protect your TSP account
Protecting your TSP account is our top priority, and it’s a responsibility that we share with you as a TSP participant. While we create a secure connection to tsp.gov and give you control over your account settings, we strongly encourage you to take steps to protect your data when you’re online.
You can learn more about how to protect yourself on the internet, how to recognize scams that attempt to steal your information, and more about online security from the Federal Trade Commission.
If you’re concerned that your personal information or TSP account has been compromised, contact us immediately.
Learn to identify real TSP communications
How we contact you
By mail— We will most often contact you by mail, so you should make sure we have your correct mailing address. Read any TSP mail promptly and carefully. Take caution if you receive an account notice you weren’t expecting or a letter that asks you to “verify your account number” or other account information. Notify us immediately if you receive a letter that seems suspicious.
By email— We may send you an email to confirm a transaction that you completed or a change you made to your account information. We also periodically send informational emails such as the Thrift Savings Planner newsletter to the email address you provide in your My Account profile settings.
We will never include your sensitive information in an email, and we will never ask you to send us sensitive information by email.
- By phone— A TSP Participant Service Representative or an official from the Federal Retirement Thrift Investment Board may call you on the telephone in response to communication that you initiated by completing a transaction or by contacting us.
We will not contact you about investment opportunities or authorize third parties to provide counseling or services related to your investment choices. We do not assign the terms “TSP Advisor” or “TSP Counselor” to any individual or group.
If you’re not sure whether correspondence or phone calls claiming to be from the TSP are authentic, do not provide any personal or financial information. Contact us directly if you have questions or if you need to report suspicious activity.
What you should do to help prevent fraud
Steps you should take to protect your TSP account include:
- Check for a secure website connection— Before you submit data or attempt to log in to your account on tsp.gov, make sure you’re on the right website. In your browser’s address bar, look for a lock icon, a green bar, or “https://” at the beginning of the URL for tsp.gov.
- Protect your password and PIN— Create a password that’s unique to your TSP account, and don’t share it with anyone. Your password and PIN are your business, and no one at the TSP will ever need to know that information for any reason. If your browser offers autocomplete, disable it so it doesn’t store your My Account login credentials.
- Validate your contact information— Keep your email address(es) and phone number up to date and validate them in your My Account profile settings. You must validate your contact information in order to use two-step authentication to log in securely.
You also need to make sure we have your correct mailing address to ensure that your TSP information and transaction confirmations don’t go to the wrong place.
- Close your browser after you log out— When you’re finished accessing your TSP account, clear your browser’s memory of your sensitive account information by closing the browser window.
- Block access to your account— You have the option to block all online access, ThriftLine access, or both to your TSP account. Make this request online through your My Account profile settings, by calling the ThriftLine and speaking to a Participant Service Representative, or by submitting a written request.
Your written request must include your name, account number (or Social Security number), date of birth, signature, and the date you signed the letter.
Access to your account will remain blocked until you submit a written request to remove the block.
How we protect your TSP account
Account security features we give you include:
Secure website connection— We keep security certificates up to date for tsp.gov to ensure that your connection to our website is private. Our site uses encryption to protect your information as it travels between your computer and our server.
Secure login credentials— You can only gain access to My Account on tsp.gov with an account number or customized user ID that is unique to you. Your password is something only you should know. Two-step authentication gives you an additional layer of security by requiring a one-time code sent to your phone or email each time you log in.
Temporary account lockout— To discourage unauthorized users from attempting to gain access to your account, our system will suspend login access for one hour after it detects three unsuccessful attempts.
Automatic My Account logout— If you’re logged in to My Account and our system detects 10 minutes of inactivity, it will automatically end the session and log you out to prevent unwanted access to your account information.
Transaction confirmations by mail— When you make changes to your account, we’ll mail you a confirmation notice. If you receive confirmation of an action on your account that you did not request, contact us immediately.
Be cautious with software and mobile applications
You may encounter software or mobile applications that reference the Thrift Savings Plan and prompt you for your TSP account credentials. The TSP does not support these applications. We cannot endorse any information or advice you may receive from third-party software or applications. Providing your TSP account credentials to third-party software or applications may jeopardize your account security.
Add Extra Security to Your Account
After you log in to your TSP account for the first time, you can go to your profile settings to validate an email address and cell phone. Then you will be led through the steps necessary to enable two-step authentication.
Two-step authentication helps you protect your account against fraud by prompting you for a one-time verification code each time you log in. This login process is more secure because it means that online access to your account requires something you know (your account number or user ID and password) and something you have (a one-time verification code you receive in your email or on your phone). Someone who tries to log in to your account fraudulently won’t be able to gain access without the code.