Bank of America (BofA) security refers to the collection of tools, guarantees, and authentication features the bank uses to protect your accounts from unauthorized access and fraud. This includes everything from biometric login and passkeys to card locking, real-time alerts, and a zero-liability guarantee for unauthorized online transactions. Here’s how each layer works and what you can actually control.
How BofA Verifies Your Identity
Bank of America uses a layered approach to confirm you are who you say you are before granting access to your accounts. The simplest layer is your username and password, but the bank offers several stronger options on top of that.
Passkeys let you log in using your face or fingerprint on a device you’ve already verified, such as your phone, tablet, or computer. A passkey replaces the need to type in a one-time code every time the bank needs extra verification. Passkeys sync through password managers on Apple, Google, and Windows devices, so if you lose your phone, you can create a backup passkey on another device.
USB security keys are physical devices (typically $18 to $50 at online retailers) that plug into your computer’s USB port. They follow the FIDO2 standard, an industry protocol for hardware-based authentication. Once set up, a USB key acts as an extra verification step when you log in or add a new transfer recipient. You can save up to two keys on your account. Keys that go unused for six months get removed automatically, and all keys must be renewed every three years.
One-time authorization codes are sent via text message to a U.S. mobile number for certain high-value transfers and wire payments. If you’re sending money above your normal daily limit, the bank requires this “Secured Transfer” step along with confirmation through your debit card. International phone numbers aren’t currently supported for these codes.
The Zero-Liability Guarantee
Bank of America’s Consumer Online and Mobile Banking Guarantee states that you are not liable for unauthorized transfers or bill payments made through online or mobile banking, as long as you report the activity promptly. If someone gains access to your account and initiates a transfer you didn’t authorize, the bank covers it.
The guarantee also covers processing errors on the bank’s end. If Bank of America fails to send a bill payment with the correct payee, amount, or date you specified, the bank will reimburse any late-payment fees you incur as a result.
There are two notable exclusions. The guarantee does not apply to mobile check deposits, meaning if someone deposits a fraudulent check through your account, the standard guarantee won’t automatically cover it. It also doesn’t apply to small business accounts, which operate under separate terms.
Card Locking From Your Phone
If you misplace your debit card or suspect it’s been compromised, you can lock it instantly through the Bank of America mobile app or online banking. Locking freezes the physical card so new in-store or ATM transactions won’t go through. To unlock it, you follow the same steps and tap “Unlock.”
One important detail: locking your physical debit card does not lock your virtual card or any version of your card stored in a digital wallet like Apple Pay or Google Pay. Each card type has to be locked individually. If you think your account information has been stolen rather than just a physical card, locking alone isn’t enough. You still need to report the card as lost or stolen so the bank can issue a new card number.
Alerts and Monitoring
Bank of America lets you set up custom alerts for account activity. You can configure notifications for purchases above a certain dollar amount, balance thresholds, international transactions, or any card-not-present transaction (online purchases where the physical card isn’t swiped). These alerts come through the mobile app, email, or text, depending on your preferences.
Real-time alerts are one of the most practical tools available because they shrink the window between an unauthorized transaction and your awareness of it. Since the zero-liability guarantee requires prompt reporting, catching suspicious activity quickly strengthens your claim.
What You Can Do Right Now
If you have a Bank of America account, most of these features are available but not turned on by default. Setting up passkeys takes a few minutes in the app or on the website. Enabling alerts is available under account management settings. Card lock is accessible by selecting a debit card in the mobile app and tapping “Lock.”
For the strongest protection, pair passkeys or a USB security key with transaction alerts and the card lock feature. Passkeys and security keys are significantly harder for attackers to defeat than text-message codes, because they rely on a physical device in your possession rather than an SMS that can be intercepted through SIM-swapping schemes. If you travel frequently or don’t have reliable access to a U.S. phone number, a USB security key is the better choice over SMS-based verification.