Multi Factor Authentication (MFA) for TRAQS

Multi Factor Authentication (MFA) enhances the security of accounts by adding an additional layer of security beyond the Username and password. MFA is one of the most effective security controls currently available to protect against remote security hacks. Passwords are increasingly easy to compromise and are often stolen, guessed or hacked. MFA helps the account stay secure even if the password is compromised. The second factor of authentication is separate and independent from a Username and password.

FINRA replaced digital certificates with Multi Factor Authentication (MFA) for access to the TRAQS website for trade reporting in April 2021 and for access to all Reference API data (Manually via TRAQS and Programmatically) in January 2025.

On December 31, 2025, FINRA retired two (2) Multi-Factor Authentication (MFA) options (SMS Authentication and Voice Call Authentication) that firms used to access the TRAQS Website and Reference API data (Manually via TRAQS and Programmatically) and replaced them with two (2) new methods;

  1. Okta Verify Desktop (FastPass using features such as Windows Hello)
  2. Federated Single Sign-On (SSO)

Users of the TRAQS website and Reference API data (Manually via TRAQS and Programmatically) must enroll in one or more additional authentication methods. The available authentication methods include:

  • Okta Verify (Mobile and Desktop (FastPass using features such as Windows Hello))
  • Google Authenticator
  • Federated Single Sign-On (SSO)

Instructions for enrolling in an additional factor can be found in the Multi Factor Authentication Enrollment Guide.

Click here for the MFA Enrollment Guide

FINRA recommends enrolling in more than one additional authentication method. Enrolling in more than one authentication method allows redundancy in case your mobile device is unavailable. We suggest using your land line phone number or a phone number that differs from your mobile number to enroll in Voice Call Authentication.

Important Links

NTFMFA Profile: https://mpp-test.nasdaq.com
FINRA TRAQS NTF: https://www-ntf.finratraqs.org
API Download NTF: https://apidownload-ntf.finratraqs.org
ProductionMFA Profile: https://mpp.nasdaq.com
FINRA TRAQS Production: https://finratraqs.org
API Download Production: https://apidownload.finratraqs.org

Contacts

Having Trouble Enrolling in MFA?
Questions about your account access?
Need the MFA Enrollment Email?		FINRA Market Operations
1-866-776-0800
[email protected] 
Have Questions about the API download process?FINRA Client and System Management
[email protected] 
Lost Access to your MFA enrolled Device?
Want to enroll in Federated Single Sign-On (SSO)?		NASDAQ Tech Support
212-231-5180

Common Questions About Enrolling in MFA

The following frequently asked questions provide information about using MFA for accessing the TRAQS website via the web or API.

Why is FINRA implementing Multi Factor Authentication (MFA) for TRAQS?

Passwords are increasingly easy to compromise. Passwords can often be stolen, guessed, or hacked; often without the user knowing. MFA adds a second layer of security by helping the account stay secure even if the password is compromised. 

Is enrollment in MFA mandatory?

Yes, users are required to enroll in MFA to access the FINRA TRAQS website for trade reporting and API access. Any user that attempts to login to the TRAQS website without enrolling in MFA will be prompted to enroll in MFA.

It is recommended that users enroll in more than one authentication method if not using Federated SSO.

Can a user have MFA and Federated SSO?

No, user accounts can be set to either authenticate via Federated SSO or locally through Okta.

Want to enroll in Federated SSO?

Review the Federated Single Sign-On (SSO) section in the MFA Enrollment Guide and Contact NASDAQ tech support at 212-231-5180 option 4.

Having issues with Federated SSO?

Please contact your firms Identity and Access Management team.

Having issues Downloading Okta Verify Desktop Application?

Please contact your firms Desktop Support.

Unable to enroll in Okta Verify Desktop, getting “The sign-in URL is not secure”?

Please see the solution in the following link.

Having issues setting up Windows Hello?

Please contact your firms Desktop Support. Windows support documentation can be found here.

My SAA requested a new TRAQS Username for me, I have not received an enrollment email. How do I get a new email?

If you need a new enrollment email, please contact [email protected] or 1-866-776-0800 option 2.

Does the enrollment email expire? 

Yes. Users have 30 days from the date the email was sent to take action to set up the Okta account for TRAQS access Username (email address).  If your enrollment email expired, please contact FINRA Operations at 1-866-776-0800 option 2 or [email protected].

What do I do if I lost my mobile device?

It is strongly recommended that you remove the lost device from your MFA settings. Enter the Okta profile screen and remove the authentication method associated with the device. Please see the MFA Enrollment User Guide for instructions.

If your enrolled device is lost and you have not enrolled in any additional methods of authentication using alternative devices, please contact NASDAQ tech support at 212-231-5180. 

Why do I have 2 Profile (Dashboard) accounts?

The NTF (UAT) and production environment for TRAQS are separate. The account 
https://mpp-test.nasdaq.com is associated with NTF (UAT) access. The account https://mpp.nasdaq.com is associated with production access.

How can I edit my personal profile data?

Your profile data can be edited at any time. Please see Section 2: How to edit the User Profile of the MFA Enrollment User Guide for instructions. Please note, the personal information section of the user profile cannot be edited.  Please have your SAA contact FINRA Operations at 1-866-776-0800 option 2 or [email protected] to update this data.

How can I add a new Security Method?

Please see Section 2: How to Add a Security Method(s) of the MFA Enrollment User Guide for instructions.

How can I remove a Security Method?

Please see Section 2: How to Remove a Security Method(s) of the MFA Enrollment User Guide for instructions.

Can I set up a push notification when using Okta Verify?

Yes, users can select the “send push automatically” at any time after enrolling in Okta verify.  Be sure to turn on notifications on your device. Your device will receive a notification asking to approve the login.  Once you select approve you will be directed to the TRAQS website as normal.

Why did I receive two MFA enrollment emails from Okta?

You received two enrollment emails because you are set up to access TRAQS in both the production and test environment. Although your Username may be the same for both environments, they require two separate enrollments. Please review the MFA user guide for further guidance.

I have forgotten my password or entered my authentication method inaccurately a few times and locked my account. How can I unlock it?

Your account will automatically unlock after 15 minutes. There are two ways to unlock your account.

  1.  You will receive an email notifying you that your account is locked. Follow the instructions in the email to unlock your account.
  2. Click the “Forgot password” OR “Unlock account” link at the bottom of the TRAQS Sign In screen.  Enter your email address in the provided box to generate a reset email.  Click on the Reset Password -OR- Unlock Account link in the email within the 8-hour expiration and answer your forgotten password questions. 

If you do not know the answers to any of your forgotten password options, need assistance with unlocking your account or any other password issues, you may call NASDAQ tech support at 212-231-5180 option 4.

What is the Okta Dashboard (profile link) to the test environment?

Users can enroll, edit their profile and log into TRAQS in the test environment using the following link https://mpp-test.nasdaq.com

What is the Okta Dashboard (profile link) to the production environment?

Users can enroll, edit their profile and log into TRAQS in the production environment using the following link https://mpp.nasdaq.com

I am an API user and would like to Manually access the API. How do I access the files? 

Users can access the API files by logging into TRAQS, selecting Manual under the API menu.  Please see the User guide for the specific facility for more information. 

I am an API user and want to access the API in an Automated fashion. How do I access the files?

Users can access the API files by logging into TRAQS to get a Refresh Token to use in your code.  The Refresh Token is located in the Programmatic window under the API menu.  Please see the API user guide for the specific facility for more information.

How long do Refresh Tokens and Access Tokens for Programmatic API downloads remain valid?

A Refresh Token remains valid for 6 months from the date of issue.  The account owner will receive an email 15 days prior reminding the user of expiration. Users must login to TRAQS and confirm their identity using their second authentication method to obtain a new Refresh Token per the instructions in Section 5 of the MFA enrollment guide.

The Access Token expires every sixty (60) minutes. Systems will need to be programmed to detect an expired Access Token and request a new one programmatically after expiration.

If you are having issues logging into the TRAQS website, please contact FINRA Operations at 1-866-776-0800.

Can I automate the process to get a Refresh Token?

No, Every 6 months the user must login to TRAQS, confirm their identity using their second authentication method to obtain a new Refresh Token

What if the Refresh Token is expiring and the primary account owner is unavailable and cannot obtain a new Refresh Token?

FINRA recommends that multiple users at your firm have API access for resilience.  In this instance another user with API access can login to TRAQS, confirm their identity using their second authentication method to obtain a new Refresh Token.

Can I have more than 1 Access Token at a time for the Programmatic API download?

Yes. You can download the file from more than one machine as long as the Refresh Token and Access Token are still valid.

400 Error

If you receive a 400 Error = 400 (400 = Bad request). The API request is most likely incomplete. Please follow the details outlined in the relevant API Specification in the Requesting an Access Token section to ensure the request includes all necessary data.

What is the new test environment URL to Access the API Download Programmatically?

The new URL is https://apidownload-ntf.finratraqs.org.

What is the new production environment URL to Access the API Download Programmatically?

The new URL is https://apidownload.finratraqs.org.

403/404 Errors

If you receive a 403 App not assigned or 404 Page not Found error contact NASDAQ tech support at 212-231-5180 option 4.

Report Suspicious Activity

To report unrecognized activity from an account activity email notification. Contact FINRA Operations at 1-866-776-0800 option 2 or [email protected].

Okta Account Token Expiration Error

If your Account Activation Token is no longer valid. Contact FINRA Operations at 1-866-776-0800 option 2 or [email protected].

Need Help?

If you need assistance using Multi Factor Authentication for TRAQS, contact the FINRA Market Operations at 1-866-776-0800 option 2.