Is Temu safe? Why its single-layer security should be a red flag to shoppers

Temu doesn't support two-factor authentication. Here's why that matters.
Written by David Gewirtz, Senior Contributing Editor
Temu on phone
Nikos Pekiaridis/NurPhoto via Getty Images

Update: Shortly after publication of of this article, Temu updated their site to add two factor authentication. You can find the feature under the Orders & Account menu, by choosing the Account Security option.

Given the high quantity of breach activity worldwide, the username and password mechanism for authentication is effectively worthless.

Many breaches ZDNET has documented over the years have involved the loss of personally identifiable information, and login credentials. While some passwords are encrypted at the server, some online operators still store passwords in free text. This is obviously not a best practice, but we are all too keenly aware that not all businesses practice best practices.

Also: Is Temu legit? What to know before you place an order

Other online operations do encrypt login credentials, but the encryption is still insecure. In other cases, retailers follow excellent security practices when it comes to encrypting their user data, but breaches conducted by government-sponsored hacking operations have the resources to break even excellent security.

That's where multifactor comes in. By requiring a second factor of authentication, what security experts call "something you own, versus something you know," thieves are generally unable to access accounts even if they have both the username and the password. There have certainly been unfortunate workarounds to these protections, but they are still substantially less likely to result in credential theft in the case of username and password breaches.

Also: Temu vs. Amazon: Which shopping site is best for your buying needs?

That's why if a thief gets your username and password, but does not have the authentication program running on your personal phone, they can still be blocked from gaining access to whatever online service they're attempting to break into.

In today's world, it is unconscionable for any online retailer to not have multifactor authentication available for their customers.

The Temu situation

And yet, that's where we find Temu. Much to my surprise, Temu does not offer any authentication technology beyond username and password.

Also: Stop using weak passwords for streaming services - it's riskier than you think

I have not found much discussion about Temu's security practices on its site, beyond a bunch of logos at the bottom of its page.

Screenshot by David Gewirtz/ZDNET

I did get an email with this set of claims about its security practices, and how much Temu cares for your personal information, but the fundamental fact is it does not offer a second factor of authentication.

Screenshot by David Gewirtz/ZDNET

I found this out when I tried to secure my own account. I checked all the obvious places, but was unable to find any indication of either an authentication device or SMS-based authentication.

Also: The 70+ best early Black Friday deals: Live updates

I eventually reached out through the chat interface. I first simply asked how to set up 2FA (two-factor authentication) for my account. I was told there is no option for that.

Because I used the acronym for two-factor authentication in my request, I re-asked the question with more clarity to confirm that, in fact, there was no two-factor authentication feature available. As you can see from the chat below, the agent confirmed that Temu does not offer second-factor authentication.

Screenshot by David Gewirtz/ZDNET

At this point, you need to make a choice about whether or not you want to use Temu. Do you use it with the awareness that, should there be a breach, there is no second factor to prevent access? Or do you stop using Temu until it remedies this problem?

Also: What are passkeys? Experience the life-changing magic of going passwordless

Should you wish to continue to use Temu, I recommend you take the following precautions. First, consider using a one time use credit card like a privacy.com card. Second, check your credit cards on a weekly basis as I recommended in this article. That way, should there be spurious charges, you will know right away and you'll be able to take measures to fix it.

So, given this news, will you buy from Temu? Let us know in the comments below.

You can follow my day-to-day project updates on social media. Be sure to subscribe to my weekly update newsletter on Substack, and follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

Editorial standards