Using Two-Factor Authentication in Cryptocurrency
How a Two-Factor Authentication App Can Help Protect Your Crypto Accounts
If you use any cryptocurrency exchange, you’ll want to use some form of two-factor authentication to secure your account.
The primary reason for this is that in crypto, unlike with say your bank account, there is no fraud protection or recovery process for stolen funds if your accounts get hacked!
Since it is up to you to secure your account, two-factor is a must.
The process of learning about and setting up two-factor can be a little complicated, but the extra layer of security is well worth it. In short, that means you should take a deep breath, set aside some time, and get this done ASAP.
Below we’ll provide a simple walkthrough (to limit the learning curve), and then explain two-factor in depth.
TIP: Two-factor authentication is sometimes abbreviated as 2FA or called two-step verification. I’ll use the terms interchangeably on this page to reinforce the point that they are all the same thing.
Simple Guide to Securing Your Account With Two-Step Verification
The guide below will walk you through setting up two-step verification using Google Authenticator on multiple devices (what we recommend as a setup).
- Download the Google Authenticator app on at least two devices. Here is the Android link https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 and here is the iPhone link https://apps.apple.com/us/app/google-authenticator/id388497605. Putting the app on two devices will ensure you have a backup if you lose your primary device (for example if you lose or break your phone). Make sure each device you use is secured with a password, as if someone gets into the device, they will have access to your codes.
- Using a third device (ideally your desktop or laptop), create a gmail account or log into a gmail account that you want to use to set up two-step authentication. I suggest creating a new gmail account with a unique email and password. The point here is you need a Google account to set up Google Authenticator, and thus you need a gmail account.
- When logged in to your Google account, enable Google’s two-step authentication by going to https://www.google.com/landing/2step/. Enabling two-step will bring up a QR code to scan (if you don’t have a QR scanner on your device, download one, e.g. https://play.google.com/store/apps/details?id=app.qrcode&hl=en_US or https://apps.apple.com/us/app/qr-reader-for-iphone/id368494609). If you want to be extra safe, take a screenshot of this QR code and keep it safe. The QR code is your private key in QR form and can be used to add other devices later on. If you don’t grab the QR now, you’ll never see it again. If you do grab it, keep it very secure. Additionally, grab the backup codes. The backup codes won’t let you add another device, but they will let you recover your account down the road. Make sure to store your backups and screenshots somewhere safe (and ideally offline).
- With the QR code on the screen, bring up the Authenticator app on both of your other devices. On each device, hit the plus button at the top of the screen and scan that QR code. Doing this will produce an authentication token for your Google account on each device. The token will be a string of 6 numbers that changes every 15 seconds. Both devices will show the same token, because that token is derived from your private key (from the QR you scanned), and that QR will always produce the same tokens. You’ll use this string of numbers (this “token”), along with your username and password, to log into your Google account from now on. To move on you’ll have to put the token in, but why not try logging out and logging in again to get the hang of how it works.
- Now turn two-factor on in each account you want to use it on. Basically, you are doing what you just did with Google over and over for each account you want to secure. Each process might be slightly different, but the gist is the same. You go to the security settings of the account (for example Coinbase), you enable two-factor, you scan the QR with both devices (and take a screenshot and save the backup codes if you wish), you input the token to confirm, and then you log back in to double check everything is right.
- If you have to change phones down the road, you basically can just repeat the process (just make sure you don’t delete the old authenticator app or codes, as you’ll need to get into the account to disable and then re-enable two-factor on each account).
And that is all there is to it. Now that the how-to is out of the way, let’s discuss 2FA in-depth.
TIP: Your access tokens only exist in your 2FA app unless you export them to another device or use cloud-based backups. They don’t get sent over the internet by default, you don’t need to be connected to cell service or Wi-Fi to use them, etc. There is no way to get these codes again if you lose them unless you use a backup process! Learn more about “What Happens if I Lose My Device With 2FA on it?”
NOTE: There have been some changes in 2FA over the years. It is now more common to have cloud-based backups. For example, Google Authenticator now offers them but didn’t when we wrote this. So make sure to check if your authenticator uses them.
What is Two-Factor Authentication?
In simple terms, two-factor authentication is a second layer of security that involves a unique code being generated on an app on your phone or other electronic device.
That code, along with your username and password, is used to log into accounts on which you’ve set up two-factor.
This means, on accounts where you have 2FA set up, you’ll need both the 2FA code for that specific account and the username and password to log in!
In short, two-factor authentication means adding another layer of security to your account (which is super important in the world of cryptocurrency).
Why is Two-Factor Secure?
The reason 2FA adds security, beyond just being another password-like item to enter, is that the code is account-specific (so every account has its own code), regenerated every few seconds (each code is derived from that account’s private key, as described in the walkthrough), and in most cases only stored on the device you put the two-factor app on. Thus, to get into a given account, the most current version of the code for that specific account is needed.
This means a hacker would need to get the latest iteration of your code, from your physical device, AND get your logins to get into your account!
Why Two-Factor is Important With Cryptocurrency
Since cryptocurrency can’t be recovered if it is stolen in most cases, two-factor is extremely important when using cryptocurrency exchanges or online wallet services. So for Kraken, Coinbase, Binance, etc… two-factor really isn’t an option, it is a necessity.
In short, what I’m saying is you essentially NEED two-factor on all your accounts and if you don’t have it you are playing with fire.
Which Two-Factor App Should I Use?
The simplest and safest way to do two-factor is to sign up for Google’s 2-step verification. It is free and pretty much universally agreed to be a safe and secure standard.
Setting it up is as simple as following some basic directions and then scanning a QR code.
Once it is set up, you can turn on two-factor authentication in each account you want to use it on and scan the QR code given by that account (so you have your main QR code from Google that sets up your 2FA, and then a QR code for each account that sets up 2FA for that account… and then this will result in multiple codes being constantly generated on your 2FA app).
Drawbacks of 2FA
With all the above said, there are some drawbacks to two-factor authentication.
First and foremost, any 2FA app whose secrets don’t live solely on your device presents its own security issues. Essentially, if you can recover your 2FA data from the cloud with just your phone number, as with Authy’s multi-device feature, then you put yourself at risk of SIM jacking. So, without going into detail, Google is again a good option (Google Authenticator didn’t offer cloud backup when this was written; see the note above about checking whether your authenticator uses cloud backups).
Second, and following on from the last point, since all the safest two-factor solutions are device-specific, putting your two-factor on more than one device is vital. If you only have your 2FA on one device and you break or lose that device, you’ll have to go through an account recovery process with literally every account you had 2FA on.
Therefore, you should always put your 2FA on at least two devices that you wouldn’t be likely to break or lose at the same time. To do this, when you initially set up a new 2FA, scan the QR with more than one device. Then, when you set up 2FA on any given account, scan that QR code with both devices as well.
How do I add Google 2FA to another device or switch devices? You can use the export function to transfer your 2FA codes.
Screenshot your QR Codes and Save your Private Keys: If you take a screenshot of the QR code you use to set up an account, you can always scan it later from another device. This can save you a ton of time setting up multiple devices or switching devices down the road… Just keep them somewhere safe (see the next few points).
2FA Uses Private Keys: Just like cryptocurrencies use private keys, 2FA uses private keys as well. When you scan the QR code upon setting up your 2FA, you are scanning a private key.
Keep your backup codes, QRs, and private keys (but keep them offline and safe): You’ll get backup codes when you set up two-factor; don’t lose those and don’t share them. The same goes for those QR codes or private keys you get when you set up 2FA on your accounts. It is essentially like the private key for your cryptocurrency wallet. Meaning, you never share your codes and you always keep them somewhere safe and preferably offline (like a USB drive in a lock box).
Beware phone-based attacks (i.e. “SIM jacking”): It is generally suggested that you use a 2-factor app like Google Authenticator rather than phone-based (SMS or call) authentication, because phone-based authentication is subject to SIM swap attacks (where an attacker uses social engineering against your mobile carrier to get your phone number moved to a SIM card they control, and so receives your codes). That said, phone-based authentication is way better than nothing, so at least enable that!
Using a strong password and unique email: It is smart to (1) use different emails for two-factor and your crypto exchange logins in case one gets compromised, and (2) secure the account your two-factor is on in every way you can. Each layer of security is another layer of protection for you.
Nothing is foolproof: No security solution is foolproof. For example, if someone gets access to your phone and gets all your information and access to your two factor and your logins and passwords, then even that second layer isn’t enough. Point being, having two-factor on an account is way more secure than not, but no security solution is perfect.
In most cases you need to access exchanges to use cryptocurrency, and since you need to access exchanges, you need to have some form of security on your account.
Two-factor is probably one of the best and most simple measures you can take to secure your account.
If you don’t have a preferred two-factor, use Google’s 2-step.
Yes, it is true that switching devices and storing backups is sort of stressful and time consuming, but it is actually way less stressful and time consuming than… you know, finding out your crypto account is hacked and that you have lost everything.