Implement the Second-Factor Authentication was written by Florian, and it’s included in issue #6 of 21Cryptos Magazine. To read more articles like this subscribe today. To read other free articles check out our Magazine category. Follow us on Instagram, Facebook and LinkedIn.
This article is from an earlier date and as such can contain figures that were actual at time of writing.
There’s a lot of confusion around two factor authentication options and how to implement them correctly to protect your account. This article is the second in a series of at least five articles that will address the different risks which crypto traders and HODLERs are typically exposed to in different forms. Most security articles focus on what you absolutely SHOULDN’T do and are often accompanied with complex procedures to implement and keep up.
Having been a security guy for more than a decade, my goal is to help you break up with the mindset that good security must be complex. After reading my articles, you will hopefully be inspired and motivated to implement some measures to raise the bar for your overall personal security. Don’t be afraid—I will be your friendly guide throughout this journey. All you need is a web browser, a smartphone, and about 10 minutes of time.
What is Two-Factor Authentication?
Two-factor authentication (2FA) is a method of confirming a user’s claimed identity by utilizing a combination of at least two different factors. In fact, the number of factors is only limited by the effort involved vs. usability. The process rarely involves more than 3 factors at the same time.
A well-known example of two-factor authentication used in daily life is withdrawing of money from an ATM. In this case, you (1) own the card and (2) you (hopefully) remember the pin so you can get some cash when you need it. After reading the next few paragraphs, you will be able to secure your email and crypto exchange accounts properly with little effort. The benefit of 2FA for your email account is worth the little inconvenience added. A hacker that compromises your email account won’t be able to withdraw your valuable crypto from your exchange account.
Create a Dedicated E-mail Account for Every Exchange
You will need to create a dedicated email account for each (or at least every major) crypto exchange account that you have. This might seem to be paranoid, but it will save you from a lot of worrying in case one of your account emails appears in an online breach database like Have I Need Pwned. Blackhat hackers are selling and buying password dumps. They will try to use bruteforce attacks at best, and sophisticated social engineering attacks at worst.
Check the “haveibeenpwned” site on a regular basis for your emails. It’s run by Troy Hunt as free service. An added benefit to implementing dedicated accounts is that your crypto trading activity and emails are completely separated from the rest of your online correspondence.
Exchange-specific email addresses can follow a name scheme, but they don’t need to. I recommend using a combination of things you know with some random numbers included. For example, a typical email account for the binance exchange would be “peter.shaw.binance. firstname.lastname@example.org” or “authy. peter.19132.binance.shaw@protonmail. com.” Secure that e-mail account properly and add it to your desired email clients. We will add 2FA to this account in the next steps.
Choosing the Right Second Factor
There are a bunch of different factors to pick from, such as emails, SMS, hardware tokens, and many more. Not all of them are useful to us, and some of them are even potentially dangerous when used improperly. For our use case, securing our email and exchange accounts, all you need to do is install a free app on your iOS / Android phone.
I recommend the Authy app for all of your 2FA needs. It enables you to have a single mobile app for all of your 2FA accounts. Some people prefer Google Authenticator, and while it certainly does the job, Authy is more feature-rich and allows for multidevice syncing, cloud backups, and easier account recovery should you change or lose your phone or device.
Install Authy by visiting the developer homepage and following the links from there or on your device by searching for it in your device’s app store first. Warning: Don’t install ANY 2FA app on a device that also holds your passwords! There should be a clear separation between the device that holds your passwords and the other factors. Authy offers a nice desktop app and browser integration. Don’t use them! If you want to have the convenience of having a password manager (like LastPass or 1Password) and a 2FA App (like Authy) at the same time, install Authy on a dedicated device, such as a smartphone, with nothing else on it.
The next step it to set up Authy. The overall process is pretty straightforward— open the App and follow the instructions displayed. Each time you add a device to your Authy account (multiple devices are supported) you’ll need to confirm that it’s you by using an authentication method. This can be done by using SMS, phone, or another device that’s already set up. This is especially convenient when switching to a new phone.
Configure Authy to Secure Your E-mail Account
First, log in to your Gmail account, and go to “My Account.” Next, choose the “Sign-in & Security” tab. Click “Signing in to Google.” Select “2-Step Verification.” You’ll then enter your phone number, and select a method to get codes. Click “Next”. Now you need your phone and your Authy app. All you need to do is scan a QR code, and enter the first code as confirmation. You will receive a notification via email that 2FA was successfully activated for your account. You can find a very detailed step-by-step description how to do this here.
Google does a great job on filtering spam and phishing emails, but if you are concerned about giving your data to a big corporation like Google, there are plenty of alternatives with a bigger focus on privacy. I absolutely recommend ProtonMail. The Authy homepage also has a dedicated guide for ProtonMail.
Configure Authy to Secure Your Binance Account
All big exchanges support proper 2FA— avoid all exchanges that don’t. Binance is one of the biggest exchanges nowadays. I like the fact that they display a popup to warn people to enable 2FA on their accounts. Many people choose to use the SMS 2FA option, but please don’t do that. Your telco provider is one of the weakest links, and you can’t trust the security of your phone number. Please choose “Google Authentication” as option. Never use SMS or email as second factor! Again, Authy recently published an extensive guide on their website how to configure Binance access. You can find it here.
If you didn’t register for an account yet, use a dedicated Binance email account for the registration. Unfortunately, changing the email address of an existing Binance account involves LVL2 verification, but they are usually pretty fast working on tickets.
Summary and Recommendations
Using 2FA to access your crypto exchange accounts is mandatory. Hackers are continuously trying to hijack your accounts and without additional measures, it’s only a matter of time until they are successful. By using dedicated exchange email accounts combined with Authy as second factor on a dedicated smartphone, you will have dramatically raised the bar for the bad guys.
Some More Hints to Stay Secure
- Use a dedicated phone for the Authy app. It doesn’t have to be online and any old smartphone will usually do.
- Regularly test recovery. The last thing you want to happen is to discover that your backup doesn’t work when your only device is broken.
- Disable the multi-device feature to be safe, in case of SIM swapping / cloning attacks.