Part of the meaning of the cryptocurrency revolution is taking the value of money back into the hands of the people. That means securing your own cryptocurrency. However, many people do not secure their cryptocurrency well, and it is left on exchanges or in laptop/desktop hot wallets. Of course, sometimes this is difficult to avoid, especially if you are a high-volume day trader or a semi-frequent cryptocurrency trader who likes to keep coins on hot wallets/exchanges. Well, good news: there is a way to secure your cryptocurrency better, even on hot wallets, by protecting those accounts with 2FA.
Think about other kinds of security, such as your personal/home security, where people take many measures. You try to buy/rent a house in a relatively safe neighbourhood. You put at least one good-quality lock on every exterior door, sometimes two (a knob lock and a bolt lock). You may have a burglar alarm, a fire alarm and a carbon monoxide detector. Some households have security cameras installed too, and house/property insurance covers damaged or stolen property. With our lives becoming more deeply embedded in technology and the internet, we need to become just as concerned with cybersecurity. So, why not add a few layers of security to your digital self? Protect your personal laptop/computer, mobile phone, social media accounts, bank accounts and, most importantly, your cryptocurrency.
Typically, an account is associated with a username, account name or email. Whether this is public knowledge or private doesn’t really matter. For most cryptocurrency exchanges it is an email address or username.
Then you use a password to log in to your account. Simple and straightforward. Make sure your password is sufficiently long and complex for added security.
But what if your password is compromised, stolen or guessed (either an educated guess or brute force trial and error)? You’re out of luck. I wish there was a second layer of security for crypto exchange account login! Oh, wait…
There are many ways and layers to keeping your cryptocurrency secure, and 2-factor authentication is one of them.
What is 2-Factor Authentication?
Great question. 2-Factor Authentication, or 2FA, is the process of having two methods (or ‘factors’) to verify (or ‘authenticate’) an account login. Adding this second factor sounds simple but it significantly improves cybersecurity. 2-Factor Authentication is a combination of at least two of the following:
(i) something you know (e.g. a password),
(ii) something you have (e.g. a mobile phone or a physical security key), and
(iii) something you are (e.g. a fingerprint, Face ID or retina scan).
If a hacker only needs your username and password they can hack your account from anywhere. But to break into an account that uses 2-factor authentication the hacker would need the physical second-factor authenticator. For this reason, it significantly improves security.
There are different types of 2FA, some more secure than others; I discuss them briefly in another post. Today we will focus on the best 2-factor authentication method, because why would you settle for something of lower quality to protect your cryptocurrency? If you are a HODLer, what might only be a few thousand dollars today could be tens to hundreds of thousands in a few short years. If you are a daily crypto trader you could easily turn a few thousand into hundreds of thousands. Either way, short or long term, you should protect your digital assets.
Let’s briefly review the main different types of 2-factor authentication:
- SMS 2FA
- 2FA Authenticator App
- Universal 2-Factor (U2F) Authentication
1) SMS 2-Factor Authentication
SMS 2-Factor Authentication depends on your cellular service provider. The website/account you are logging in to sends a one-time 5-8 digit code to your mobile phone via SMS text message. The thinking was that since you should be physically in possession of your cell phone, this would make a good second factor.
However, hackers are intelligent, and they take advantage of human error via social engineering. Social engineering is basically the concept that a hacker gathers enough information about you (typically readily available online to anyone who knows where and how to look) to impersonate you to the phone company (cellular service provider). They get the human customer service representative to move your SIM to their phone. Then all they need is your username and password, and voilà, they are in your account, stealing all of your Bitcoin, XRP, Ethereum, ADA, EOS, NEO, Litecoin, etc.
Sometimes they don’t even need your username/password up front. They hijack your SIM and phish you to a fake website; when you enter your credentials there, the fake site steals them and automatically enters them into the real site.
SMS 2FA was thought to be good. But it is no longer even recommended. In fact, I recommend AGAINST it. Do NOT use SMS 2FA for crypto accounts or ANY account.
2) 2FA Authenticator Apps
Authenticator apps are random number generator apps. They sit on your mobile phone, independent of your cellular service provider, and need only a wifi connection to work; presumably, if you are logging in to your cryptocurrency account, you have wifi.
To use an authenticator app, the site on which you want 2FA must support it. There are various authenticator applications out there; two of the most popular are Google Authenticator and Authy. Authenticator app 2FA is significantly more secure than SMS 2FA since an attacker must physically have your phone/mobile device. So unless someone steals your phone AND is able to break into it (tough with biometric logins nowadays), your accounts should be pretty secure.
For example, to set up an Authenticator app on Binance:
- You set up your account and log in.
- On your profile page you can “enable” Google Authentication (although it should work well with any authenticator app)
- Once you select this option it gives you two choices:
  - scan a QR code, or
  - manually enter the code into the app.
- Copy the recovery code (do not lose it; keep it only on paper). You will need it if you lose or break your phone.
- Confirm by entering your account password and the current number from the Google Authenticator app. You may also need to enter an SMS 2FA code if you currently have that set up; I would then promptly remove SMS 2FA.
Google has actually stopped supporting its own Google Authenticator app. For 2-Factor Authentication on Google Accounts it now offers three other things:
- SMS (not recommended)
- Google Prompts: using your phone, but not SMS. Having your Gmail or Google Account on your phone allows Google to send you a notification (“prompt”) that you accept to sign in.
- Security Key – a physical 2FA device that I discuss below (and that is the gold standard).
Notice that Google itself does not even offer “Google Authenticator” as an option for 2FA on its accounts. There are better 2-Factor Authentication apps out there:
- LastPass Authenticator
- Duo Mobile
- Microsoft Authenticator
While Google Authenticator is still popular, riding its previous success and the brand of Google, the above-listed apps have updated support and better features. Some of these features include:
- Passcode protection and
- Encrypted backup.
If your phone is stolen and broken into, the thief may have access to all of the accounts protected by your 2FA app. If the authenticator app is itself password protected, that adds another layer a hacker must break. Encrypted backup of the codes is more of a convenience point: if you are clumsy with your phone and/or like to upgrade to the newest model regularly, it saves you from resetting 2FA on each account when you move your apps to the new phone. There is some discussion that not having an encrypted backup is a security benefit, even though it is an inconvenience.
Despite this, I still have Google Authenticator because it still works. I plan on updating to Authy as well as U2F (a physical security key, discussed below).
3) Universal 2-Factor (U2F) Authentication
What is U2F?
U2F is “Universal 2-Factor” Authentication. It is based on an open, international digital security authentication standard and it serves to simplify 2-factor authentication. Its goal is to use one single physical security key to protect all of your online/digital accounts. With 2FA authenticator apps you have a separate code generator for every single account; with U2F you simply have one physical security key for all accounts.
Universal Second Factor Authentication uses a physical security key that the user must have with them in order to log in to their important accounts. This security key is a specialized USB key that utilizes one or both of two features:
- HDI (“Human Device Interface”), which is a fancy way of saying a button, like a key on a keyboard, that a person must press while the device is connected.
- NFC (“Near Field Communication”), which seems to utilize Bluetooth technology and is useful for logging in to accounts on mobile devices. You enter your account username and password, and then confirm the second factor by pressing the key/button on the Bluetooth device. It can also use the same technology as the ‘tap’ feature of credit and debit card chips. I think that Bluetooth with pressing a button is more secure, though.
Not all security keys have both features; the HDI approach, inserting the USB key into the laptop/computer and physically pressing its button, is the more common.
If you decide to google around U2F you will come across “FIDO Alliance” which is a group of companies/institutions developing cybersecurity technology. I cannot be 100% certain, but I believe that FIDO means “Fast ID Online”. Not to be confused with the cellular company or the dog name.
Why is U2F more secure?
U2F is more secure than other 2FA systems for a few reasons:
- Origin-binding
- HDI (Human Device Interface)
- Biometric fingerprint ID (limited models)
Origin-binding refers to the fact that the intended website and/or software with the account you are logging in to is bound/linked to your physical security key. This means that the company developing the security key must create relationships with hundreds to thousands of third-party websites/software programs (e.g. banks, government, social media, etc.). But this practically eliminates the risk of phishing, since only the real site can authenticate with the key; an attempted authentication on a fake site that you have been phished to would simply not work.
The Human Device Interface (HDI) refers to the fact that a physical action must occur. With the other 2FA methods, whether SMS or an authenticator app’s number generator, the software could theoretically be hacked and the number stolen, or, in advanced cases, the 2FA verification code could be phished from a fake site and auto-entered into the real site. You cannot phish HDI, since a human must press a physical key/button.
Only a couple of U2F security keys employ fingerprint ID as the press/touch button. This adds a person-specific fingerprint ID to the HDI. So even if you lose your physical security key and a hacker has your password, you are still protected because they need your fingerprint too. Some people do not like this feature, while others love it. I wonder about the physical technology: what if the fingerprint scanner does not work or is faulty? Would that lock you out of your accounts until you can set up a new one? But provided it works as well as smartphone fingerprint ID, that would be a third level of security! U3F, pretty much.
The two factors above, origin-binding and HDI together greatly strengthen U2F against scammers/hackers/phishers. And when we are talking about the security of your cryptocurrency and other digital information we want the best of the best.
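To make the origin-binding and HDI points above concrete, here is an added Python model (not the protocol’s wire format and not code from the post or any vendor) of a key that answers a site’s challenge only for the origin the browser reports and only after a button press. Real U2F keys hold a per-site ECDSA key pair; the per-origin HMAC key here is an assumption standing in for that signature so the model runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

# Added model of U2F origin binding, not the real wire format: real keys hold a per-site
# ECDSA key pair; here an HMAC key derived per origin stands in for the signature so the
# example runs with the standard library only.

class SecurityKey:
    """The physical token: one device secret that never leaves it, plus a button."""
    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)

    def _origin_key(self, origin: str) -> bytes:
        # Derived from the origin the browser reports, so material registered for
        # one site is useless on any other origin.
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Real U2F hands the site a public key; this model hands it the verifier key.
        return self._origin_key(origin)

    def authenticate(self, origin: str, challenge: bytes, touched: bool) -> bytes:
        if not touched:
            raise RuntimeError("HDI: no button press, the key refuses to answer")
        signed = origin.encode() + b"|" + challenge  # the origin is part of what is signed
        return hmac.new(self._origin_key(origin), signed, hashlib.sha256).digest()

class RelyingParty:
    """The real site: stores the verifier key from registration, checks responses."""
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.verifiers = {}

    def register(self, user: str, key: SecurityKey) -> None:
        self.verifiers[user] = key.register(self.origin)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        signed = self.origin.encode() + b"|" + challenge
        expected = hmac.new(self.verifiers[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(rp: RelyingParty, user: str, key: SecurityKey, browser_origin: str,
          touched: bool = True) -> bool:
    """One login: the site's challenge reaches the key together with the origin the
    user is really on; on a phishing page that origin differs, so verification fails."""
    challenge = secrets.token_bytes(32)
    response = key.authenticate(browser_origin, challenge, touched)
    return rp.verify(user, challenge, response)
```

A lookalike origin relaying the real site’s challenge gets an answer bound to the wrong origin, which the real site rejects; the origin strings used when trying this are placeholders.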
Moreover, U2F increases privacy since it allows users to choose, own and control their online identity. You can have an anonymous ID, or a fully transparent ID, or both (yes it can support multiple identities). It may be tougher to have an anonymous account if utilizing fingerprint ID, and so if you want to have anonymous ID then utilize a security key without fingerprint ID.
Since U2F is becoming the highest standard of 2-factor authentication, more and more applications, devices, websites and institutions are adopting it. In fact, Google ditched its own Google Authenticator app in late 2017 and adopted the Yubico physical U2F security key (built by Yubico and Google), and not one of its 85,000 employees has suffered a successful phishing attempt since its adoption. The UK government has also issued U2F security keys to some of its employees.
What U2F security keys are recommended?
U2F security keys are recommended because they are an inexpensive and simple way to secure your important accounts. They allow for privacy, increased security and ease of use. Some U2F models combine biometrics with the HDI feature and origin-binding, a triple package which, on top of your original password, really does make it near impossible to be phished or hacked. That is truly taking security into your own hands.
Recommended brands are Yubico, Google, Thetis and Kensington.
Yubico has multiple versions of security keys:
- YubiKey 4
- Yubico Fido
- YubiKey Neo
- YubiKey 4 Nano
Google products for U2F:
- Titan Security Key Bundle – comes with a USB key and a Bluetooth version.
Thetis:
- Thetis FIDO U2F Security Key
Kensington:
- Kensington VeriMark Fingerprint Key U2F
Conclusion: 2-Factor Authentication is a Must
In today’s digital age, more and more of our lives are online. Some people see this as a bad thing. I do not. Being online has huge advantages for education, access to information, the ability to invest and do business, professional networking and development, and making a future for yourself. Not to mention that social media (with limitations) has greatly improved my ability to communicate with friends I do not see very often and to organize family and friend events.
Being online is good, then, but we must not be complacent. You must protect your online information. Bringing 2-factor authentication into your life will help secure access to your most private information, both social and financial.
Utilize 2FA not only for your cryptocurrency but for your email, your laptop, your bank accounts, your stock trading platforms, your social media accounts (Facebook, Instagram, Twitter). Protect your whole life, not just your cryptocurrency.
Whether you use the gold standard of U2F or a still-great 2FA authenticator app such as Authy, you are doing much more to protect your crypto and your digital self.
P.S. Full disclosure – I only just set up 2FA on my Facebook account the week before writing this article. I was pleasantly surprised at how seriously Facebook is taking the security of my/your data. It has numerous 2FA options!
For one, you can set 3 to 5 trusted friends who can be sent security codes if you are having trouble getting into your account.
Second, you can set up a 2FA as well as an additional 2FA (a 3FA?) as a backup! Facebook allows SMS (not recommended), authenticator apps (many are supported), recovery codes and security keys (U2F).
I personally set up 2FA with an authentication app, and plan on purchasing a security key for added security. My social life and all the information it contains is very important to me.
I hope that you enjoyed this post. Please feel free to post a question, comment etc.