Two-Factor Authentication (2FA)

Passwords alone are catastrophically insufficient for securing crypto exchange accounts. 2FA requires something you know (password) plus something you have (your phone or hardware key), making account compromise dramatically harder even if your password is leaked. The 2023 LastPass hack exposed thousands of users' passwords; those who hadn't enabled 2FA on their exchange accounts faced direct theft. With proper 2FA, stolen passwords are useless without also stealing your physical device.

There are several types of 2FA with very different security profiles. SMS-based 2FA sends a code via text message — convenient but vulnerable to SIM-swapping, where attackers bribe or socially engineer mobile carrier employees to transfer your phone number to their device. SIM-swap attacks have directly caused millions in crypto theft, including the infamous 2019 Twitter CEO Jack Dorsey SIM-swap. Time-based One-Time Password (TOTP) apps — Google Authenticator, Authy, 2FAS — generate rotating 6-digit codes every 30 seconds based on a shared secret key stored only on your device. This is far more secure because stealing it requires physical access to your phone.

Hardware security keys (YubiKey, Google Titan) represent the gold standard: a physical USB or NFC device that must be present for login. They're immune to phishing (they verify the actual website domain before signing) and SIM-swaps. For accounts holding significant crypto, hardware keys are recommended. Additional best practices: store TOTP backup codes in an encrypted password manager (not a photo on your phone), never enable SMS fallback if you've set up app 2FA, and use unique email addresses for each major exchange (harder for attackers to identify and target your accounts).