TL;DR (concentrated takeaways)
2-Factor Authentication (2FA) is a form of Multi-Factor Authentication (MFA) that is used to identify who you are.
In
addition to “Something you know” (like a password), 2FA also provides “Something you have” (like a dynamically-generated authenticator code), or
“Something you are” (like biometrics).Correctly used 2-factor authentication is one of the strongest
defenses against account abuse and crypto theft. (But improperly-used 2FA can actually make you more of a target!)2FA code generation devices may take the form of desktop or mobile software apps, specialized
hardware, or SMS-messaging phones. You will likely end up with more than one type of 2FA
Authenticator.2FA is not a panacea, and you should be careful to follow the security recommendations of 2FA solution providers.
Backing up 2FA recovery codes is extremely important and often overlooked – 2FA recovery codes need to be backed up, too!
Why is 2-factor authentication necessary?
Cryptocurrency-related crime can take many forms, including phishing scams, malware, or simply discovering and using passwords, PINs, or seed phrases. There is no single protection that will guard against all types of threats. But the good news is that there are things that you can do to “harden” your devices and accounts and make theft and impersonation crimes much less likely. Using 2-factor authentication is one of the strongest defenses against account abuse and crypto theft.
What is “2-factor authentication?”
First, let’s review what the term “2-factor authentication” means. Authentication is the method by which you prove that you are who you say you are. A “factor” is a type of evidence, typically falling into one of three categories:
- Something that you know (like a PIN code, password, or answer to secret question)
- Something that you have (like a cellphone, authenticator app, Yubikey, smartcard, etc.)
- Something that you are (like your biometrics: fingerprint, face or voice recognition, etc.)
So 2-factor authentication is a way of identifying yourself to a device or service where you must provide 2 different factors of authentication – for example, a password, and a number from a special app that generates one-time codes (aka a “Time-based, One-Time Password,” or “TOTP”).
2-factor authentication is often referred to simply as 2FA. 2FA is a subset of multi-factor authentication (MFA). MFA could incorporate two, three, or more factors of authentication. While 2FA is the most widespread, crypto exchanges usually prefer three or more factors for highest security.
Why is it important to authenticate using multiple factors?
Using multiple different authentication factors increases security because if one of your authentication factors (like a password) is accidentally disclosed, an attacker would have to perform a completely different kind of attack in order to gain access to a second type of your authentication (like a dynamic authentication code). Put another way, if you identified yourself to an account using a few “things that you know,” it is possible that someone who gained access to a trove of information about you could successfully answer many questions of that type. With multiple-factor authentication, you are protected by the combined strength of all types of required factors.
However, the strength of 2FA varies: passwords could be weak or sloppily-stored. Cellphones can be stolen, and SMS messages can be hijacked or spoofed. Even fingerprints, facial recognition, and voiceprints can be impersonated. But if you carefully choose and protect a varied combination of identifying factors, you can make it highly unlikely that anyone could break into your accounts by pretending to be you.
As a crypto asset holder, you should get into the habit of checking your account settings for any software or hardware that you use for crypto access or secret storage, and make careful choices from the 2FA options that are available to you.
SMS as 2FA is a potential vulnerability
Industry standards no longer recognize SMS messages as a strong 2FA mechanism, due to inherent design weaknesses, including the risks of SIM swapping, SMS spoofing and hijacking, and SMS phishing. SMS authentication is ONLY helpful in 3-or-more MFA situations. The problem with SMS in a two-factor-only setup is that it is sometimes designed as a “master” factor, such that if your SIM card is swapped or stolen, your password may not be needed at all, and SMS could then be used as your sole identifying factor. We strongly recommend never to use SMS in a 2FA setup, since the number of reports of SIM hijacking methods are growing. Some SMS vulnerabilities are unpatchable due to legacy design in the GSM phone system, and also due to lax adherence to secure procedures by a highly-distributed, loosely-regulated cellular industry.
App-generated Authenticator Codes
There are many authenticator apps available through app stores from manufacturers like Authy, Google, Microsoft, and LastPass. Once installed, these apps are associated with your unique device, and can generate “one-time” codes that work with a wide variety of sites and devices that implement authentication via 2-factor authentication. Because this type of 2FA code can only be used one time and they expire quickly, they are not easily stolen or abused.
It is common for services with 2FA to allow users some choice in which type they prefer to use from a few different options.
When deciding which 2FA apps to use, keep in mind that (like any software) applications that you use for authentication should come from a trusted source, like an official app store, and from a trusted manufacturer. Some people trust large, well-known software companies like Google or Microsoft. Some people prefer to trust well-known open-source software projects, because that code is fully transparent and can be analyzed by anyone. Either of those strategies is defensible; however, do not rely on a small, unknown company, or use ad-laden 2FA apps, given the wide availability of high-quality solutions provided by well-known suppliers.
Hardware-generated Authenticator Codes
There is a friendly “gorilla” in the market landscape of hardware devices that generate 2FA codes and authentication tokens: Yubikey, made by Yubico. Yubikey has been around since 2008, and its hardware key generators are available in several form factors, including USB-A, USB-C, and NFC (Near Field Communication, a form of wireless). The number of interfaces and protocols supported by Yubikey is impressive, and they now offer a fingerprint-based Yubikey-Bio biometric device.
Other manufacturers of hardware-based authenticator codes are Google Titan Security Keys, Thetis, and SoloKeys (based on open source software). These also come in various form factors.
2FA standards are a fast-moving world
Each device or website that offers 2FA determines which types of 2FA mechanisms will work with their product. Industry alliances offer standards that developers can use in implementing products. Two well-known organizations that collaborate on multi-factor authentication standards are the World Wide Web Consortium (W3C) and the FIDO Alliance.
Examples of 2FA standards that are accepted by various crypto exchanges and devices are shown below. These can change at any time, but a quick review of the list will give you an idea of the variety that you will see accepted:
- Coinbase: Google Authenticator, Duo apps (but not Authy), hardware keys, SMS.
- Gemini: Authy, hardware keys, SMS.
- Crypto.com: Recommends Authy, also supports Google Authenticator and other time-based, one-time code generators.
- Ledger: Ledger hardware wallets can be used as a 2FA mechanism by installing the FIDO U2F (Universal Second Factor) app, installable from Ledger Live.
- Trezor Model T hardware wallets also have 2FA support (FIDO U2F and FIDO2).
Don’t forget to back up your 2FA recovery codes!
You may have noticed a theme in all of this advice about safely setting up your crypto wallets and accounts: “What if something goes wrong?” For example, what if you have installed a 2FA app on your smart phone, but then you lose your phone? If you planned carefully, your phone may have a warranty … your photos and documents may be backed up to the Cloud … but what do you do the next time that you are prompted for a code from your phone’s 2FA app?
If you paid close attention when you set up 2FA for a device or online service, you may have noticed that during the setup process, you were advised to save a short list of “recovery codes.” The reason that these recovery codes are provided is because they provide an alternative authentication mechanism that you can use in case of an emergency. If you have 2FA recovery codes, you can use one of them to authenticate to the service, and then while you are logged in, you can modify your 2FA settings (perhaps by temporarily disabling the 2FA check while you figure out what to do about your lost/damaged phone, or by setting it up to authenticate with a 2FA app on a different device). You should save these recovery codes in a safe place that’s not on the same device – you should not use a single smartphone both to run an authenticator app and as a place to store its recovery codes!
More codes to back up, really? Well, yes. After all, if you lose your phone (or if it stops working), any account services that you had set up to rely on 2FA codes from your phone are still going to need something to know that you’re really you. If you can’t provide a code from the app, a recovery code can get you in instead.
Losing your 2FA recovery codes could leave you locked out of your account
Every company that implements multi-factor authentication for access may handle the situation differently if you lose your ability to produce new authentication codes and you have also lost your recovery codes.
Some service providers have customer service staff who may agree to reset your access to your account after an enforced time delay, re-checking original identity documents, performing video verification, and/or receiving out-of-band confirmation through another known communication path. (If this is an option for you, you may still experience some agitation waiting 48 hours – or more – for an account reset, especially if crypto prices are volatile.)
But there are no guarantees that they will be willing to at all. Your ability to re-establish access to your account will depend on the policies of that service. If they have your “Know Your Customer” (KYC) information, so they have copies of your passport, your image, etc., and if you are a valued customer, they will have some motivation to work with you to grant your access again. If you are using a free service, or a service to which you are relatively anonymous, it is entirely up to the company or service whether they choose to reset your account access. This is a sobering risk.
The screenshot below shows what one Google user experienced after failing to regain access to their account that was protected by MFA.
Google Account Reset failure
Different ways to back up 2FA recovery codes
By now you understand why it is important for you to back up your 2FA recovery codes.
There is not just one way to back them up. Some people just buy additional hardware devices and keep two phones or authenticator devices, using one as a “hot swappable” alternative. That can be expensive, and means more devices to store and protect.
Google offers ways to “transfer” Authenticator 2FA codes from one phone to another, or to simultaneously install Authenticator on multiple devices. In 2023, Google Authenticator added the ability to back up recovery codes to a Google Cloud account.
Authy offers a unique and optional way to make a backup of your 2FA recovery codes: an encrypted Cloud-based backup. That’s nice of them … but to protect the recovery codes that they save to the Cloud, they ask that you set up an additional password to protect your recovery code backup. If you choose to take Authy up on their offer to store your 2FA recovery codes, it would be wise for you to store your password to that recovery code backup in your Vault12 Digital Vault.
Yubikey allows users to set up the Yubico Authenticator on multiple YubiKey devices, which can act as a backup of sorts, but they still suggest “Consider saving a copy of the QR code (or secret key) somewhere safe so you have the ability to program the credential into future backup YubiKeys, etc.”
Apple iOS 15 released an integrated iOS Authenticator app built into the operating system, and it seems that it can be backed up along with the rest of the integrated Apple device backup functions.
Vault12 is the best way to back up your 2FA recovery codes
The best way to back up your 2FA recovery codes is to save them to your Vault12 Digital Vault. Just open your Vault, click “Add Asset,” and save your recovery codes as notes, files, or images, no matter the form that they take (words, numbers, QR codes, etc.). After you place your recovery codes into your Vault, you can “set it and forget it” … with your recovery codes safely protected, you could lose or upgrade your phone as many times as you want. Then, when you want to regain access to your crypto accounts at some later date, your Vault12 Digital Vault will have your 2FA recovery codes waiting for you, allowing you to successfully navigate through your high-security authentication (then if necessary, you could reconfigure your 2FA to use codes from a freshly-installed Authenticator app).
If ever needed, your Vault12 Digital Vault could also allow your beneficiaries to simply unlock your crypto assets. To achieve that protection, ensure that your Digital Vault holds all of the information needed to access your crypto accounts or wallets. Since everyone’s digital assets are different, you might choose to write and store a note in your Vault to explain what each asset is used for. All of your crypto assets and information that you store in your Digital Vault are secure, encrypted, and conveniently kept together, giving you peace of mind.