What is the best 2FA method for Bitcoin security?

Two-factor authentication (or 2FA for short) is the ideal way to securely access online accounts. Rather than simply requiring a username and password to access an account, 2FA offers an extra layer of security by requiring the user to prove that they have access to another account or hardware device. A common example of 2FA is receiving a verification code on your mobile phone via a text message.

In 2FA, the first factor is the password for the account, and the second factor can be to prove that you have access to an email or other online account, your mobile phone, or another hardware device.

The goal is to prove your identity by two means rather than one.

Why use 2FA for Bitcoin?

Most people use online exchanges to buy and store their bitcoins. Although it is not the best practice for storing bitcoins, it is very common for people to store large amounts of money on their online exchange accounts. Without 2FA, bitcoin is more susceptible to hacking because someone would only need to get your password to take your funds.

With 2FA enabled, a hacker would need your password as well as your second authentication method, which is significantly harder to obtain. Since bitcoin transactions are permanent and irreversible, it is even more important to use 2FA with online bitcoin accounts than with other financial accounts.

Not all 2FA methods are created equal. There are different methods of 2FA, each with different levels of security that we will talk about in this article. Typically, the trade-off for every 2FA method is safety versus convenience.

What are the bad examples of 2FA?

  • email

While convenient, using an email as a secondary authentication method doesn’t offer the same security as other 2FA options. Email-based 2FA typically requires the user to enter a verification code sent to their email to prove their identity and access their account. If the hacker has your exchange login information, they may have your email login information as well. It is therefore possible, and not overly difficult, for a hacker to access your exchange login even with email-based 2FA. Of all the 2FA options discussed in this article, email offers the least amount of security.

  • SMS

SMS-based 2FA requires you to enter a verification code that is sent to your mobile phone in an SMS text message to access your account. Although slightly more secure than email, SMS-based 2FA also has some drawbacks. It is commonly assumed that an attacker would need to have your mobile phone in hand to get past this 2FA method, which would in theory be a difficult task. However, in recent years there have been many cases where hackers have been able to hijack a victim's SIM card.

If a hacker targeted you and tried to bypass SMS-based 2FA, they might do the following: the hacker contacts your mobile operator, pretends to be you, and asks for a new SIM card for your phone number. The hacker then inserts that SIM card into their own phone. When they try to log in to your exchange account, the verification code is delivered to their phone instead of yours.

This attack takes more effort than defeating email-based 2FA, but it is still possible and has been done. To defeat SMS-based 2FA, the hacker needs your phone number, your name, and the social-engineering skills to convince your mobile provider to issue a new SIM card. As you can imagine, a hacker will only go to this trouble for a specific person they suspect holds significant funds in an online exchange account.

What are good examples of 2FA?

  • Google Authenticator

Google Authenticator is a phone app designed to offer a more secure method for 2FA than email or SMS. When you enrol an online account with Google Authenticator as a 2FA method, the site generates a secret key that is stored in the Google Authenticator app. Every time you try to sign in to an account that uses Google Authenticator, the site computes a “time-based one-time password” (TOTP) from the secret key and the current time. The authenticator app, which holds the same secret key and uses the same clock, generates the same TOTP; entering it gives you access to the account.

Google Authenticator is a good method for 2FA because the attacker would need to know your password and also know the secret key that was generated and stored in your Google Authenticator app. Or, they would need to know your password and have physical access to your cell phone.

  • Hardware authentication

Hardware-based authentication involves having a hardware device attached to your computer to prove your identity. You can imagine the hardware device resembling a USB drive. The hardware device has a secret key that never leaves the device. When you connect the hardware device to your computer, you prove your identity by proving that you own the physical hardware device.

Hardware-based authentication is better than Google Authenticator, because Google Authenticator relies on a shared secret key that could potentially end up in the hands of the hacker, while a hardware-based secret key never leaves the hardware device. The only way a properly functioning hardware-based authentication can be defeated is if the hacker obtains your username, your password, and the physical hardware device.

Hardware-based authentication methods are very similar to how bitcoin hardware wallets work, and in fact, some hardware wallets can also be used for 2FA.

YubiKey is the gold standard of hardware authentication. It’s a small device that you can safely store wherever you want and connect it to your computer when you need to.

  • 2FA requires you to prove your identity through a secondary method in addition to your username and password.
  • 2FA is an important way to secure your online exchange accounts and any bitcoins you have stored in them.
  • Not all forms of 2FA offer equal levels of security.
  • Typically, the most cost-effective methods of 2FA are the least safe.
  • Email- and SMS-based 2FA are less secure than the other 2FA methods.
  • Google Authenticator and hardware-based 2FA offer more security than other methods, but overall, hardware-based 2FA methods like YubiKey are the gold standard for securing your online bitcoin exchange accounts.