After signing up with a crypto exchange, you’ll probably be required to configure security settings on your account and come across something called “2FA”.


In this lesson, I’m going to explain what 2FA is and why most crypto exchanges require it.


In order to log in to any online account, authentication is required. Authentication is just a fancy word for “proving the identity of a user”.


2FA is a specific type of authentication process that requires two methods (also referred to as “factors”) to verify your identity.


With so much personal information stored on our mobile devices and computers, it’s no surprise that these are prime targets for hackers and malware, resulting in data breaches.


A data breach is an incident where information is stolen from a system without the knowledge or permission of the system’s owner.


Because of that, most apps and websites have to beef up their security to protect their customers and their funds.


One effective way that crypto exchanges use to verify that their users are really who they say they are is to require “2FA.”

2FA provides an additional level of protection against unauthorized access to your crypto exchange account.


2FA Login


What is Two-Factor Authentication (2FA)?

A password alone is NOT enough to keep your crypto exchange account secure.


Two-factor authentication, or 2FA, is a method of improving the security of your crypto exchange account by requiring an additional “factor” to prove the account holder’s identity before access to the account is granted.


A “factor” is a distinct form of identification needed in order to access something.


There are 3 main “factors”:


Something you KNOW (e.g. password, security question, PIN)

Something you HAVE (e.g. code provided by a device)

Something you ARE (e.g. fingerprint, iris scan, facial scan, voice scan)

In 2FA, you need to provide TWO factors to authenticate.


Security questions, such as “What is your mother’s maiden name?” or “What is the name of the street you grew up on?” are NOT considered 2FA because they substitute for your password.


Basically, the security question and your password are in the same category (something you KNOW), so combining them is NOT two-factor authentication.

How does 2FA work?

2FA Process


There are two popular 2FA options:


SMS

Authenticator app

SMS

Originally, entering a code sent to your phone via a text message was the primary option for the second “factor” of 2FA.


2FA via SMS


Since most people own a smartphone, it was easy for them to just provide their mobile number and receive a text message that contained a code to enter after entering their username and password.


Unfortunately, hackers have devised multiple methods to reroute your phone number and intercept these text messages (like SIM swapping).


Authenticator apps have proven to be more secure and reliable than SMS. 


Authenticator app

Authenticator apps work in a similar fashion to SMS text.


You get a code on an app on your smartphone and use it in combination with your username and password to log into your accounts.


2FA Code


The critical difference is that the code is NOT delivered over the mobile network and can work offline.


This makes it much more difficult for hackers to intercept the code.



In order for the Authenticator app to work with the account you are trying to access, you first need to “pair” the app on your smartphone with the account.

If you change phones, you have to go through the process again.


After logging into your crypto exchange account with your username and password, 2FA requires that you enter a One-Time Password (OTP) generated on your smartphone to complete your login process.


The OTP is a 6-digit code generated by smartphone apps such as Authy, Google Authenticator, or Microsoft Authenticator.


One-time passwords are a common possession factor, or “something you have”. As its name suggests, the OTP only works once.


This enhances your security as it requires an additional layer of authentication from your smartphone before your login is verified. The overall strength of the authentication is the combination of the two factors.


In the scary scenario where your password has been compromised, a hacker would still need the OTP. As long as your phone is still in your possession, only you would be able to provide the OTP.


Without your physical device, the remote hacker can’t pretend to be you in order to gain unauthorized access to your account.


HOTP vs TOTP

Authenticator apps create one-time passwords (OTPs). OTPs are unique numeric passwords generated with a standardized algorithm, and they are available offline.


Some exchanges require you to choose the type of OTP standard for your 2FA setup.


There are 2 types of OTP standards:


HOTP (HMAC-based One Time Password)

TOTP (Time-based One Time Password)

An HOTP password is not tied to a clock, so it can remain valid for an indefinite period of time until it is used. In contrast, the TOTP password changes every 30 seconds.


TOTP is more secure since a fresh code is generated by your Authenticator app every 30 seconds; this requires the clock on your device and the clock on the exchange’s server to stay in sync.