Ask CryptoVantage: What is the Best 2FA Method for Bitcoin Security?

What is 2FA?

Two-factor authentication (or 2FA for short), is the go-to method for securely accessing online accounts. Rather than just requiring a username and password to access an account, 2FA offers an additional layer of security by requiring the user to prove that they have access to another account or hardware device. A common example of 2FA is receiving a verification code to your cell phone through a text message.

In 2FA, the first factor is your password for the account, and the second factor can be proving that you have access to an email or another online account, your cell phone, or another hardware device. The objective is to prove your identity by two means rather than just one.

Why Use 2FA for Bitcoin?

Most people use online exchanges for buying and storing their bitcoin. Even though it’s not the best practice for storing bitcoin, it is very common for people to store large amounts of money on their online exchange accounts. Without 2FA, bitcoin is more susceptible to hacking because someone would just need to get your password to take your funds.

By using 2FA, a hacker would need to have access to your password, as well as your second authentication method, which is significantly more difficult for the hacker to do. Because bitcoin transactions are permanent and irreversible, it is even more important to use 2FA with online bitcoin accounts than it is with other financial accounts.

Not all methods of 2FA are equal. There are different methods of 2FA, each with varying levels of security which we will discuss in this article. Typically, the trade-off for each method of 2FA is security versus convenience.

What Are Bad Examples of 2FA?

• Email

Although convenient, using an email as a secondary authentication method does not offer as much security as other 2FA options. Email-based 2FA typically requires the user to enter a verification code that was sent to their email to prove their identity and access their account. If the hacker has your exchange login information, they might have your email login information as well. It is therefore possible, and not overly difficult, for a hacker to access your exchange login even with email-based 2FA. Out of all 2FA options discussed in this article, email offers the least amount of security.

• SMS

SMS-based 2FA requires you to enter a verification code that is sent to your cell phone in an SMS text message in order to access your account. Although slightly more secure than email, SMS-based 2FA has some downfalls as well. There is a misconception that an attacker would have to have access to your cell phone in order to use this 2FA method. In theory, that would be a difficult task for a hacker. However, over the last few years there have been many cases where hackers have been able to hijack a SIM card.

If a hacker were targeting you, and trying to get around an SMS-based 2FA, they might do the following: The hacker talks to your cell phone provider, pretending to be you, and asks for a new SIM card for your phone. The hacker then inserts the SIM card into their own phone. When trying to login to your exchange account, they receive the verification code to their phone rather than it being sent to you.

This method of hacking requires more effort than brute forcing an email-based 2FA, however it is still possible and has been done. In order to hack SMS-based 2FA, the hacker needs your phone number, name, and the skills to social engineer your cell phone provider into giving out a new SIM card. As you can imagine, in order for a hacker to go to this trouble, they must be targeting a specific person they suspect has significant funds in their online exchange account.

What Are Good Examples of 2FA?

• Google Authenticator

Google Authenticator is a phone app that is designed to offer a more secure method for 2FA than email or SMS. Online accounts that use Google Authenticator as their 2FA method will generate a secret key that gets stored in your Google Authenticator app. Each time you attempt logging into an account that uses Google Authenticator-based 2FA, the site generates a “time-based one-time password” (TOTP). Using the secret key and the current time, the authenticator app will generate the same TOTP password, allowing you to access the account.

Google Authenticator is a good method for 2FA because the attacker would need to know your password as well as knowing that secret key that was generated and stored in your Google Authenticator app. Or, they would need to know your password and have physical access to your cell phone.

• Hardware Authentication

Hardware-based authentication involves having a hardware device that you plug into your computer to prove your identity. You can picture the hardware device looking like a USB drive. The hardware device has a secret key that never leaves the device. When you connect the hardware device to your computer, you are proving your identity by proving that you are in possession of the physical hardware device.

Hardware-based authentication is better than Google Authenticator, because Google Authenticator is based on a shared secret key that could potentially get into the hands of the hacker, whereas a hardware-based secret key never leaves the hardware device. The only way that a properly functioning hardware-based authentication can be hacked is if the hacker were able to get access to your username, password, as well as the physical hardware device.

Hardware-based authentication methods are very similar to how bitcoin hardware wallets work, and in fact, some hardware wallets can even be used for 2FA.

YubiKey is the gold standard of hardware authentication. It’s a small device that you can store securely wherever you’d like and plug it into your computer when needed.

Key Takeaways

• 2FA requires you to prove your identity through a secondary method in addition to your username and password.
• 2FA is an important way to secure your online exchange accounts and any bitcoin you have stored in them.
• Not all forms of 2FA offer equal levels of security.
• Typically, the more convenient methods of 2FA are the least secure.
• Email and SMS-based 2FA are less secure methods of 2FA.
• Google Authenticator and hardware-based 2FA offer more security than other methods, but overall, hardware-based 2FA methods like YubiKey are the gold standard for protecting your online bitcoin exchange accounts.