By Shilpa Dhar, VP of Product Management, Coinbase
At Coinbase, every customer is opted into two-factor authentication (2FA) automatically. This higher level of security is not the default for many traditional financial institutions and other technology platforms. But at Coinbase, we believe this extra step helps us keep our customers and their funds secure, including by providing protection against account takeovers (ATOs), which are usually caused by phishing campaigns, SIM swaps, or support scams.
We want to ensure that all our users can leverage secure 2FA methods to access their accounts on Coinbase. That is why we are rolling out hardware security key support for 2FA when logging into Coinbase through your mobile device (support for desktop is already available).
Have you ever signed into an account and been asked to take a second step to verify your identity? That’s 2FA. Activating 2FA is critical in keeping your online accounts secure, but not all 2FA methods are created equal. Hardware security keys are arguably the most secure 2FA method (with SMS verification being the least secure). This is because security keys don’t require you to type out a code that attackers can find ways to intercept.
Hardware security keys are encrypted USB devices that you can register with your Coinbase account as a strong form of physical 2FA. Once registered, you’ll be prompted for your security key when logging in. You then plug the key into your mobile device, or tap it against the device via near field communication (NFC), to securely access your account.
A security key is small enough to carry on your keychain, so you have access to it all the time. You can also set up multiple keys (which is best practice), so you can keep a backup in case one is lost. Keys cost extra, starting around $45, but they provide phishing-resistant security against bad actors: we have observed the strongest defense against ATOs among users who use security keys as their 2FA method.
How to get started
- First, you’ll need a security key that works on both your mobile device and desktop. YubiKey is a trusted brand that works on desktop and mobile devices, and provides different products depending on the type of device you have, including the YubiKey 5C NFC (Android + iOS NFC), YubiKey 5Ci (iOS + Android), and YubiKey 5C (Android)
- Then, sign into Coinbase on desktop and go to your settings page
- Click on the security tab and scroll down to the 2-step verification section
- Select the option that says ‘Security Key’ and follow instructions to set it up
- Once you’ve completed set-up, you can use that security key as your 2FA on both the Coinbase website and mobile app (see how to use a YubiKey device here)
Now our customers anywhere around the world can secure their Coinbase accounts with a security key on both desktop and mobile. We started rolling out security key support for 2FA on mobile last month, and all eligible customers will have access by the end of the year. Security keys for 2FA are not currently supported on Coinbase Pro or Coinbase Wallet.
Coinbase now supports security keys for 2-factor authentication on mobile was originally published in The Coinbase Blog on Medium.