Bruno Krauss
Anyone who has been involved with cryptocurrencies will most likely have come across “2FA”. The term refers to two-factor authentication. It is one of the most important measures for securing cryptocurrency wallets and customer accounts.
There are different methods, which all have one basic idea in common: In addition to the password and username there should be another factor as part of the login procedure. Therefore, 2FA methods are often included in the standard repertoire of crypto exchanges that want to offer their customers a particularly high level of protection for their deposits.
However, there are many different methods to choose from and each of them has its advantages and disadvantages. In this article, we would like to introduce you to the most important methods and how their use can benefit you.
Two-factor authentication implies that two independent components are required for login. An example of this is your bank card and the corresponding PIN. Both are two independent components that are required for authentication. If one of the two is lost or unknown, the login procedure fails.
All 2FA methods are a form of multi-factor authentication. They are used in connection with crypto, among other areas, because if the username and password of certain accounts become known, cryptocurrencies can be accessed and thus sometimes irretrievably stolen and lost.
Their greatest advantage is therefore to form a last line of defense if, for example, an attacker has succeeded in a phishing attempt or has introduced a virus into the user’s system. He might have captured the username and password but without access to the 2FA method, he remains locked out.
The biggest disadvantage is the handling of the method and the lesser comfort. If you lose your 2FA secret, you urgently need access to backups. If you don’t have the necessary backup at hand, you can’t log in for the time being. The result is that you trade security for reduced usability. 2FA methods can be divided into three categories:
Many 2FA methods used in connection with cryptocurrencies can be assigned to the first category as a specific token is typically required.
This is a standard method that is often activated by default after opening a customer account with an exchange, for example. The provider asks for the customer’s mobile phone number and email address during the account set-up process and uses one of the two options as 2FA.
When the customer logs in to the account, after successfully entering his password and username, he is sent a code that has a one-time validity and cannot be used again after a few minutes. Only after entering this code can the customer log in. A code is usually also sent when the customer wants to make changes to his account or withdraw cryptocurrency.
Reception via SMS is comparatively secure although theoretically there is always the possibility that an attack surface is created here via so-called SIM swapping. If the code is sent by e-mail there are risks. This is because the same methods that criminals use to compromise passwords and usernames can also be used to obtain access data for the e-mail account.
In summary, we could say that both methods are better than no 2FA at all but overall SMS and e-mail perform significantly worse compared to other methods.
A one-time password or OTP for short, is an app that generates new passwords every 30 seconds using a secret key. This secret is known only to the rightful owner of the account. During the login procedure the provider checks whether the one-time password is correct or not.
In principle, this hurdle can only be cracked if one gains access to the smartphone on which the OTP app is installed or knows the secret. One advantage is that the secret can be read on different devices, such as a second cell phone. The disadvantage is that you have to take care of your backup of the secret because if you lose the device, you can’t restore it.
In case of a total loss, the only option left is to ask the provider for a reset, which usually involves extensive checks. The most popular OTP app comes from Google but there are alternatives, too.
A YubiKey is a piece of dedicated hardware used as a token for two-factor authentication. The key can be connected either via USB, via NFC or via a Lightning interface. The device can be set up as a 2FA method or alternatively used as an access key to log in without a password and username. A YubiKey is a very secure method from a technical point of view.
However, a bottleneck is finding providers that accept the YubiKey as a 2FA method. In addition, restoring access after losing the device is much more problematic than with an OTP app because a new YubiKey is required and has to be set up again. As a precaution, it makes sense to set up a second YubiKey at the beginning as a backup and to store it in a safe place. In case of loss of the primary one you save yourself a lot of work and stress.
This is a 2FA method supported by the Ledger hardware wallets, among others. Since the devices are considered secure, the 2FA secret is well protected. However, you need constant access to your wallet in order to use the app.
Similar to YubiKey, not all crypto providers support FIDO U2F. However, the app can be used with Facebook, Google, Dashlane or Dropbox, for example. Another advantage is that the wallet seed also restores the 2FA secret. Therefore, a backup covers both and secures access to the wallet. Last but not least, several devices can be equipped with the 2FA app if more than one hardware wallet is in use.
Written By
Co-founder and CTO Bruno is a crypto native. Long before the public hype around Bitcoin, Ethereum & Co, Bruno was already active in the crypto field. The idea for ReWallet came to him a few years ago when he lost access to his own wallet.
Bruno KraussLosing the passphrase for a Ledger hidden wallet is a significant issue for crypto users, but it’s also a fairly common occurrence. Whether you lost …
Read Article
Bruno KraussThe “hidden wallet” on SecuX’s hardware wallets is a great way to add an extra barrier between cryptocurrencies and potential thieves — unless users …
Read Article