Bitcoin Forum

Other => Beginners & Help => Topic started by: Raymondavid47 on July 16, 2019, 10:44:43 PM



Title: Always Use 2Fa For Your Exchange Accounts
Post by: Raymondavid47 on July 16, 2019, 10:44:43 PM
Recently I have been receiving emails saying that someone is logging in to some of my exchange accounts on which I didn't activate my 2FA settings. Although I don't have money in them, I now see how insecure they are without the 2FA settings being activated. So my advice to you is to activate your 2FA settings on any exchange you are trading on to avoid unwanted entries or hacking. Be safe.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: BitMaxz on July 16, 2019, 11:10:39 PM
That is why it's advisable to use a two-factor authenticator to keep any of your exchange accounts safe, and always use a unique password for every exchange, because there is a possibility that one of the exchanges is compromised. So don't keep using one password for all exchanges or any website.

Check this thread below to keep your account safe.

- [Guide] Stay safe when dealing with Exchanges. (https://bitcointalk.org/index.php?topic=5054545.0)

Also, beware of phishing; this might be the reason why someone knows about your credentials.

Check this guide.

- [GUIDE] Use this for identifying Scam/Phishing Websites & Exchanges in Crypto (https://bitcointalk.org/index.php?topic=5122515.0)


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: mk4 on July 17, 2019, 09:02:26 AM
Not only on your exchange accounts, but on all the websites you use in general that have either money or sensitive personal information. Having 2FA is seriously a very small price to pay (just a slight hassle) in exchange for significantly increased security.

Also, use Google 2FA and not Authy.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: DdmrDdmr on July 17, 2019, 09:11:41 AM
<…> Also, use Google 2FA and not Authy.
What do you find specifically wrong with Authy to discourage its use?

I personally went from Google 2FA to Authy in order to be able to clone my 2FA setting on multiple devices in case my phone was either stolen or ended up broken. Of course you should also keep the backup code provided by each site, but I find Authy’s backup feature interesting.

Arguably, one could also vouch precisely against this feature, since the backup feature itself, even if encrypted as it is, could potentially be exploited at some point.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: nakamura12 on July 17, 2019, 09:52:30 AM
<…> Also, use Google 2FA and not Authy.
What do you find specifically wrong with Authy to discourage its use?

I personally went from Google 2FA to Authy in order to be able to clone my 2FA setting on multiple devices in case my phone was either stolen or ended up broken. Of course you should also keep the backup code provided by each site, but I find Authy’s backup feature interesting.

Arguably, one could also vouch precisely against this feature, since the backup feature itself, even if encrypted as it is, could potentially be exploited at some point.

Yes it's true that Google 2FA doesn't have a backup feature that will let you transfer from your phone to another phone if that case you mention might happen. I also don't see much of a problem with Google 2FA if a person is not too lazy to do the things you need to do when keeping a backup of the 2FA code in case your phone is broken or stolen. Since the time I learned about Authy I've been using it until now, so I also went from Google 2FA to Authy, but I still use Google 2FA; in short, I use both Authy and Google 2FA, with an Android emulator on the computer for the Google 2FA backup.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: mk4 on July 17, 2019, 11:21:33 AM
What do you find specifically wrong with Authy to discourage its use?

I should've worded that more clearly. It's not that I discourage the usage of Authy, it's just that I far recommend the usage of Google's 2FA app; and that's because with Authy, your backup is stored in the cloud. Yes, I think it's secure as it's surely encrypted, but I still find it inferior security-wise to Google's 2FA due to this reason.

tldr; Google 2FA > Authy > No 2FA at all, and backup your Google 2FA codes on paper

Yes it's true that Google 2FA doesn't have a backup feature that will let you transfer from your phone to another phone if that case you mention might happen.
You can import the 2FA to another phone if you've written down the backup code.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: TryNinja on July 17, 2019, 12:01:53 PM
Anything is better than Google 2FA (Google Authenticator).

I personally prefer andOTP (unfortunately Android-only) or Authenticator Plus. Both are open source, work well and have backup options (to anywhere you want).


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: Kakmakr on July 18, 2019, 07:35:00 AM
<…> Also, use Google 2FA and not Authy.
What do you find specifically wrong with Authy to discourage its use?

I personally went from Google 2FA to Authy in order to be able to clone my 2FA setting on multiple devices in case my phone was either stolen or ended up broken. Of course you should also keep the backup code provided by each site, but I find Authy’s backup feature interesting.

Arguably, one could also vouch precisely against this feature, since the backup feature itself, even if encrypted as it is, could potentially be exploited at some point.


Well, Authy has been exploited before, see this: https://99bitcoins.com/which-cryptocurrency-sites-are-impacted-by-authy-2fa-security-exploit/

and also

https://bitcoinist.com/authy-vulnerability-exposed-users-affected/

I also do not trust Google 2FA  ::)  - https://shahmeeramir.com/4-methods-to-bypass-two-factor-authentication-2b0075d9eb5f?gi=42d81178d781

https://techcrunch.com/2018/05/10/hacker-kevin-mitnick-shows-how-to-bypass-2fa/

I agree it is better to have a second layer of protection, but it is not to say that these technologies are bulletproof.  ;)


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: Lucius on July 18, 2019, 01:30:33 PM
It is true that using 2FA provides extra security, but as others say, it is not something that is 100% safe. In some hacking cases the user's 2FA is just bypassed, and then the user asks how something like that is possible. Hackers always work on cracking such security services because they know most users think that 2FA is some kind of ultimate protection.

I just read how hackers can bypass 2FA by using phishing, and I will quote the most interesting part:

The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.

Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and a legitimate website. Once Muraena has the victim on a phony site that looks like a real login page, users will be asked to enter their login credentials, and 2FA code, as usual. Once the Muraena authenticates the session’s cookie, it is then passed along to NecroBrowser, which can create windows to keep track of the private accounts of tens of thousands of victims.

So when it comes to crypto exchanges, users should be especially careful how they use 2FA; it can be safe until the moment you run into a trap like the one posted above.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: harizen on July 18, 2019, 02:25:07 PM
Recently I have been receiving emails saying that someone is logging in to some of my exchange accounts on which I didn't activate my 2FA settings. Although I don't have money in them, I now see how insecure they are without the 2FA settings being activated. So my advice to you is to activate your 2FA settings on any exchange you are trading on to avoid unwanted entries or hacking. Be safe.

Did they successfully log in to your accounts, or was it just an attempt?

In most cases, even without an activated 2FA, there should be some necessary steps required before a successful login, like email or phone confirmation, especially on an unrecognized device or IP.

And ever wonder why those hackers know that you have an account at the specific exchange? Stay away from joining mailing lists at random sites.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: CryptoInsights on July 18, 2019, 07:37:55 PM
I would like to highlight one thing: "Please check the URL of the browser before entering the credentials and 2FA". I faced this once, where I was logging in to an exchange and the URL was changed (I had not noticed), and I entered my credentials and 2FA and was hacked. When I noticed that the URL was wrong, I logged off, but I was hacked :-\

Please be careful while logging in. Keep a stronger password and please do enable 2FA.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: Little Mouse on August 04, 2019, 01:07:23 PM
Even 2FA isn't secure these days, although there's no safer way to protect your account. On Bittrex (probably, can't remember the name), someone lost his 2k euros even though he had 2FA set.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: OcTradism on August 04, 2019, 01:27:02 PM
It is true that using 2FA provides extra security, but as others say, it is not something that is 100% safe. In some hacking cases the user's 2FA is just bypassed, and then the user asks how something like that is possible. Hackers always work on cracking such security services because they know most users think that 2FA is some kind of ultimate protection.
I do think that 2FA is good and plays a key role in protecting exchange users' accounts, besides the security of users' devices. However, 2FA on the exchange account alone is not enough.
I do think that crypto investors/traders should set up two-hierarchical 2FA protection:
- One for their exchange account.
- One for the email that is used to register the account on the exchange.
It is very important to do this step:
- Don't log in to your exchange account and email on the same device.
Example:
If you have an email that is always logged in on your phone/tablet, whatever, you should not log in to your exchange account on that device.
Hackers can hack one of your devices, but it is too rare to hack all of your devices.
Personally, I never log in to my email / exchange accounts on mobile devices, just for security, and just in case.
(Hackers can hack my mobile devices when my kids play on my phones and unintentionally do stupid things, but they will get nothing, because I don't store any private details on my phones.)


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: Culiva on August 06, 2019, 09:01:02 PM
Recently I have been receiving emails saying that someone is logging in to some of my exchange accounts on which I didn't activate my 2FA settings. Although I don't have money in them, I now see how insecure they are without the 2FA settings being activated. So my advice to you is to activate your 2FA settings on any exchange you are trading on to avoid unwanted entries or hacking. Be safe.

Don't forget your recovery phrase too, in case something happens to your device.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: jossiel on August 07, 2019, 04:26:41 AM
I've received various notifications that one of my exchange accounts (no balance) has had login attempts from different countries. I might have been ignorant before about logging in on some forms, but now I'm more careful.

2FA really helps me. I use Google Auth, and at the same time, if the exchange you use has another 2FA option, use it. Also be careful with the websites that you sign up on.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: Rose_btc on August 07, 2019, 11:47:59 AM
I've received various notifications that one of my exchange accounts (no balance) has had login attempts from different countries. I might have been ignorant before about logging in on some forms, but now I'm more careful.

2FA really helps me. I use Google Auth, and at the same time, if the exchange you use has another 2FA option, use it. Also be careful with the websites that you sign up on.

I would like to highlight one more thing: it is always better to have 2FA enabled on our email accounts as well, as password resets or withdrawal confirmations on a few exchanges are done through email.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: Dread Pirate Roberts on August 07, 2019, 04:45:46 PM
Using 2FA is very necessary because hackers will most likely be able to get into our accounts by cracking our passwords or misusing our data on the internet. 2FA prevents the first stage of a hacker if he manages to get an access password from the account itself.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: OcTradism on August 17, 2019, 07:31:08 AM
Important note:

2FA is essential for your important accounts. Sure, you have to activate the 2FA feature for your accounts.

Steps to secure your accounts and money with 2FA:
- Create an account.
- Don't send money to the newly registered account.
- Activate the 2FA feature (write down the 2FA codes before clicking on the button to activate that feature).
- Uninstall the 2FA software, or create a new account in that software with the 2FA code backup.
- Use that 2FA code backup and try to log in to your account to check whether you wrote down the 2FA code correctly.

If you can log in to your account, it means you wrote down the 2FA code correctly, and you will be safe next time by using this in case you lose your phone.

It is dumb to back up the 2FA code but write it down incorrectly and not recheck/retest it; the backup is pointless in case you lose your phone.
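
The backup check in the last step of the post above can also be done offline. The following is an added example, not part of the original post: it assumes the site uses standard TOTP (RFC 6238 with HMAC-SHA1, 6 digits, 30-second steps, the Google Authenticator defaults) and that the backup is the base32 secret shown at setup. The function names are hypothetical and the sample secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

def decode_backup(written: str) -> bytes:
    """Turn a hand-written base32 backup secret into key bytes.

    Raises ValueError for characters outside A-Z / 2-7 (for example
    0, 1 or 8), which catches the most common copying mistakes.
    """
    s = "".join(written.split()).replace("-", "").upper()
    s += "=" * (-len(s) % 8)           # restore stripped padding
    return base64.b32decode(s)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed parameters, see lead-in)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F            # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def backup_matches(written: str, code_from_app: str,
                   unix_time: int, window: int = 1) -> bool:
    """True if the written backup reproduces the code the app shows.

    Allows +/- `window` time steps of clock drift between devices.
    """
    try:
        key = decode_backup(written)
    except ValueError:
        return False                   # not even valid base32
    return any(
        hmac.compare_digest(totp(key, unix_time + i * 30), code_from_app)
        for i in range(-window, window + 1)
    )

if __name__ == "__main__":
    import time
    # Constructed sample: the RFC 6238 test key, not a real account secret.
    paper = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    now = int(time.time())
    shown = totp(decode_backup(paper), now)   # stands in for the app's display
    print("correct copy:", backup_matches(paper, shown, now))
    print("O written as 0:", backup_matches(paper.replace("o", "0"), shown, now))
```

Run it on a machine you trust and keep offline while the secret is typed in, since anyone who obtains that secret can generate the same codes.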


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: Furryball on August 17, 2019, 06:00:30 PM
The best 2FA app is Authy because of its backup options that you can't find in the Google Auth app. Once the Google Auth app is broken, it's goodbye to all your auth codes and you will lose access to your exchange account.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: OcTradism on August 18, 2019, 05:36:40 PM
The best 2FA app is Authy because of its backup options that you can't find in the Google Auth app. Once the Google Auth app is broken, it's goodbye to all your auth codes and you will lose access to your exchange account.
The best one, Authy or whichever app, will not totally protect you from threats if you are carelessly using your devices and do not carefully back up your 2FA codes and store the backups safely.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: jjbanks994 on August 28, 2019, 06:06:45 PM
Thank you for your advice. Do we believe that 2FA is strong enough though? I thought that is what became compromised during the Binance hack


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: Pmalek on August 28, 2019, 06:13:06 PM
Thank you for your advice. Do we believe that 2FA is strong enough though? I thought that is what became compromised during the Binance hack
During a hack of an exchange it is usually the accounts that don't have 2FA enabled that get emptied. Those that do are safe. The only way to bypass 2FA is to replicate the SIM card and get the 2FA codes sent to the duplicated SIM card.


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: Daffadile on August 29, 2019, 12:19:06 AM
Thank you for your advice. Do we believe that 2FA is strong enough though? I thought that is what became compromised during the Binance hack
During a hack of an exchange it is usually the accounts that don't have 2FA enabled that get emptied. Those that do are safe. The only way to bypass 2FA is to replicate the SIM card and get the 2FA codes sent to the duplicated SIM card.

I am not sure how someone would hack your F2A, somehow reroute the code to the hacker somehow? I think F2A is pretty safe. Ledger is basically an advanced F2A and the new mewconnect also acts as an advanced F2A.
I am not sure if anyone has ever been hacked using F2A. It would be interesting to find out. Maybe someone who knows more than us can answer us?


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: TryNinja on August 29, 2019, 01:13:40 AM
I am not sure how someone would hack your F2A, somehow reroute the code to the hacker somehow? I think F2A is pretty safe. Ledger is basically an advanced F2A and the new mewconnect also acts as an advanced F2A.
I am not sure if anyone has ever been hacked using F2A. It would be interesting to find out. Maybe someone who knows more than us can answer us?
You mean 2FA, right? He is talking about SMS based 2FA, which is a terrible idea. Have you never seen this? https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: tbct_mt2 on August 29, 2019, 04:43:52 AM
2FA is not enough to secure your accounts, and more importantly, securing your accounts on exchanges by yourself is not enough. Exchanges can be hacked, and you are unable to secure exchanges by yourself.
In a nutshell, activating your 2FA on exchanges is a good step to enhance your accounts and the funds you store on exchanges if you want to trade.
Whenever you don't have plans to trade, i.e. when the market turns into a long-term bearish market, you should withdraw your funds from exchanges.
There you go:
Newbies - Read before using exchanges or investing (https://bitcointalk.org/index.php?topic=5178747.0)
Electrum wallet - Update safely and avoid phishing wallets? (https://bitcointalk.org/index.php?topic=5178675.0)


Title: Re: Always Use 2Fa For Your Exchange Accounts
Post by: akram143 on August 29, 2019, 05:54:33 AM
Thank you for your advice. Do we believe that 2FA is strong enough though? I thought that is what became compromised during the Binance hack
During a hack of an exchange it is usually the accounts that don't have 2FA enabled that get emptied. Those that do are safe. The only way to bypass 2FA is to replicate the SIM card and get the 2FA codes sent to the duplicated SIM card.

I am not sure how someone would hack your F2A, somehow reroute the code to the hacker somehow? I think F2A is pretty safe. Ledger is basically an advanced F2A and the new mewconnect also acts as an advanced F2A.
I am not sure if anyone has ever been hacked using F2A. It would be interesting to find out. Maybe someone who knows more than us can answer us?
Third-party authentication has been recorded as hacked, and there are actually some ways to hack it.

4 Methods to Bypass two factor Authentication (https://shahmeeramir.com/4-methods-to-bypass-two-factor-authentication-2b0075d9eb5f)