Bitcoin Forum

Other => Beginners & Help => Topic started by: jerry0 on February 11, 2022, 06:15:17 PM



Title: Authy and Google Authenticator Setup
Post by: jerry0 on February 11, 2022, 06:15:17 PM
Hi.  I would like to set up authy and google authenticator on gemini and coinbase.  I use iphone and use IOS.



Coinbase allows google authenticator but does it allow authy?  Gemini allows authy but does not allow google authenticator?  Is this true?  I did read you could still use authy on coinbase even though coinbase say they no longer allow it?



I only have experience with google authenticator as I have used it previously for sites and I find it good.  The thing is I used it on an older phone... which I do still have.  But I want to install the authenticators on a new iphone of mine.  I already downloaded google authenticator and authy on my new phone but didn't set anything up yet.  



However, the big issue is if you lose your phone or something happens to your phone, then you will have lot of issues restoring your account?  So each time you set up google authenticator with a site, there is always a secret key or something you need to write down correct?  So there is always a secret key for each site that you use it with?  But is there a secret key for your google authenticator itself?



So with authy, how does that work?  I downloaded authy on my iphone and first thing I see when I open it, it ask for my cell phone.  So I type my cell phone in to get an sms message right?  But I also hear with authy, that when you first set it up on your iphone, you need to create a password and you need to make sure you remember this password?  Thus you write it down?  But there is also a secret key that you need to write down correct... in case something happens to your iphone?  Or is it a secret key for each site you use authy with such as gemini etc.



I need to setup two factor authorization for both my coinbase and gemini accounts and want to know which authenticator I should use for each of these.  I want to also make sure I have a backup code for it.


Title: Re: Authy and Google Authenticator Setup
Post by: jackg on February 11, 2022, 06:31:25 PM
I've used authenticator so I can answer for that one. You get a key for the site which you can write down and import into the app to use. If you lose your key, the exchange will likely be able to recover your account (or at least return your funds back to wherever they were deposited to make a new account).

It's possible to import auth codes from your phone with authenticator on it too.


Title: Re: Authy and Google Authenticator Setup
Post by: TreyARC on February 11, 2022, 06:37:03 PM
I've used authenticator so I can answer for that one. You get a key for the site which you can write down and import into the app to use. If you lose your key, the exchange will likely be able to recover your account (or at least return your funds back to wherever they were deposited to make a new account).

It's possible to import auth codes from your phone with authenticator on it too.
Google Auth syncs with our Gmail accounts which makes it more reliable than others, you only lose access if your Gmail is compromised, about authy I'm not so sure it now supports backup.


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 11, 2022, 07:33:55 PM
Okay so I just notice something and think my situation might be a bit complicated.


Years ago, I had a coinbase account where my two factor authorization was google authenticator.  My phone eventually stopped working and I could not log into coinbase anymore.  I did not write down the coinbase secret key for backup.  Now eventually they were able to let me back in the account after sending in verification documents.


I remember during this time, I had also tried to use authy as my two factor authorization for coinbase but for some reason it didn't work.  But eventually I just use sms... yes i know people say you should not do this.




Now I mentioned I installed google authenticator and authy on my new iphone.  This is the phone where I will use the two factor authorization.  On my old iphone, I still have google authenticator and authy apps installed.  I notice when I open the google authenticator on my old iphone, coinbase shows up along with my coinbase email with that 6 digit code etc.  But I no longer use it and have used SMS since then.


My question is


Does that mean the coinbase in old iphone, google authenticator is useless?  Do I need to remove the coinbase account from my google authenticator first before i install the coinbase account in the new iphone for google authenticator?  I assume that is not necessary?  But isn't google authenticator associated with your personal gmail account?  So what happens if you connect it to same gmail account?  Or it has nothing to do with gmail account?  Thing is I have several gmail accounts on my phones.  Is this a big issue?



With authy... when I open it on my new iphone, it ask for a cell number.  I have a sms cell number that i can use with that.  However... when I opened authy on my old iphone... I do see coinbase account with it.  This is completely useless right?  Since I only use sms to get into my coinbase now?  But does that need to be removed?


But the bigger issue here seem to be when I click on my account on authy... it shows a cell phone number which I have access to.  But this is NOT the cell phone number I will be putting in my new iphone for Authy with gemini.  But the bigger issue is I notice right under the phone number in the authy in the old cell phone, its an email.  And I was planning to use this same email for authy on the new iphone.  Would there be any issue with this?  But when you first setup authy on the new iphone, it seem to only ask for a cell phone number.  Does it also later ask for an email?  My concern here is if I put my new SMS number and that same email... would it conflict with that authy in my old iphone since even though different phone number... its same exact email?  I don't believe I ever used that authy before.  Do I delete authy first on that old iphone


Title: Re: Authy and Google Authenticator Setup
Post by: vv181 on February 11, 2022, 07:49:11 PM
Coinbase allows google authenticator but does it allow authy?  Gemini allows authy but does not allow google authenticator?  Is this true?  I did read you could still use authy on coinbase even though coinbase say they no longer allow it?
Ideally, both applications should support it. Coinbase may say they are not supporting Authy, but according to this (https://help.coinbase.com/en/pro/getting-started/authentication-and-verification/what-two-step-authentication-apps-can-i-use), they state they are using TOTP-based 2FA, and Authy also supports TOTP[1]. Though, take it with a grain of salt since I didn't test it directly myself. You'd better test it on both applications.

[1] https://www.twilio.com/authy/features/totp

However, the big issue is if you lose your phone or something happens to your phone, then you will have lot of issues restoring your account?
Indeed, if you lost the 2FA token/key, you have to recover your accounts with the help of the respective platforms.

So each time you set up google authenticator with a site, there is always a secret key or something you need to write down correct?  So there is always a secret key for each site that you use it with?  But is there a secret key for your google authenticator itself?
Correct. The backup key or secret key from the platform is the thing you should write down/backup. So, if you lost it, you are able to recover the 2FA token on a new authenticator.

So with authy, how does that work?  I downloaded authy on my iphone and first thing I see when I open it, it ask for my cell phone.  So I type my cell phone in to get an sms message right?  But I also hear with authy, that when you first set it up on your iphone, you need to create a password and you need to make sure you remember this password?  Thus you write it down?  But there is also a secret key that you need to write down correct... in case something happens to your iphone?  Or is it a secret key for each site you use authy with such as gemini etc.

I need to setup two factor authorization for both my coinbase and gemini accounts and want to know which authenticator I should use for each of these.  I want to also make sure I have a backup code for it.
AFAIK, the password on Authy is required to encrypt your data locally as well as to back up the data on their server. So, you have to remember it. But it will be better if you also manually back up the 2FA recovery secret from the platform you are using.



My question is
~

One thing that is essential and necessary is to backup the 2FA recovery/secret code from Gemini or Coinbase. That is the safest thing that you should do first.

IIRC, I was once using Authy and as far as I can remember even if you registered the QR code from the same platform, even if you have already done that in the past and if you are doing it again(setting up a new 2FA), the Authy will not replace the older data, instead, it will create a brand new token/code even with a same title/description/name in the Authy.


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 11, 2022, 08:25:57 PM
How do I handle authy installed on my old iphone then?  Again, it has a phone number and an email connected to it.  I have no use for it anymore and want it removed.



The authy that I want to install on my new iphone which will act as my two factor authorization... I will be using a new sms number I have.  But I would want to use that same email I am using for that authy in my old iphone.  Would there be an issue with this?



Could I delete the authy account in my old iphone such as delete the account so there won't be any issue? 


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 11, 2022, 08:30:50 PM
When I click on security in gemini, at the moment I am using sms on it.


Under it... it shows two factor authentication



Authy app with multi-device enabled -   But it seems like you cannot click on it?  Only thing you can click on is Learn more? 


Security Key - You can click add on this one.




How do I even add authy or anything to it?  I do see API on the side but is that it then?



Title: Re: Authy and Google Authenticator Setup
Post by: khaled0111 on February 11, 2022, 08:33:36 PM
Google Auth syncs with our Gmail accounts which makes it more reliable than others, you only lose access if your Gmail is compromised, about authy I'm not so sure it now supports backup.
Where did you get this information from?! The Google authenticator app is not, and doesn't have to be, linked to your gmail or google account. It doesn't even need to be online to work and generate the verification codes.
You can make local back ups of your secret codes with Google auth but the advantage of using Authy is that it allows online back ups. This way, you can easily access and get your codes from different devices just by logging into your account. Besides, Authy is a bit more secure since it offers the possibility to lock the app with a pin code.


Title: Re: Authy and Google Authenticator Setup
Post by: bitmover on February 11, 2022, 08:38:00 PM
My question is


Does that mean the coinbase in old iphone, google authenticator is useless?  Do I need to remove the coinbase account from my google authenticator first before i install the coinbase account in the new iphone for google authenticator?  I assume that is not necessary?  But isn't google authenticator associated with your personal gmail account?  So what happens if you connect it to same gmail account?  Or it has nothing to do with gmail account?  Thing is I have several gmail accounts on my phones.  Is this a big issue?



With authy... when I open it on my new iphone, it ask for a cell number.  I have a sms cell number that i can use with that.  However... when I opened authy on my old iphone... I do see coinbase account with it.  This is completely useless right?  Since I only use sms to get into my coinbase now?  But does that need to be removed?


I think you are making things more complicated than they need to be.

Follow these steps:

1 - Do not touch your old phone which has authy installed. Do not remove anything
2 - install Authy in the new phone.
3 - Enable multi device in the old phone.
4 - Log into Authy in the new device with the same account you had in the old phone.
5 - Your old 2fa codes will be there in the new phone.
6 - Disable Multi device (for security)

If you need any SMS code, this has nothing to do with authy. Authy doesn't manage SMS codes.


Title: Re: Authy and Google Authenticator Setup
Post by: vv181 on February 11, 2022, 08:41:04 PM
Just try to log in on your new phone using the email. It will probably ask you for the password that you set up on the old phone. After you set up the account, you can change the number you have registered. I have tried it, not specifically changing a phone, but formatting my phone and then logging in again, and it did change the phone number.

But if you still want to delete your account first, see/refer to: https://support.authy.com/hc/en-us/articles/360002693873-Delete-an-Authy-account and/or https://authy.com/phones/change/. Either way, the above guideline might be worth trying.


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 11, 2022, 08:44:15 PM
So what I did was just enter my SMS number into my new iphone Authy.  Once I did that, I got a code sent to my same iphone since that is the new phone number I am using.  Once i entered it... it confirmed and now I see a gemini account added to my authy in my new iphone?


I then went to check my account on authy on new phone and it shows the new sms number I am using... and my email account.



Now... on authy on the old iphone... I only had coinbase added there and used another phone number and the same email that is now showing on my email on the new authy on new iphone.



So is there any issue with this?



The thing is how come when I check my gemini account on the computer... am i still using SMS at the moment for my gemini account?  There is no add authy on my gemini account on the gemini site so I am confused here.


As of right now, I'm still logged into my gemini account on the computer.


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 11, 2022, 08:56:10 PM
Can someone tell me right now... do I have authy on with gemini as of now or not?  This is beyond confusing.


Again I clicked on authy app on new iphone and put in my new sms number.  Then i got an sms code and typed that in authy.  Right after that, it showed gemini account and shows the codes for it.  How is this even possible?  Don't I need to first add authy on the gemini.com first?  The thing is I don't even see an option to click add on it on the gemini site.  Only thing I see add is the security key.


However, I do have gemini app on my iphone logged in though.  So could that be the reason?  I am as of right now... still logged into gemini on my desktop computer.  If I log out of gemini on the desktop, will it still send me sms as my two factor authorization... or will it ask for my authy?


Again the big thing here is.. the old authy app i have installed on my old iphone... i had used an older phone number for it... but the email with that old authy... is the same email that shows up on my new authy on my new phone. 


So what do I do right now? 


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 11, 2022, 09:05:36 PM
Also what makes no sense about this is when I set up authy on my new iphone, they never required me to create a password.  I thought this was always required?



So right now... I just went to my security settings on gemini website.



It does show right now my current method of two factor authorization is Authy app with multi-device-enabled.  So can someone confirm here this is how it is done?  I always thought you needed to add authy on the gemini website... then you scan the qr code or something like that.



Also when I click on the authy app right now on my new iphone, it shows a 7 digit code.  Is that normal?  I thought it was always 6 digit?  At least that is what I remember with google authenticator.



Can anyone here confirm everything is correct as of now?  I don't want to sign out of gemini on my desktop and have issue later on not being able to sign back on.



Also where is my backup code on authy for gemini in case something happens to my new iphone?  This is confusing because I thought when you first set up authy on your new iphone, first thing it should ask you for beside your sms number would be create a password for backup?  How come I didn't get that?
 


Title: Re: Authy and Google Authenticator Setup
Post by: nakamura12 on February 11, 2022, 10:24:44 PM
How do I handle authy installed on my old iphone then?  Again, it has a phone number and an email connected to it.  I have no use for it anymore and want it removed.



The authy that I want to install on my new iphone which will act as my two factor authorization... I will be using a new sms number I have.  But I would want to use that same email I am using for that authy in my old iphone.  Would there be an issue with this?



Could I delete the authy account in my old iphone such as delete the account so there won't be any issue? 
You can change the number you use in your authy. I have tried changing the number I used. It's easy enough to follow the instructions when you type the new phone number. First, you open authy app and go to settings. You'll see the email, phone number and authy ID. Second, tap the phone number and you'll see that there's a blank below the old number which you can type the new number then follow the instructions and once you complete it all then it will change once it is processed. You'll receive an email regarding the changing of phone number. If the phone number you used had already an account in authy but empty can still be used by merging it to the old phone number which you will confirm it on your email once you've done the first and second step. Remember, this is within the app.



It's your responsibility to make a backup of the security key so if ever something happens to your new iphone you can still get TOTP when you add the secret key to an authenticator.


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 12, 2022, 01:32:05 AM
Okay so as of now, seems like authy is my two factor authentication now.  I tried logging into gemini and it ask for my authy code and entering the code does work from my phone.


But what about authy on my old iphone?  I want to completely delete it.  Can I do this by just removing the app?  Or would removing the authy app on old iphone and reinstalling authy... make it have the phone number and email that is already there right now?


Now... how do I backup authy on my new iphone?  I do see in my account


Phone Number
Email Address
Authy ID  - 9 Digit Number



Do I need to make sure i write my authy 9 digit number down for the backup?


But isn't the backup on the Accounts tab on the bottom where I have to turn on Authenticator Backups?  Once I turn that on... is that where they ask me to create a password?  So then I have to make sure I write that password on paper and store it somewhere safe in case something happens to my phone?


Title: Re: Authy and Google Authenticator Setup
Post by: tranthidung on February 12, 2022, 01:32:38 AM
Google Auth syncs with our Gmail accounts which makes it more reliable than others, you only lose access if your Gmail is compromised, about authy I'm not so sure it now supports backup.
Since when and how do you think that syncing your data to Google Gmail, Drive make you safe?

It is not too hard to make a back up for your 2FA (Authy, Google Authenticator, Aegis Authenticator, whatever).
If you leave your 2FA back up on a third party service: Drive, Dropbox, etc, it means you break the idea behind 2FA. It should be kept as privately, secretly as possible and 2FA + its back up should be stored on another/ other devices, not on a same device you use that 2FA for your account.

Aegis Authenticator, a decent alternative to Google Authenticator and Authy (https://bitcointalk.org/index.php?topic=5192978.0)



Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 12, 2022, 02:52:46 AM
Okay.  Can someone here confirm this?


As of now, I am using authy as my two factor authorization to gemini.


Since I use IOS and iphone, I need to go Accounts > Turn on Authenticator Backups?


Then once I do that, type in a password and retype it again and make sure I have this?



So basically if anything happens to my iphone... as long as I have both the Authy 9 Digit ID and my password that I created, that is all that is needed to set up my authy account on another phone?


Also I hear that you need to disable multi-device as well?  So basically do the first part above.... then disable multi-device?


Now... what if you want to say install authy on two different devices though?  Can you do that... then disable multi-device?  So in a way its like okay if something happens to one of your two devices... you still have the other device.  But if something happens to both devices... well you still have the backup?  Or... you could only disable multi-device only if you have authy set up on one device?  I am reading mixed things on this part. 


Title: Re: Authy and Google Authenticator Setup
Post by: bitmover on February 12, 2022, 03:17:55 AM
Okay.  Can someone here confirm this?

Confirm what? You just typed a wall of text below, a just 3 consecutive posts before that.

We are trying to help you, but you write too much and it is confusing to understand.

Quote
Now... what if you want to say install authy on two different devices though?  Can you do that... then disable multi-device?
yes. You should use your old phone as a back up.

Quote
  So in a way its like okay if something happens to one of your two devices... you still have the other device.  But if something happens to both devices... well you still have the backup?

If you lose both devices and disable multi device feature, you cannot access your back up.

Quote
  Or... you could only disable multi-device only if you have authy set up on one device?  I am reading mixed things on this part.

You should disable multidevice when you have at least 2 devices logged into your alt account.
It can be your new phone and an old phone or a computer, etc.


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 12, 2022, 03:26:15 AM
Hi.  Well is it better to have authy installed on two devices or just one?  Because if you have it on two devices.. can you still disable multi-device or not?  I thought the answer to the second part is no... but you saying its yes?


So most people have authy installed in one device... and disable multi device right?  But they make sure they write a password and thus... you would need both the authy ID and the password in order to restore authy on another device in the future if something happen to your device?  I thought I read you should disable multi device so that way... someone can't do the sim swap since that would still be possible?



My confusion here is... how can you even disable multidevice... if you go and have authy in two of your devices?  Thus imagine new phone and old phone.  I thought you could only disable multi device only if you have authy installed in one device.



What about your Authy 9 digit ID?  Don't you need to write that down?  What about the password that you can create?  Don't you have to do that regardless of how many devices you install authy on?


But can you do this... Have authy installed on two devices... new phone and old phone.  Then turn on authenticator backups.  Then create your password.  Make sure you write that down.  But if you do this... would you disable multidevice or not?  Can you even disable multidevice?


I heard someone mentioned they have authy installed on two devices... and has a password for authenticator backup written down along with the Authy ID.  They did not disable multi-device.  So they basically have multiple backups?  Thus if one phone doesn't work, they have the other.  But if both phones don't work... as long as they have the Authy ID and authenticator backup password they created... they are fine?




But could you do the same above... but disable multi-device?  Then if something happens to both their phones... do they still have their backup of that Authy ID and authenticator backup password if they have that written down?


Title: Re: Authy and Google Authenticator Setup
Post by: o_e_l_e_o on February 12, 2022, 08:22:22 AM
I swear, never thought 2fa could get this complicated
jerry0 has a unique ability to make even the simplest things in to unsurpassable mountains of complexity.

I have answered pretty much all his questions in this thread already. Most succinctly here: https://bitcointalk.org/index.php?topic=5379158.msg58861546#msg58861546
I have also told him how awful a choice Authy is here: https://bitcointalk.org/index.php?topic=5379158.msg58858827#msg58858827

Here's what jerry needs to do:
  • Ignore all these old accounts and 2FA
  • Download Tofu
  • Set it up with his new accounts
  • Write down the 16 character codes for each account as back ups
  • Use iOS Finder to make a back up of his 2FA database


Title: Re: Authy and Google Authenticator Setup
Post by: o_e_l_e_o on February 12, 2022, 11:33:45 AM
If you worry so much about security concern since Authy have account/cloud feature
There is no good reason to ever use Authy. They have the ability to lock you out of your Authy account, thereby locking you out of every account which you use 2FA for, which is a massive red flag. And the only way to unlock your account in such a scenario? Complete KYC with them. ::) Oh, and they track your activity and share that info with third parties.

It's like someone said "Instead of keeping the keys to your house yourself, give them to me and I totally promise I'll let you use them when you need to. But I'll also let a bunch of other people know whenever you use them." It's a massive privacy and security risk. There is no good reason to use Authy when there are a multitude of open source apps which allow you to store your 2FA codes locally.

why don't you use different software such as Aegis[1] and andOTP[2] which only store the data on your device?
Both are Android only, while OP uses iPhone/iOS. This is why I suggested he uses Tofu, which is the best open source 2FA app for iOS: https://www.tofuauth.com/


Title: Re: Authy and Google Authenticator Setup
Post by: taufik123 on February 12, 2022, 03:25:57 PM
There is no good reason to ever use Authy. They have the ability to lock you out of your Authy account, thereby locking you out of every account which you use 2FA for, which is a massive red flag. And the only way to unlock your account in such a scenario? Complete KYC with them. ::) Oh, and they track your activity and share that info with third parties.
-snip-
I just found out the details about the Authy 2FA App, I've been using it for about the last 2 years and still haven't encountered any problems, because I've never deleted the app or moved it or Synced to a second phone.
But if you say that there's no reason to use Authy, maybe I'll give Aegis a try as you suggest.
Currently I am also still using Google Authenticator and Authy.
and now I'm thinking more about securing and updating my 2FA security though still haven't found any issues in Authy.


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 12, 2022, 05:39:17 PM
I swear, never thought 2fa could get this complicated
jerry0 has a unique ability to make even the simplest things in to unsurpassable mountains of complexity.

I have answered pretty much all his questions in this thread already. Most succinctly here: https://bitcointalk.org/index.php?topic=5379158.msg58861546#msg58861546
I have also told him how awful a choice Authy is here: https://bitcointalk.org/index.php?topic=5379158.msg58858827#msg58858827

Here's what jerry needs to do:
  • Ignore all these old accounts and 2FA
  • Download Tofu
  • Set it up with his new accounts
  • Write down the 16 character codes for each account as back ups
  • Use iOS Finder to make a back up of his 2FA database



Can you even use tofu with gemini?  With gemini, it seems the only two factor you could use is authy?  It doesn't show any other two factor option you could use when on security page... which is why i choose authy.  I also notice in all those screenshots, tofu seem to show only a 6 number code for the codes?  Gemini does 7 numbers though... that wouldn't be an issue?


I just took a look at tofu on IOS app store.  I never heard of it.  Again for two factor, i only heard of is google authenticator... which i used before and authy.  I heard of microsoft authenticator as well but never heard of other ones.  But can you use tofu on any site that allows two factor?



I want to use two factor on coinbase and gemini.  At the moment, im using authy now for gemini and it seem to be fine.  But how do i do backup in case something happens to my phone?  Is it what i mentioned where you need to write your 9 digit authy ID and also turn on authenticator backups and write a password and make sure you write that down?  Thus your authy ID and authenticator backup password... is basically your backup in case something happens to your phone?



Is this the correct way to backup authy?


I am currently using it with gemini without an issue.  First... make sure you go to Authy and write down the Authy ID.  


Then turn on Authenticator Backups... then you enter a password.


So you make sure you write down on piece of paper in case anything happens to your phone?


Authy ID
Authenticator Backups Password


Title: Re: Authy and Google Authenticator Setup
Post by: Yamifoud on February 12, 2022, 10:24:09 PM
Hi.  I would like to set up authy and google authenticator on gemini and coinbase.  I use iphone and use IOS.

I'm not sure if there is a conflict between the two but for me, having any of these two we are already safe. I'd used Google Authenticator for my account and it was fine. But I see a problem with this if I lost my phone as I didn't save the backup/recovery files to access just in case. Now, I was thinking to disable it and enable back to get the recovery phrases if that is possible to get a new one.
Well, the use of email verification will give help just in case 2FA won't work.


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 12, 2022, 10:31:51 PM
Can someone here confirm in my last post in bold... if that is the correct way to backup authy? 




Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 13, 2022, 06:08:51 PM
Gemini only advertises Authy for their two factor authorization.  How do you even use Tofu for Gemini then?


Also... can someone here confirm that is how I backup authy in what I posted in bold?


Title: Re: Authy and Google Authenticator Setup
Post by: vv181 on February 13, 2022, 08:06:22 PM
Gemini only advertises Authy for their two factor authorization.  How do you even use Tofu for Gemini then?
Seems Gemini is forcing their users to use Authy[1]. AFAIK the standard TOTP code usually has 6/8 digits, as listed on Tofu:

Compatibility Support for both counter-based and time-based one-time passwords with 6 or 8 digits using the SHA1, SHA256, and SHA512 algorithms
So, I think you can't use Tofu for Gemini 2FA.

[1] https://support.gemini.com/hc/en-us/articles/360030060432-Why-is-it-asking-me-for-a-7-digit-token-upon-login-

Also... can someone here confirm that is how I backup authy in what I posted in bold?
Yes, but you only need to keep the backup password.


Title: Re: Authy and Google Authenticator Setup
Post by: jerry0 on February 16, 2022, 08:47:53 PM
What two factor authentication are you guys using for coinbase?



Previously I used google authenticator.  Should I try to use that again or not?



Could I use authy for coinbase or not?  I want to make sure I have the backup code or whatever backup is needed in case something happens to my phone.  Also I believe google authenticator cannot be installed on multiple devices right?  So is Tofu the best option then for coinbase?


Title: Re: Authy and Google Authenticator Setup
Post by: bitmover on February 17, 2022, 05:44:07 PM
If you worry so much about security concern since Authy have account/cloud feature
There is no good reason to ever use Authy. They have the ability to lock you out of your Authy account, thereby locking you out of every account which you use 2FA for, which is a massive red flag. And the only way to unlock your account in such a scenario? Complete KYC with them. ::) Oh, and they track your activity and share that info with third parties.

I didn't know that about Authy. I will try to move to a different software. Which one do you recommend?

I prefer to keep my 2FA in the cloud in case I lose my devices (i don't keep funds under those 2FA accounts, just a lot of accounts with basically zero balance).

Can I keep my backup codes in Aegis servers?
Authy is amazing for me, because I keep my 2Fa codes in my android and in my windows devices. I just disable new devices, and I feel very safe about it.

Can Aegis disable new devices?


Title: Re: Authy and Google Authenticator Setup
Post by: RickDeckard on February 17, 2022, 10:21:01 PM
I prefer to keep my 2FA in the cloud in case I lose my devices (i don't keep funds under those 2FA accounts, just a lot of accounts with basically zero balance).
What is your opinion on making monthly/weekly/daily backups of your 2FA to your windows machine (or to any other machine of your liking?). If you would be open to this idea may I suggest the following:

  • 2FA application: Either Aegis Authenticator[1] or andOTP[2] - both of them are free and open source applications. There was a discussion on HackerNews[3] about Aegis where the top comments ended up comparing it to andOTP (which has been alive for more time than Aegis). Both of them also allow you to export an encrypted .json file that could be imported in the respective app (or others) in the event of you losing your device.
  • Sync application: My recommendation would be to use Syncthing - a free and open source application - which, according to their website, is "a continuous file synchronization program. It synchronizes files between two or more computers in real time, safely protected from prying eyes."

What I choose to do is whenever I add a new 2FA service I export my new updated (and encrypted) .json file generated to at least 3 new locations so that I can ensure there are enough copies kept in the unlikely event of losing access to (for example) 2 of those locations. This, of course, makes me run this procedure every time I add a new 2FA code but I think that the gains that I have of such action totally outperform the risks that I may incur. I'm not sure but I think you could automate this process by exploring the features that Syncthing offers as well...

[1] https://github.com/beemdevelopment/Aegis
[2] https://github.com/andOTP/andOTP
[3] https://news.ycombinator.com/item?id=25803996
[4] https://syncthing.net/


Title: Re: Authy and Google Authenticator Setup
Post by: o_e_l_e_o on February 18, 2022, 11:21:07 AM
Which one do you recommend?
Aegis for Android, Tofu for iOS.

I prefer to keep my 2FA in the cloud in case I lose my devices
Then you should stick with Authy. Backing sensitive data up to the cloud is a bad idea, and backing 2FA codes up to the cloud is an even worse idea, but if you want that functionality then you'll have to stick with Authy to do it smoothly. Good 2FA apps do not back up data to the cloud, instead supporting local encrypted back ups only. You could always upload one of these back ups to the cloud, but I wouldn't recommend it.

Can I keep my backup codes in Aegis servers?
Aegis does not have servers. It is all done locally, which is by far the most secure way of doing things.

Authy is amazing for me, because I keep my 2Fa codes in my android and in my windows devices. I just disable new devices, and I feel very safe about it.
But you place full control of your 2FA codes in the hands of a centralized authority.

Can Aegis disable new devices?
There is no way to "add" new devices without having access to your 2FA app or one of your back ups to copy the shared secret(s) from.

What I choose to do is whenever I add a new 2FA service I export my new updated (and encrypted) .json file generated to at least 3 new locations so that I can ensure there's enough copies kept in the unlikely event of losing access to (for example) 2 of those locations.
I have actually stopped using encrypted back ups at all. Now, instead, whenever I add a new 2FA account, I simply write down the shared secret on paper, just like I would with a seed phrase for a new wallet. If I lose or break my 2FA phone, then I can recover all my 2FA accounts from my paper back up.


Title: Re: Authy and Google Authenticator Setup
Post by: bitmover on February 18, 2022, 11:53:44 AM
Which one do you recommend?
Aegis for Android, Tofu for iOS.

I prefer to keep my 2FA in the cloud in case I lose my devices
Then you should stick with Authy. Backing sensitive data up to the cloud is a bad idea, and backing 2FA codes up to the cloud is an even worse idea, but if you want that functionality then you'll have to stick with Authy to do it smoothly. Good 2FA apps do not back up data to the cloud, instead supporting local encrypted back ups only. You could always upload one of these back ups to the cloud, but I wouldn't recommend it.

Can I keep my backup codes in Aegis servers?
Aegis does not have servers. It is all done locally, which is by far the most secure way of doing things.

The problem in doing things locally is that physical back-ups are risky as well.
A few years ago a thief broke into my house and stole my computer, tablet, external HD, and other valuables.
If my 2FA backup was there, I would lose all of them (only my phone survived this incident). I lost all my photos, for example, except those in the cloud (90% of them, thankfully).

My bitcoin private keys are really safe in physical backups and nobody could really find them, but  they are very important to me and I am not willing to put the same effort in those 2FA codes.

My 2FA codes are important, but I will just have some headaches if I lose them, I won't really lose any money.

I think RickDeckard's suggestion, to encrypt files in the cloud, might be a good idea.

I would really hate to send my KYC documents to Authy if requested, so they could sell them in the black market or to third party.


Title: Re: Authy and Google Authenticator Setup
Post by: dkbit98 on February 20, 2022, 09:38:42 PM
  • 2FA application: Either Aegis Authenticator[1] or andOTP[2] - both of them are free and open source applications. There was a discussion on HackerNews[3] about Aegis where the top comments ended up comparing it to andOTP (which has been alive for more time than Aegis). Both of them also allow you to export an encrypted .json file that could be imported in the respective app (or others) in the event of you losing your device.
A good thing about the andOTP app is that it can work even on very old smartphones; this is the only option that still works below Android 5.
It works even offline without an internet connection, and I suggest making an offline backup whatever app you use, but I know people are using KeePass for backup.
I trust any of these options much more than any cloud service.


Title: Re: Authy and Google Authenticator Setup
Post by: o_e_l_e_o on February 21, 2022, 09:24:17 AM
The problem in doing things locally is that physical back-ups are risky as well.
No back up will ever be 100% safe, but local back ups are far safer than cloud back ups.

A few years ago a thief broke into my house and stole my computer, tablet, external HD, and other valuables.
If my 2FA backup was there, I would lose all of them (only my phone survived this incident). I lost all my photos, for example, except those in the cloud (90% of them, thankfully).
What about a piece of paper with the codes written down hidden somewhere a thief would never find them? Tape them to the underside of your refrigerator, for example. Or maybe unscrew an electrical socket and hide them inside the wall cavity? There are plenty of places in your house in which a thief would never look.

I would really hate to send my KYC documents to Authy if requested, so they could sell them in the black market or to third party.
Which is why I would never use them. And even if you are never forced to send them your KYC details, they track things like your IP address, geolocation, which sites you are logging in to and when you do so, and share all that with third parties. You are essentially giving them the power to spy on all your crypto-related activities.


Title: Re: Authy and Google Authenticator Setup
Post by: RickDeckard on February 21, 2022, 10:57:13 PM
I would really hate to send my KYC documents to Authy if requested, so they could sell them in the black market or to third party.
Which is why I would never use them. And even if you are never forced to send them your KYC details, they track things like your IP address, geolocation, which sites you are logging in to and when you do so, and share all that with third parties. You are essentially giving them the power to spy on all your crypto-related activities.
If you let me o_e_l_e_o, I would like to point out what Authy claims[1] that they track (we don't know if it's all of it though) just to give other users an idea of what a "simple" 2FA app can track:
Quote
  • Your phone number, device information, and email address.
  • If you use an application that integrates our 2-factor authentication API, they will send us your phone number and email address so we can validate who you are on their behalf.
  • We keep a record of your log-ins to accounts for which you use Authy for 2-factor authentication.
  • We do not sell your personal information.
  • We use the information we gather from you to monitor for unusual or suspicious activity in your account, to communicate with you about your account, and as additional information that can be used to validate who you are if you need to recover your account or your account has been or may be compromised.
  • Websites and programs that integrate our 2-factor authentication API will be able to see information they sent us about you, your login activity to their website and program, your primary device type, and other device related information relevant to identifying unusual or suspicious activity, but they will not see any other websites or programs for which you use Authy.
  • We also share your information with our third party service providers as necessary for them to provide their services to us. We may also have to share your information with third parties if required to do so by law.
  • Your information will be transferred to the U.S.
I would also like to remember that just five years ago, a user reported on r/bitcoin[2] that if you had the multi-device setting ON, Authy wouldn't protect you in case a hacker gained access to your number (spoofing probably):
Quote
BY DEFAULT Authy allows any mobile device with access to the phone number associated to the Authy account to download and access the private keys for that account.
Even Coinbase published a blog entry advising users to disable this feature as soon as possible:
Quote
(...)Once you’ve installed Authy, we recommend disabling the Multi-device option. This means nobody can add a new Authy app to your account. (...)
Although this finding was quickly "fixed" - Authy applied a rule that, by default, would set that option to OFF to prevent abuses down the line.

By now you've probably noticed that I always prefer to use open source applications whenever possible and this is one of the reasons why - anyone can actually look into the code, inspect it to see if it does what it claims it does and it can be freely audited by whoever feels the need to do it. Authy is like a "black hole in a container" - as most closed source apps are - in the sense that we don't know what kind of information they are actually communicating and we will actually never know. And considering the goal of it - maintaining access to critical services of mine - I would much prefer to have that information in an application that I know is fully transparent with "me".

Closing note: If you would like to also have a 2FA application that would also provide you with password management services, look no further than Bitwarden - an open source application that can be self-hosted on your own device[4][5] allowing you to be the "holder" of any information that you so desire to keep in it.

[1] https://www.twilio.com/legal/privacy/authy
[2] https://libreddit.spike.codes/r/Bitcoin/comments/6eugqd/authy_by_default_will_not_protect_you_if_a_hacker/
[3] https://blog.coinbase.com/how-to-increase-your-coinbase-account-security-4b7164926631
[4] https://github.com/bitwarden/server
[5] https://bitwarden.com/help/install-on-premise-linux/


Title: Re: Authy and Google Authenticator Setup
Post by: o_e_l_e_o on February 22, 2022, 11:50:34 AM
If you let me o_e_l_e_o, I would like to point out what Authy claims[1] that they track (we don't know if it's all of it though) just to give other users an idea of what a "simple" 2FA app can track
On those lines, here's a post I made about Authy about a year ago which also picks out some interesting snippets from their Privacy Policy:
I was reading from here: https://www.twilio.com/legal/privacy/authy

Quote
If we cannot easily confirm that you are the rightful account holder of the Authy account associated with your old number, we will ask you for your phone account information and a copy of physical identification such as a drivers’ license, national ID, or passport, which we then use to confirm your claim to the account. From time to time, if there are other situations where we need to verify that you are the rightful account holder of your Authy account, our support team may require you to provide identity information like a drivers’ license, national ID or passport.
Emphasis mine. More worrying than just for account recovery, they may also lock you out of your 2FA account (and therefore all of your online accounts which use 2FA) and demand KYC "from time to time". How reassuring. ::)

Quote
When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application or program you logged in to, that you logged in, and when.
They track your activity across all your accounts, linking that to your email address, phone number, and IP addresses...

Quote
Over the last year, we have shared Identifiers and Internet or other electronic network activity information with third parties, as we describe in this section.
...and they share it with third parties.

I don't understand the benefit of this service. It is the equivalent of a web wallet for 2FA: You are letting someone else handle all your codes, have the power to lock you out of your accounts, and invade your privacy, all for something you can do yourself easily, freely, securely, and privately.

I would also like to remember that just five years ago, a user reported on r/bitcoin[2] that if you had the multi-device setting ON, Authy wouldn't protect you in case a hacker gained access to your number (spoofing probably)
I did not realize this, though. This is absolutely appalling. This reduces the security of your entire 2FA set up to that of SMS 2FA, which is by far the least secure method and which everybody should avoid at all costs. Phone numbers can be stolen or phished in under 5 minutes and a single phone call to your carrier.

So you go to all this effort to set up Authy, knowing that despite the flashy interface and nice promises, you are only as secure as the worst 2FA method available, they spy on you, and they can lock you out and demand KYC at any time. Unbelievable. Why do people use this trash?


Title: Re: Authy and Google Authenticator Setup
Post by: Bobrox on February 22, 2022, 02:13:14 PM
Coinbase allows google authenticator but does it allow authy?  Gemini allows authy but does not allow google authenticator?  Is this true?  I did read you could still use authy on coinbase even though coinbase say they no longer allow it?
Looks like a misunderstanding about Authy being available for Coinbase accounts. I don't know if new users can't apply with Authy, but I created a Coinbase account about four years ago and successfully connected 2FA with Authy; on the Play Store the application has a red color, and I use that Authy application for my Coinbase account. Maybe new rule have now allowed, but my account still exists using Authy, and it has great security with the Coinbase exchange: not only is the 2FA code needed, but an SMS to a mobile phone number is asked for and a confirmation by email at each login.