Bitcoin Forum
Author Topic: How to safely login to Crypto exchange on web without username and password  (Read 140 times)
Cookdata (OP)
Hero Member
*****
Offline Offline

Activity: 938
Merit: 876


Not Your Keys, Not Your Bitcoin


View Profile
October 23, 2021, 01:48:47 PM
Merited by DdmrDdmr (3), Charles-Tim (1), Hispo (1)
 #1

Optimization and development always make things easier and more efficient, and crypto exchanges aren't left behind when it comes to improvement, especially when it comes to how to protect users and their income.
This is a basic guide on how to safely log in to crypto exchanges without entering a username and password, using the integrated QR code on the webpage. This feature is popular on a few exchanges such as Kucoin and Binance, but for demonstration, I will be making use of Binance.

You need to be logged in to the exchange app on your device to be able to use this feature.

Kindly go to the Binance website and access the login page, and you will see a portal where you will be asked to log in. On the right-hand side, you should see an alternative login where a QR code will be made available to scan.




Enter your Binance app that's already logged in on a device, and click on the top right-hand side of the app on the icon that looks like two closed brackets: []




As soon as you scan the QR code, the web page will check it and ask you to confirm the login from your device.




On your device, a permission authorization will be required. The IP address, location, and device should be authorized.




As soon as you click AUTHORIZED, you will be successfully logged in on the web without any input of sensitive data such as email, username, mobile number and password.


Jawhead999
Legendary
*
Offline Offline

Activity: 1652
Merit: 1158



View Profile
October 23, 2021, 02:49:08 PM
 #2

To be honest, I don't really know how the QR code works here. In my understanding, when your phone scans the QR code, your phone should be transferring your account data to the website... if the data on your phone matches the website server, you will be able to log in, and vice versa. What I'm wondering is what data is transferred to the website when you scan the QR code? What if you scan a QR code on a phishing site: could the phishing site read your information or not?

SquirrelJulietGarden
Hero Member
*****
Offline Offline

Activity: 1316
Merit: 727



View Profile
October 23, 2021, 03:07:19 PM
 #3

A QR code is only another visual display of your identity, and if you breach it to others, you will lose your account. That is the same as when you breach your password to others.

A QR code is only more convenient to use for lazy people. If I want to log in to my account, I will type my password, and I don't mind to use a QR code. It takes me a little bit of time, but I feel safer than using a QR code.

DdmrDdmr
Legendary
*
Offline Offline

Activity: 2310
Merit: 10759


There are lies, damned lies and statistics. MTwain


View Profile WWW
October 23, 2021, 03:48:14 PM
Merited by Charles-Tim (1)
 #4

I was curious as to how this login procedure actually worked. I didn’t find a specific Binance explanation, but this site describes what’s behind what’s called a mobile-to-web cross-login with a QR code:
https://backendless.com/how-to-implement-mobile-to-web-cross-login-using-a-qr-code/

The basis is that of a kind of 2FA, involving the following steps:
Quote
The overall process consists of the following steps:

1.   The initial page of your web application makes a request to the server to generate a QR code.

2.   A custom API service generates a QR code with an encoded unique value. In this case, that value is the name of a Backendless messaging channel. The service returns the QR code and the name of the channel channelName to the web app.

3.   The web app downloads the generated QR code and displays it on the web page. Then the web app connects to the messaging channel and waits for a message. The message will be sent by the Android app later (step 5).

4.   On the Android app, a user logs in to Backendless with their user name and password. As a result of the login, the Android app receives userToken, which uniquely identifies the user and his/her session.

5.   The user using the same Android app scans the QR code from the web page screen, receives the messaging channel and sends the userToken into the channel.

6.   The web application receives the message which contains the userToken. The token can be used for the API calls made in the web app as it now will carry the user’s identity.

I’m wondering if a fake Binance web page could take advantage of the above procedure somehow, and/or whether Binance's specific topology can ensure that valid Binance channel IDs cannot be created outside of their topology.
PrimeNumber7
Copper Member
Legendary
*
Offline Offline

Activity: 1624
Merit: 1899

Amazon Prime Member #7


View Profile
October 23, 2021, 09:37:47 PM
 #5

Quote
I was curious as to how this login procedure actually worked. I didn’t find a specific Binance explanation, but this site describes what’s behind what’s called a mobile-to-web cross-login with a QR code:
https://backendless.com/how-to-implement-mobile-to-web-cross-login-using-a-qr-code/

The basis is that of a kind of 2FA, involving the following steps:

I don't think this is an implementation of 2FA, as the end-user only needs a single means of authentication to access their Binance account. Although to be fair, someone will have to be already logged in for them to gain access to their account.

Quote
I’m wondering if a fake Binance web page could take advantage of the above procedure somehow, and/or whether Binance's specific topology can ensure that valid Binance channel IDs cannot be created outside of their topology.

There is the potential for a MITM-type attack. The means to prevent a MITM attack is for Binance to ask the user to confirm the new device's IP address, geolocation, and device type.
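
The steps quoted in post #4 and the confirmation step mentioned in post #5, sketched as an added example (not code from the thread, Backendless or Binance, whose real implementation is not described here). It differs from the quoted flow in that the app's token never reaches the web page: the server records which browser requested the QR code, shows that context to the app user, and issues the web login itself only after approval. The class and method names, the 60-second lifetime, the binding to the requesting IP and the sample addresses are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 60  # assumed lifetime of a displayed QR code, in seconds

@dataclass
class QrSession:
    ip: str        # address of the browser that requested the QR code
    device: str    # its device / user-agent summary
    created: float
    state: str = "pending"  # pending -> scanned -> authorized/rejected -> consumed
    user: str = ""

class LoginServer:
    def __init__(self):
        self.sessions = {}

    def create_session(self, ip, device, now=None):
        # Steps 1-2: the QR code carries only a random one-time session ID.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = QrSession(ip, device, time.time() if now is None else now)
        return sid

    def scan(self, sid, app_user, now=None):
        # Step 5, changed: the app sends the scanned ID to the server over its own
        # authenticated connection and gets back the requesting browser's context.
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None or s.state != "pending" or now - s.created > SESSION_TTL:
            return None
        s.state, s.user = "scanned", app_user
        return {"ip": s.ip, "device": s.device}

    def decide(self, sid, app_user, approve):
        # The user authorizes or rejects after comparing that context with the
        # browser in front of them.
        s = self.sessions.get(sid)
        if s is None or s.state != "scanned" or s.user != app_user:
            return False
        s.state = "authorized" if approve else "rejected"
        return approve

    def poll(self, sid, ip):
        # Step 6, changed: the server issues the web login itself, once, and only
        # to the address that requested the QR code.
        s = self.sessions.get(sid)
        if s is None or s.state != "authorized" or s.ip != ip:
            return None
        s.state = "consumed"
        return s.user
```

A QR code that was requested by some other machine appears in the confirmation prompt with that machine's address and device, so the prompt is only as strong as the user's habit of reading it before authorizing.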
BitMaxz
Legendary
*
Offline Offline

Activity: 3248
Merit: 2971


Block halving is coming.


View Profile WWW
October 24, 2021, 12:04:01 AM
Merited by DdmrDdmr (6), Jawhead999 (1)
 #6

Quote
To be honest, I don't really know how the QR code works here. In my understanding, when your phone scans the QR code, your phone should be transferring your account data to the website... if the data on your phone matches the website server, you will be able to log in, and vice versa. What I'm wondering is what data is transferred to the website when you scan the QR code? What if you scan a QR code on a phishing site: could the phishing site read your information or not?

According to Binance, if you receive a QR code from someone pretending to be one of the Binance staff (fake Binance staff), then they can have control of your account.

Read this https://www.binance.com/en/blog/421499824684902831/p2p/how-to-identify-and-avoid-common-crypto-imposter-scams
then go to "5. The QR Code Scam"

It seems it's not safe to use a QR code; it would be better to use two 2FA codes than to log in directly with a QR code.

cryptoaddictchie
Legendary
*
Offline Offline

Activity: 2072
Merit: 1315



View Profile
October 24, 2021, 02:56:03 AM
 #7

I've always seen this QR code option, actually, but of course, with a lot of speculation about how dangerous this kind of login is, I never tried it. But thanks to OP for showing this approach. Maybe I'll try it with a dummy account instead, just for the experience.

Quote
A QR code is only more convenient to use for lazy people. If I want to log in to my account, I will type my password, and I don't mind to use a QR code. It takes me a little bit of time, but I feel safer than using a QR code.

Actually this is better. This kind of option is for those who are in a rush or in need of fast signing up. But totally, a split second could be a big change in terms of security. So really it's better to do the password one.

WePiggy
Member
**
Offline Offline

Activity: 71
Merit: 12

“In Piggy, We Get Rich!”


View Profile WWW
October 24, 2021, 10:44:52 AM
 #8

The more accessible your account is, the less safe it becomes. The tried and tested manner of using the scrollbar captcha + 2FA (Google authenticator) is the best option for security and simplicity. Turning off SMS authentication, and forcing 3FA for withdrawals (auth + email) has probably saved a lot of traders from a lot of losses.

For a smaller daily-use trading account I guess it would be OK though; it gives quicker access for minute-to-minute trades.
