Best 2 Factor Authorization for Coinbase and Gemini

[jerry0]

Looking at coinbase, they have google authenticator.  I used it years ago with them but then my phone broke and I couldn't get into my account for a while until coinbase reverified me.  But was I suppose to write down a coinbase two factor google authenticator key?  Or was I suppose to take a picture?  Is this the preferred 2FA for coinbase?



On gemini, it seems they do not have google authenticator.  It seems authy is what they offer.  So that is what one should choose?  But when make this your 2FA, you need to write a code down right?  Or take a picture?



So google authenticator for coinbase and authy for gemini?



What happens if you have no access to your phone?  Do you need to make sure you have a backup copy of the code?



What if you have two phones?  Could you install it in both phones so in case something happens to your main phone, you still have it on your backup phone?



Want to set this up correctly for coinbase and gemini.

[1714689763]

1714689763

[1714689763]

1714689763

[1714689763]

1714689763

[jackg]

Yes you're meant to write down your secret key when you use authenticator apps. The exchange (if well known and regulated) will probably let you reset your account with 2fa enabled (especially if you have done kyc with them in the past or something indisputable - maybe phoning them or getting them to send something to your address might work too).

[Charles-Tim]

But was I suppose to write down a coinbase two factor google authenticator key?  Or was I suppose to take a picture?  Is this the preferred 2FA for coinbase?

For google authenticator, you will need to backup the QR code which can consist of some 2fa for some sites or all, depending on the one you marked or checked. Click on the three dots at the right upper corner of the google authentication app UI -> click on 'transfer accounts -> export accounts -> uncheck the ones you do not want to backup and click on 'next. The QR code pop up can be backup.

On gemini, it seems they do not have google authenticator.  It seems authy is what they offer.  So that is what one should choose?  But when make this your 2FA, you need to write a code down right?  Or take a picture?

You can use anyone you like or want, they work for one another. Do not let the name specified on a site like google or authy confused you, you can use any other authentication app of your choice.

What happens if you have no access to your phone?  Do you need to make sure you have a backup copy of the code?

Paper backup or other offline backup will be preferable. Having three offline backups in different safe locations.

What if you have two phones?  Could you install it in both phones so in case something happens to your main phone, you still have it on your backup phone?

Install on an airgapped device will be good. It is not good to have it installed on the device you are using, you should not have it installed especially the device that the exchange accounts are. If you phone is compromised, then if installed on the same phone, then the 2fa is likely also compromised with the exchange at ones so far both are accessed by the same device

Google authentication is close source, use open source one is the best as the source code is available for the public.

Example of open source authenticator:

• Aegis. I prefer Aegis
• andOTP

[jerry0]

Wait is the QR code a picture you take?  Or its numbers/characters you write?  Doesn't make sense if you take a picture of it... since well that picture would be on that phone of yours which will most likely be the phone that stops working.


How long or short is that seed phrase or code?  Can someone give me an example of how long it should look?  The thing is it can't be that much characters right?  And by that i mean like 50 plus... because you would need to write it down and make sure you it is correct and that is easy to make a mistake writing it.  And well you aren't suppose to store it online so you can't just copy/paste it to a password manager right?


I want to use two factor authorization on my phone so that would mean google authenticator or authy.

[Charles-Tim]

Wait is the QR code a picture you take?  Or its numbers/characters you write?  Doesn't make sense if you take a picture of it... since well that picture would be on that phone of yours which will most likely be the phone that stops working.

I will like you to read this:

https://www.reddit.com/r/privacytoolsIO/comments/e5qiz2/how_do_i_backup_aegis_authenticator/

I will recommend you to use Aegis, it is open source and working perfectly.

The QR code is only recommended for exporting on another device which you can also be able to do it on Aegis. For backup, on aegis, at the upper right corner -> click on the three dots -> then settings -> scroll down and click on 'export'. The files can be exported to a particular file location of your choice on your device which you can backup offline and delete from the file location. It can be in .json which will be advisable to be encrypted. It can also be in .json or .txt in unencrypted format.

[Falconer]

For google authenticator, you will need to backup the QR code which can consist of some 2fa for some sites or all, depending on the one you marked or checked. Click on the three dots at the right upper corner of the google authentication app UI -> click on 'transfer accounts -> export accounts -> uncheck the ones you do not want to backup and click on 'next. The QR code pop up can be backup.

Maybe it's a good step to take when we need to improve security for the better. We just need to have another device that isn't connected to the internet to save this backup, so I thought it would also be useful for those who like to carry their primary device with us everywhere they go. The steps are pretty straightforward, so a tutorial may not be necessary. They just need to set up another device to do it.

Wait, is it possible to export from GA to Aegis?

[Charles-Tim]

Wait, is it possible to export from GA to Aegis?

Yes, it is very possible. Using the above explained method of QR code, you can import the QR code into Aegis directly and it will work as fine. All you need to do is to press on the red + icon on Aegis and click on 'scan QR code' for the importation.

But I will prefer Aegis because I will be able to have my QR code backup in file format.

[passwordnow]

What happens if you have no access to your phone?  Do you need to make sure you have a backup copy of the code?

It is what it should be. You really have to write those codes as they'll serve as the backup whenever you lost your phone or you accidently uninstall the Google Authenticator. I have experience in GA but none with Authy. I've been using GA for years and even transferred to another mobile device with the use of those codes that I've copied. Just keep it somewhere safe and create a backup, maybe 2 or 3 more copies just in case your main copy is gone.

[o_e_l_e_o]

Authy is an awful choice. Do not use it. You are compromising both your security and your privacy if you do use it. See my previous post on this subject:

I was reading from here: https://www.twilio.com/legal/privacy/authy

If we cannot easily confirm that you are the rightful account holder of the Authy account associated with your old number, we will ask you for your phone account information and a copy of physical identification such as a drivers’ license, national ID, or passport, which we then use to confirm your claim to the account. From time to time, if there are other situations where we need to verify that you are the rightful account holder of your Authy account, our support team may require you to provide identity information like a drivers’ license, national ID or passport.

Emphasis mine. More worrying that just for account recovery, they may also lock you out of your 2FA account (and therefore all of your online accounts which use 2FA) and demand KYC "from time to time". How reassuring.

When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application or program you logged in to, that you logged in, and when.

They track your activity across all your accounts, linking that to your email address, phone number, and IP addresses...

Over the last year, we have shared Identifiers and Internet or other electronic network activity information with third parties, as we describe in this section.

...and they share it with third parties.

I don't understand the benefit of this service. It is the equivalent of a web wallet for 2FA: You are letting someone else handle all your codes, have the power to lock you out of your accounts, and invade your privacy, all for something you can do yourself easily, freely, securely, and privately.

Google Authenticator is closed source, owned by Google (and so almost certainly spying on you), and has unnecessary difficult and complicated back up procedures. Avoid it as well.

The best 2FA app is Aegis. It does not matter if Gemini say you must use X or Coinbase say you must use Y. Neither know which app you are using, the actual process of generating your 2FA code is identical across all apps. Aegis will work just fine.

When you set up 2FA, you will be a shown a QR code to scan with the Aegis app. You will also be shown a 16 character back up code made up of numbers and letters. Write this code down on paper, along with the name of the site and account for this code since you don't get them mixed up when trying to recover them in the future.

[Russlenat]

Authy has bad feedback here but I have been using this app for years now and have never experienced any problem. What I like about Authy is you can easily link the app to your phone and desktop, so if lost one of them, it's still accessible.

But thanks for sharing @o_e_l_e_o about the reputation of Authy.. sharing is caring, I'll read it for sure.

[Charles-Tim]

When you set up 2FA, you will be a shown a QR code to scan with the Aegis app. You will also be shown a 16 character back up code made up of numbers and letters.

This may differ from operative system, I am basically using Android for this.

On Google 2FA, no secret character again along with QR code as it was before. All there now is a QR code which can be exported.

On Aegis, I also thought I have seen the secret character along with QR code before but it was not there when I checked it recently not quite long. Probably this has changed in few released latest versions.

The easy means I used to get the secret code for backup is the method I explained above, but I prefer the .txt and delete it from my device after I back it up offline. You can clearly see each secret character if the .json or .txt for the unencrypted format. Or making use of scanner directly to also reveal the secret code for offline backup, I tried a scanner and it also worked, but best to be open source as well.

[NeuroticFish]

I use Aegis for a few years now and I'm happy with it. It's as good and easy as Google Authenticator, but it's safer (encrypted) and it allows you backup the data (it even makes automatic backups) or export it.
It's also open source. You can find more info and discussion about it here: https://bitcointalk.org/index.php?topic=5192978.0
Although I'm not affiliated with them, I recommend it.

[o_e_l_e_o]

This may differ from operative system, I am basically using Android for this.

The (usually) 16 character code isn't shown by the 2FA app - it is shown by the website or service you are setting up 2FA for. It should be shown alongside the QR code, or perhaps behind a "back up" button or similar. Only if the website doesn't show you the back up code (which should be a huge red flag in continuing to trust the security of that website) would you need to extract it manually from the QR code or from your 2FA app.

On Aegis, I also thought I have seen the secret character along with QR code before but it was not there when I checked it recently not quite long.

Long press on the entry you are interested in, click on edit, click on advanced, click on the reveal button next to the secret.

[jerry0]

Can you use aegis on both coinbase and gemini though?


This is used with the iphone correct?  I do not have a yubikey.


Someone suggested don't use authy for gemini.  Well that is certainly better than sms number right?  So what do I use there?

[SquirrelJulietGarden]

Aegis Authenticator, a decent alternative to Google Authenticator and Authy (it's good because it's open source)
2FA HW security keys, Yubikey & such
[TUTORIAL] Generate 2FA with Keepass (instead of Authenticator App)
2FA-Recovering your KYC Google Auth Keys. It is valuable topic because recovery is vital. Your device can be broken, lost so you will have to recover your 2FA and access to your wallet or account.

[o_e_l_e_o]

Can you use aegis on both coinbase and gemini though?

Yes. You can use any 2FA app on any site. Whatever the site "recommends" is irrelevant.

This is used with the iphone correct?

Aegis is Android only. Tofu is the best authenticator app for iPhones.

Someone suggested don't use authy for gemini.  Well that is certainly better than sms number right?

SMS is the worst possible option. Avoid it at all costs.

So what do I use there?

Aegis or Tofu.

[jerry0]

Wait you could use any two factor authorization on coinbase or gemini even though they only recommend like two options?  But gemini doesn't allow you to use google authenicator right?  I do use google authenticator for other sites and I find it okay.


Well I have no android so can't use Aegis.  Only have iphone.  I never heard of tofu.  I took a look at apple store and it has good reviews but not that many users.  So that is no concern?


Again I was planning to use google authenticator for both coinbase and gemini until they said they didn't have it for gemini. 


But can you use google authenticator, authy or tofu on both iphones?  So you have it in both phones in case one breaks?  But what do you need to write down as the backup?  Is it like a long security key or something?  Or is it a picture?  I know you need to write this down.


The thing that is confusing is people say coinbase gives you a backup key for google authenticator but can you write it down anytime?  Now if you were to lose access to it... same with authy with gemini, you eventually can get your account back right?  Because with coinbase, that happened to me a while back and I was able to get reverified with my documents without my broken phone etc.

[The Cryptovator]

I always write all my passwords and 2FA key into my personal notebook. And for 2FA I use another mobile device that always stays in the house. I just need a scan QR code from my device to another device, so all the codes copy into the new device. So you can use multiple devices as well. Coinbase supports mobile verification as well. You may use that, but there is a possibility to bypass code by contacting mobile operators. Usually does not happen, but there is a chance. Better to do so as I did. So you will have multiple backups.

[nakamura12]

I have used google authenticator and even made a thread on how to enable 2FA on a site using google authenticator before until I know about Authy which is mentioned and used by mant forum users here until some forum users have problems with Authy. Later on, I use both Authy and google authenticator where some sites only use google authenticator to enable the 2FA. As of now, I still use both authenticator. I haven't tried andOTP which is mentioned in this thread but I will surely try it.

[Charles-Tim]

The (usually) 16 character code isn't shown by the 2FA app - it is shown by the website or service you are setting up 2FA for. It should be shown alongside the QR code, or perhaps behind a "back up" button or similar.

Never mind this, but you have just explained how this can be extracted on Aegis directly  . I never thought it could be easily extracted like that on Aegis. But definitely 'no' on Google authenticator.

This is the usual way and the best is truly to backup the secret 16 characters from the website directly. I should have commented about this along instead of only commenting on how to get it extracted through .json or .txt file while using Aegis.