SMS verify, Authenticator Apps, Passkey. Which do you prefer?

[Comeacross]

Scammers don't hack your Bitcoin, they hack where you keep your coin. This means the security of your account is now determined by the types of 2FA you use.

SMS 2FA is linked with your mobile phone number. You receive message with a code to log in to your account if you have it enabled but this method is defeated with sim swap attack. If attackers succeed in swapping your sim, they will be the one receiving the code and your account might be at risk.

Authenticator Apps are time based codes generated on your device. It has no business with your sim. It's much better than SMS 2FA but it's free from risk. Phishing sites, malwares and cloud sync makes it vulnerable too.

Passkey is linked to your device. If you have it enabled, you can only perform action on your account only if you have access to the device you registered it. It does not work with code or sim but with the security key on your device. Passkey is phishing proof by design.

If possible, activate multiple 2FA to safeguard your account. Scammers usually target the weakest link between you and your coin and 2FA is that link. You should choose wisely.

[promise444c5]

I prefer Passphrase and keeping my Seed safe..

[Zaguru12]

Do you know that 2FA most of the times uses your email address or at most some digital codes which you should keep save. All this are third party applications which are never safe. The best option still remains using custodial wallet and it should be cold wallet. Thereby you keep your phrases (seed phrase or pass phrase) safe. There is no better security than that.

[Cricktor]

Scammers don't hack your Bitcoin, they hack where you keep your coin. This means the security of your account is now determined by the types of 2FA you use.

That sounds an awful lot like you're talking about custodial crypto coin storage with accounts on some centralized exchanges or whatnotelse.

Use non-custodial hot software wallets only for small amounts of value. Only for what you could afford to loose. I don't recommend to use your internet shit daily driver computer for crypto coin wallets.

Larger amounts of value should be secured with a hardware wallet or via offline cold signing devices. Get used to do some decent security for your non-custodial wallets.


Anyway, SMS 2FA isn't quite state-of-the-art anymore and should be avoided. Some mobile phone providers have been tricked to issue replacement SIM cards that fell into possession of attackers. If that happens, your SMS 2FA is worthless as an additional security factor.

I prefer 2FA authenticators (TOTP) that are open-source and allow to export 2FA secrets and commonly I setup a 2FA on multiple devices so that I've in many cases a backup. I also write down the 2FA secret manually in case I need to recreate a 2FA account on another device.

I also like passkeys because phishing doesn't work with passkeys. I recommend to use a decent password manager that's capable of managing passkeys, too. Makes life a lot more comfortable.

[promise444c5]

Thereby you keep your phrases (seed phrase or pass phrase) safe. There is no better security than that.

That should be “And” not “Or”.. Once you use a passphrase, you need to keep both seed and passphrase Safe.


To OP, when you do not own the keys..apart from worrying about someone breaking into your storage, you need  to worry about the service keeping  those BTC safe for you. They hold your “balls” and can decide to play with it at anytime .

Reputable ones won’t really do anything without any questionable activity with your account but you can’t still trust them entirely so only put what you need for trades there.

For the security part I prefer 2FA and Authenticator at the same time on my CEXs  account.

[Mia Chloe]

~snip

2FA on authenticator applications can seem fun and quick until you lose your device and discover how much of a pain in the ass it can be. I'll Go with pass phrase it's the best 2FA seems kinda safe but people are forgetting the first 2FA authenticator that crosses their minds is the Google authenticator.

2FA isn't overly necessary and most open source decentralized softwares don't really use them in the first place. Biometrics too is something I don't fancy except it an on the go kinda hot wallet.

[Patikno]

I strongly avoid using Passkey as additional security. As far as I know, Passkey still requires an internet connection (online) to use. SMS 2FA is also less effective in my opinion, because the provider is still involved (can monitor). I prefer using Authenticator, or 2FA, that can be stored offline. However, it is important to note, that Authenticator must be synchronized with the default time on your device.

Well, everyone is free to choose additional security for their personal accounts, or for various security purposes. However, you should always be wary of things, that could expose you to cyberattacks.

So, I recommend choosing security layer, that is more difficult to hack, and I think an authenticator can be stored offline; is the best choice. Cmiiw.

[BitMaxz]

If your goal is to protect your wallet, you don't need those authenticators; instead, you can use your own cold storage wallet, which is immune to all attacks except physical ones; however, because your device is always in your home, this is much safer than using 2FA.

SMS or 2FA will not guarantee my protection; an offline wallet is still preferable, and 2FA would provide an additional layer of security.

[KiaKia]

I don't prefer SMS verification
Or Authenticator apps or even passkey

Because I don't need them to keep my Bitcoin safe.
All I need to do is keep my recovery seed offline, this is the only security protocol I need.

Remember, passkey has a problem, the moment you lost your device you aren't getting the passkey back.
The biggest mistake you can make is keeping your coins via a platform where you need your phone or sim card to access your coins.


Sim swap attack is still a big threat, avoid all these and get a open source, airgapped hardware wallet and keep your recovery seed away from the internet, that's all.

[BlackBoss_]

SMS is a quick method because you might have issues of receiving SMS messages sometimes. In addition, there is risk of SIM swap attacks: [BEWARE] Sim Port Attack

With applications for your 2FA, you will need to choose open source applications, and ignore close source applications. Google Authenticator application is close source, and I don't recommend it. There are open source 2FA applications like Aegis.

Aegis Authenticator, a decent alternative to Google Authenticator and Authy.
https://getaegis.app/

[Asuspawer09]

The best way to put it, all of these are extra layer protection, and they all work. I use all of it of different applications and wallets.

The right thing to do is to put everything on if you want to actually increase the security. The more security you have, the more difficult it is for hackers or scammers to hack your wallet or account. So there was no other way to put it, use all of it, and security for sure is going to increase as well, of course it is going to be a inconvenience for most people, convenience and security have advantage and disadvantage but if we are going to all talk about security then use it all.

And I would prefer to use it all especially on my main wallets, but there are only some that is going to be used on other platforms, and sometimes you cannot turn it on all at the same time. On Binance I think I need all most of this sms, authenticator, email etc. in order to just do a withdrawal, it is a huge inconvinient but It was worth it since it's a security.

[noorman0]

Scammers don't hack your Bitcoin, they hack where you keep your coin. This means the security of your account is now determined by the types of 2FA you use.

You said "your account," which sounds like a third-party managed wallet. So, it's wrong to say that 2FA is the only security measure. Server and hot wallets hacks, and rogue employees are all constant threats, rendering all three 2FA options useless. You'd be wrong to put any portion of your portfolio there in the first place.

[Nathrixxx]

If possible, activate multiple 2FA to safeguard your account. Scammers usually target the weakest link between you and your coin and 2FA is that link. You should choose wisely.

Once I'm activated upon the use of 2FA, I don't think there will be much issue regardless of the type I'm using to verify my identity, most people don't know that this is one of the highest way to preserve ourselves from any form of attack when this scammer try to gain access to our assets, it may be easier for them to pass through the first entry route, but obviously going to be more difficult once there is a second one to Grant them the final permission and that is where the 2FA comes in, while I prefer authentication app and passphrase.

[Bitcoin Smith]

Scammers don't hack your Bitcoin, they hack where you keep your coin. This means the security of your account is now determined by the types of 2FA you use.
~

How about starting with no custodial app, such as an exchange where you need 2FA or some kind of authentication but in self custody you get the private key or seed phrase that is generated locally and can be kept in that way forever and all you need is never ever connect the device to the internet that ensures the complete security of your wallet.

[pawanjain]

Scammers don't hack your Bitcoin, they hack where you keep your coin. This means the security of your account is now determined by the types of 2FA you use.

SMS 2FA is linked with your mobile phone number. You receive message with a code to log in to your account if you have it enabled but this method is defeated with sim swap attack. If attackers succeed in swapping your sim, they will be the one receiving the code and your account might be at risk.

Authenticator Apps are time based codes generated on your device. It has no business with your sim. It's much better than SMS 2FA but it's free from risk. Phishing sites, malwares and cloud sync makes it vulnerable too.

Passkey is linked to your device. If you have it enabled, you can only perform action on your account only if you have access to the device you registered it. It does not work with code or sim but with the security key on your device. Passkey is phishing proof by design.

If possible, activate multiple 2FA to safeguard your account. Scammers usually target the weakest link between you and your coin and 2FA is that link. You should choose wisely.

Why do we need 2FA to protect our bitcoin while we already have a seed phrase for it.
Just make sure you keep the seed phrase and you are good to go. No 2FA drama needed.
But yeah, if we talk about other things like our social media or google accounts then I do prefer 2FA using authenticator apps.

[SeriouslyGiveaway]

Why do we need 2FA to protect our bitcoin while we already have a seed phrase for it.
Just make sure you keep the seed phrase and you are good to go. No 2FA drama needed.
But yeah, if we talk about other things like our social media or google accounts then I do prefer 2FA using authenticator apps.

If bitcoins are stored in non custodial wallets, we will be able to secure our coins with wallet seed phrase and passphrase (if we want to use additional passphrase). We will not need 2FA for our wallets but wallets like Electrum provides 2FA that is a third party service from TrustedCoin but we actually don't need to use that.

If we want extra security, we can move from single signature wallet to multi signature wallet and use co-signers for securing our bitcoins better.

[HansalScripts]

I’d probably just use an authenticator app. SMS feels kinda risky with all that sim swap stuff. Passkey sounds cool but I haven’t tried it yet. Maybe do both if you can—just don’t lose your phone, lol.

[Luzin]

Remember, passkey has a problem, the moment you lost your device you aren't getting the passkey back.
The biggest mistake you can make is keeping your coins via a platform where you need your phone or sim card to access your coins.

When I am on CEX, the combination of Passkey + Authenticator App + Withdrawal Whitelist is the main choice. There are many options for Passkey, usually using biometrics (fingerprint, Face ID) or device PIN. Is it like that? Losing your device will be difficult? Yes, everything has risks, but we can prepare backup devices or secure recovery mechanisms. The more complex the security, the harder the recovery if you encounter problems. So we need to be prepared with device management and account recovery processes if your device is lost. IMO

[noorman0]

I’d probably just use an authenticator app. SMS feels kinda risky with all that sim swap stuff.

There are several authenticator apps that use mobile phone numbers for recovery, one of which is Authy (if I'm not mistaken). The security level is similar to using SMS OTP as 2FA. It's best to use an authenticator app that doesn't rely on third-party services.

[dkbit98]

I would stay away from anything connected with SMS and your phone number.
2FA apps are a good option if open source apps are used, instead of usual g00gle app.
Passkeys are a good idea but only with Yubikey (instead of face scan), but not all websites and services support them.