Securing your crypto funds: Exchanges add support for hardware 2FA

Cryptocurrency exchanges explain different ways users can protect their crypto funds against increasing phishing attacks.

Phishing scams are becoming increasingly common as criminals use emails, text messages and phone calls to trick victims into providing them with personal information. 

According to the National Cyber Security Centre in the United Kingdom, 29 million phishing scams have been reported since the beginning of 2024.

Blockchain security platform Scam Sniffer further found that over 324,000 crypto users fell victim to phishing scams in 2023. The “2023 Wallet Drainers Report” noted that around $295 million in digital assets were lost to wallet drainers in 2023.

As phishing scams rise, some cryptocurrency exchanges have started to encourage users to incorporate specific devices to protect their funds.

Crypto exchanges recommend a second security layer

Jacob Klein, director and head of trust and safety at Coinbase, told Cointelegraph that Coinbase was one of the first crypto exchanges to provide YubiKey compatibility.

While Yubico introduced YubiKey devices in 2008, some crypto exchanges began allowing customers to use them following the first major bull run in 2019.

“YubiKey devices are the most secure form of authentication that we provide,” said Klein.

According to Klein, YubiKey devices can serve as a form of two-factor authentication (2FA), which Coinbase requires.

“This would mean a user would have to use their physical YubiKey device to access their account,” he said.

This can be helpful, as Klein noted that account passwords can get lost or even breached in phishing attacks.

“With all the phishing scams taking place, the question users must consider is, ‘How can I avoid myself from getting hacked?’ This is why a YubiKey may seem like the obvious and best solution to protect crypto funds,” he said.

Cryptocurrency exchange Binance also introduced YubiKey devices to users in 2019.

Jimmy Su, chief security officer at Binance, told Cointelegraph, “Having physical access to the YubiKey is what makes it the most secured 2FA method. The only way an attacker can bypass this is to gain access to YubiKey. This is in contrast to passing a one-time-password code via SMS or email, which is much more susceptible to phishing attacks.”

Passkeys can also protect against phishing attacks

While YubiKey devices may be one of the best measures to protect against phishing, crypto exchanges have recently adopted newer solutions for users.

For example, Klein shared that Coinbase supports a new form of MFA called “passkeys,” which are “a form of user authentication that uses a cryptographic technique linked to a user’s device, like their smartphone.”

According to Klein, any Coinbase user can turn on the passkey option when accessing their account.

Khaja Ahmed, the chief information security officer at cryptocurrency exchange Gemini, told Cointelegraph that Gemini also recently released support for passkeys, stating, “Since passkeys don’t involve an external physical device, they are somewhat more convenient than a physical YubiKey.”

Tom D’Eletto, head of product at crypto security platform Arculus, told Cointelegraph that while software passkeys are a step in the right direction, a hardware-bound passkey — whether it is a USB dongle or an NFC-enabled card — is the gold standard for security.

D’Eletto explained that “FIDO2” is an open standard used by both passkeys and YubiKeys. He shared that Arculus recently implemented its own FIDO2-certified keys, which come in the form of a metal credit card.

The first YubiKey using the FIDO standard was released in 2014.

“USB hardware keys [...] have not achieved mainstream mass adoption despite being on the market for many years,” said D’Eletto. “Arculus puts a FIDO2 authenticator on a metal credit card form factor, allowing people with an Arculus authenticator to simply tap their card to the back of their phone to authenticate.”

D’Eletto said this provides users with a more familiar experience: “Think of this like an ATM experience — when you go to an ATM, to access your account, you use your PIN and your bank card. Arculus allows the same flow and secure authentication on your phone.”

Protection against phishing scams, but not much else

Shahar Madar, vice president of security and trust products at Fireblocks, told Cointelegraph that it’s essential to understand that a YubiKey and similar physical devices do not hold a user’s wallet or private key.

“It is purely used by a wallet or an exchange to authenticate the end-user and receive their authorization for a transaction,” said Madar.

Madar said these devices’ most compelling use case is to mitigate end-user account takeovers. While this can protect users against phishing attacks, Madar emphasized that a YubiKey or passkey cannot protect against a cryptocurrency exchange hack.

With this in mind, crypto users may want to consider keeping funds on a hardware wallet. Singapore authorities also recently recommended using hardware wallets for security against wallet drainer attacks.

Yet, hardware wallets are also prone to unique challenges. For instance, if a hardware wallet user were to lose their private keys, their crypto funds would likely become unrecoverable.

Klein noted that a YubiKey associated with a Coinbase account can be beneficial in this instance. “If a user were to lose their YubiKey device, they could still get back into their Coinbase account, as there is a method users can go through to regain account access,” he said.