What is 2-factor authentication (2FA)?
Two-factor authentication (2FA), also known as 2-step verification, is a security layer in addition to your username and password. With 2FA enabled on your account, you will have to provide your password (first “factor”) and your 2FA code (second “factor”) when signing in to your account. 2FA codes are associated with a specific device (such as your phone) or your phone number.
What is TOTP?
Time-based One-Time Password (TOTP) is currently the most secure 2FA method recommended by Coinbase. TOTP is an algorithm that generates a code based on the current time and a secret key known only to you and the online service, in this case Coinbase. Sharing this secret key is safe from man-in-the-middle attacks, as no communication happens over the internet. Coinbase shows you a QR code, which is a representation of the secret key, and you scan it using an authenticator app on your mobile device. Google Authenticator and several other authenticator apps allow you to generate TOTP codes using your mobile device or computer.
Which type of 2-factor authentication should I use?
Coinbase recommends using Google Authenticator or another offline authenticator app such as Duo or 1Password.
Since SMS and the Authy app are linked to a phone number, they can leave customers susceptible to phone number porting attacks. These types of attacks involve an attacker transferring or “porting” a victim's phone number to a device the attacker controls, effectively taking over the number and associated 2-factor authentication codes.
By using Google Authenticator or another authenticator app, the only way to access the codes is via physical access to the device running the app.
What if I don’t have a smartphone?
If you do not have a device that supports Google Authenticator or similar apps, you can install a TOTP app on your computer and configure it with the secret seed provided during Authenticator setup. Some example applications*:
What if I get a new phone or lose my device?
When you get a new phone or lose your current one, the steps to transfer your 2FA codes to a new device will depend on how your codes are generated.
Google Authenticator (or similar TOTP app)
Please refer to this article
Authy App linked to your phone number
- If your phone number has not changed:
  - SMS/Text messages will be automatically delivered to your new device
- If your phone number has changed and has the same country code as your old phone:
  - Sign in to the Coinbase website with your username and password
  - Click on the link "Code not working?"
  - Click on "I no longer own the phone number ending in +1 xxx xxx 1234" (as an example)
  - Complete the Account Recovery process by following the steps listed
  - Increase your account security by enabling Authenticator: https://www.coinbase.com/security_upgrade
- If your phone number has changed and has a different country code:
  - Contact us and let us know your old and new country
I prefer not to use Google Authenticator. What options do I have?
While the Google Authenticator app does not sync your 2FA information to Google servers and runs independently on your device, TOTP is an open standard that is supported by several different applications, any of which can be used for your Coinbase account.
Some example applications* that support TOTP codes:
What do I do if I have a landline on my account?
Coinbase does not support authentication by landline. If you have a landline on your Coinbase account, please refer to this page for more information on landlines.
How can I learn more about security at Coinbase?
Refer to the following pages:
* References to third party services are provided for your information and convenience, and should not be considered advice or endorsement by Coinbase.