What is 2-factor authentication (2FA)?
Two-factor authentication (2FA), also known as 2-step verification, is a security layer in addition to your username and password. With 2FA enabled on your account, you will have to provide your password (first “factor”) and your 2FA code (second “factor”) when signing in to your account. 2FA codes are associated with a specific device (such as your phone) or your phone number.
What is TOTP?
Time-based One-Time Password (TOTP) is currently the most secure 2FA method recommended by Coinbase. TOTP is an algorithm that generates a code based on the current time and a secret key known only to you and the online service, in this case Coinbase. The act of sharing this secret key is safe from man-in-the-middle attacks as there is no communication that happens over the internet. Coinbase shows you a QR code that represents the secret key, and you scan it using an authenticator app on your mobile device. Google Authenticator and several other authenticator apps allow you to generate TOTP codes using your mobile device or computer.
Which type of 2-factor authentication should I use?
Coinbase recommends using Google Authenticator or another offline authenticator app such as Duo or 1Password.
Since SMS and the Authy app are linked to a phone number, they can leave customers susceptible to phone number porting attacks. These types of attacks involve an attacker transferring or “porting” a victim's phone number to a device the attacker controls, effectively taking over the number and associated 2-factor authentication codes.
By using Google Authenticator or another authenticator app, the only way to access the codes is via physical access to the device running the app.
What if I don’t have a smartphone?
If you do not have a device that supports Google Authenticator or similar apps, you can install a TOTP app on your computer and configure it with the secret seed provided during Authenticator setup. Some example applications*:
What if I get a new phone or my code stops working?
When you get a new phone or lose your current one, the steps to transfer your 2FA codes to a new device will depend on how your codes are generated.
You can find detailed instructions and troubleshooting tips in this article.
I prefer not to use Google Authenticator. What options do I have?
While the Google Authenticator app does not sync your 2FA information to Google servers and runs independently on your device, TOTP is an open standard that is supported by several different applications, any of which can be used for your Coinbase account.
Some example applications* that support TOTP codes:
What do I do if I have a landline on my account?
Coinbase does not support authentication by landline. If you have a landline on your Coinbase account, please refer to this page for more information on landlines.
How can I learn more about security at Coinbase?
Refer to the following pages:
* References to third party services are provided for your information and convenience, and should not be considered advice or endorsement by Coinbase.