Crypto accounts are high-value targets
There’s no “undo” button for cryptocurrency. If someone gets into your exchange account and transfers your funds out, that money is almost certainly gone. No chargeback, no bank fraud department, no reversals.
This makes crypto exchange accounts some of the most important places to enable two-factor authentication. Both Binance and Coinbase support TOTP-based 2FA through authenticator apps, and there’s no good reason not to turn it on immediately.
If you’re not sure how authenticator codes work, “What is TOTP?” explains the mechanics.
What you’ll need
- An account on Binance, Coinbase, or both
- An authenticator app (Google Authenticator, Authy, 1Password, or any TOTP app)
Setting up 2FA on Binance
1. Log into Binance and open security settings
Sign into your Binance account. Click your profile icon in the top right and select Security from the dropdown. You can also navigate directly to the security settings page.
2. Find the authenticator app option
In the security settings, you’ll see a section for “Authenticator App” or “Binance/Google Authenticator.” Click Enable next to it.
Binance may prompt you to verify your identity first via email or SMS if you haven’t set those up.
3. Install an authenticator app (if you haven’t)
Binance will remind you to install an authenticator app. If you already have one, skip this step.
4. Save the backup key
Before scanning the QR code, Binance shows you a text-based secret key. This is your backup. Write it down or save it in your password manager.
This is a step Binance handles differently from most services. They show you the backup key before you scan the QR code, not after. Don’t skip past it. If you lose access to your authenticator app, this key is how you restore your Binance 2FA on a new device.
5. Scan the QR code
Open your authenticator app, add a new account, and scan the QR code Binance shows you. You’ll see a new entry generating 6-digit codes every 30 seconds.
6. Verify the setup
Binance asks you to enter your account password, an email or SMS verification code, and the 6-digit code from your authenticator app. Enter all three and click Submit.
2FA is now active on your Binance account.
Binance-specific notes
- Binance often requires the authenticator code for withdrawals, not just logins. This is a good thing.
- If you need to reset your 2FA (lost phone, new device), Binance has a reset process that includes a security hold period, usually 24 to 48 hours, during which withdrawals are disabled. This is by design, to slow down attackers.
- Consider also setting up an anti-phishing code in Binance’s security settings. It’s a custom phrase that appears in every legitimate Binance email, so you can tell real emails from fakes.
Setting up 2FA on Coinbase
1. Log into Coinbase and open settings
Sign into your Coinbase account. Click your profile icon and go to Settings, then select the Security tab.
2. Change your 2FA method
Coinbase enables SMS-based 2FA by default for most accounts. You want to upgrade to an authenticator app. Under the “Two-step verification” section, click Select next to “Authenticator” or look for an option to change your verification method.
3. Verify with your current method
Coinbase will send an SMS code to confirm the change. Enter it to proceed. (Yes, you need the old method to switch to the new one.)
4. Scan the QR code
Coinbase shows a QR code. Open your authenticator app, add a new entry, and scan it.
If you need the text key instead, look for a “Can’t scan?” or “Enter manually” option. Save this key somewhere secure as your backup.
5. Enter the verification code
Type the 6-digit code from your authenticator app into Coinbase and confirm.
Done. Your Coinbase account now uses the authenticator app for 2FA.
Coinbase-specific notes
- Coinbase may still send SMS codes for certain high-risk actions even after you switch to an authenticator. That’s their extra layer of verification for things like large withdrawals.
- Coinbase Vault, if you use it, has its own separate approval process with time delays. 2FA on your main account doesn’t replace Vault protections.
- If you lose your authenticator, Coinbase has an account recovery process. It includes a waiting period and identity verification. Save your backup key to avoid this.
General advice for crypto 2FA
Don’t use SMS as your only second factor
SIM swapping attacks — where someone convinces your carrier to port your phone number to their SIM card — are a real threat, and crypto holders are specifically targeted. In 2019, a hacker stole over $24 million from a crypto investor through a SIM swap. Authenticator apps aren’t vulnerable to this because the codes are generated on your device, not sent to your phone number.
Back up your secrets carefully
Losing access to your 2FA without a backup is worse on a crypto exchange than almost anywhere else. You could have funds locked behind an account you can’t get into, with a recovery process that takes weeks.
When you set up 2FA, save the secret key (the text version of the QR code) in at least two places. A password manager and a printed copy stored safely are a reasonable approach.
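To confirm a saved backup key is usable before you need it, the added example below (not code from Binance, Coinbase, or this guide) decodes the key, or the otpauth:// URI that a setup QR code encodes, and checks that it produces the same 6-digit code your authenticator app shows. It assumes the standard TOTP defaults (HMAC-SHA1, 30-second step, 6 digits); the function names are illustrative and the sample input is the public RFC 6238 test secret, not a real account key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed sample input: the public RFC 6238 test secret, not a real account key.
SAMPLE_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"   # as hand-copied, with spaces
SAMPLE_URI = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"

def secret_from_backup(text):
    """Return raw key bytes from a bare backup key or an otpauth:// URI."""
    text = text.strip()
    if text.lower().startswith("otpauth://"):
        text = parse_qs(urlparse(text).query)["secret"][0]
    cleaned = "".join(text.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped base32 padding
    return base64.b32decode(cleaned)              # ValueError on a mistyped character

def totp(key, at=None, step=30, digits=6):
    """RFC 6238 code for time `at` (HMAC-SHA1, the common authenticator default)."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def backup_matches(backup_text, code_from_app, at=None, step=30):
    """True if the backup yields the app's code, allowing one step of clock drift."""
    key = secret_from_backup(backup_text)
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(key, now + d * step, step), code_from_app)
               for d in (-1, 0, 1))

if __name__ == "__main__":
    print(totp(secret_from_backup(SAMPLE_KEY), at=59))
    print(backup_matches(SAMPLE_URI, "287082", at=59))
```

Base32 has no 0, 1, 8 or 9, so a key copied with one of those characters fails to decode here instead of failing later during account recovery. Run the check offline on a device you trust.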
Use a dedicated authenticator app
Some people prefer to keep crypto 2FA codes in a separate app from their other accounts. The thinking is that if one app gets compromised somehow, your financial accounts are isolated. Whether that’s worth the hassle depends on your threat model, but it’s an option.
Enable every security feature the exchange offers
Both Binance and Coinbase have additional protections beyond basic 2FA:
- Withdrawal address whitelisting (only allow withdrawals to pre-approved addresses)
- Anti-phishing codes (Binance)
- Vault with time-delayed withdrawals (Coinbase)
- Device management (review and remove trusted devices)
- Login notifications
Turn them all on. For accounts holding real money, convenience should take a back seat.
Quick recap
Binance: Security settings > Authenticator App > Save backup key > Scan QR > Verify with code + email/SMS + password.
Coinbase: Settings > Security > Switch from SMS to Authenticator > Scan QR > Verify with code.
Both take a few minutes. Given what’s at stake, there’s no reason to wait.
If you want to see how TOTP codes work before setting anything up, try 2fa.zip. It runs in your browser, doesn’t store anything on a server, and gives you a feel for the codes before you commit.