Best Practices for Securing Your Gemini Account
Security has been a pillar of Gemini since our inception. Our security-first mentality is baked into all of our products, serving as a true differentiator in the cryptocurrency industry. Our industry-leading SOC 2 Type 1 security compliance demonstrates our commitment to security and building trust in cryptocurrency as an asset class — trust is our product.
Empowering Gemini customers is also important. We recently released a self-service tool — Withdrawal Address Whitelisting — to provide our customers with an additional layer of protection on their Gemini accounts. Whitelisting allows our customers to (i) ban all withdrawal activity, or (ii) restrict withdrawals from their Gemini account to specific, approved addresses.
As we continue to upgrade this whitelisting feature and other account-level security options, below are additional security recommendations — including details on whitelisting, passwords, and best practices for managing your Gemini account and digital assets more broadly.
PASSWORDS & ACCOUNT ACCESS
A strong password is long, randomly generated, and used for exactly one account, so it can neither be guessed nor recovered from a breach of another site. Use strong passwords to secure your desktop and laptop devices as well as your Gemini account. Rather than writing passwords down, which you should never do, we recommend using a password manager.
Use the password manager's built-in generator to create a unique, complex password for every site that requires credentials. It is far easier to remember one complex master password (the one for the password manager itself) and let the manager fill or copy stored passwords into the websites you use, including Gemini.
Always remember that Gemini will never contact you asking for your password, PIN, or password-manager credentials. If you ever receive an email requesting such information, please forward it to us at email@example.com.
If you use the Gemini mobile app, we recommend securing it with biometric authentication via Touch ID or Face ID for every login. As a backup, use a PIN you can easily remember and never write down.
TWO-FACTOR AUTHENTICATION (2FA)
During account setup, we require users to complete two-factor authentication (2FA). This verifies your possession of two of the three recognized authentication factors: (1) something you have (such as a mobile device or hardware token), (2) something you know (such as a password or PIN), and (3) something you are (a fingerprint or face scan). The government-issued ID we collect during onboarding verifies who you are when the account is opened; it is identity proofing, not an authentication factor.
Gemini's 2FA method is Authy, a commercial application you can download to your mobile device or desktop computer. SMS verification is also available, but Authy is more secure: SMS codes can be intercepted through a SIM swap or port-out of your phone number at the carrier, whereas an authenticator app generates codes locally from a secret stored on your device. For the highest level of security, we also recommend disabling the multi-device option in your Authy app settings, which prevents additional devices from being enrolled with the ability to authenticate your logins.
In the event you have a new phone or phone number, you may temporarily lose access to Authy 2FA. You can resolve any 2FA lockout using the instructions here.
As you continue your Gemini account setup, you’ll link bank accounts to use as U.S. dollar funding sources for trading. The accounts you connect should be secured by strong passwords, ideally stored in a password manager.
Always practice situational awareness with your Gemini account: Never give out personal identifying information through untrusted sources, never allow remote access into your computer, and remember that Gemini’s primary support channel is email — not phone. (Our support team only calls customers in special cases, after coordinating a time and date via email.) When accessing the Gemini website, only use the URLs https://gemini.com or https://exchange.gemini.com/signin.
Once you deposit funds and start trading, review the Transaction History in your account settings regularly. If you suspect unauthorized activity, please report it to us immediately at firstname.lastname@example.org or email@example.com.
WITHDRAWAL BANS & WHITELISTING
In order to withdraw from your account, you will need to complete our full onboarding process (including uploading a government ID). Once that’s complete, U.S. dollar funds can be withdrawn to any connected bank account and cryptocurrencies can be sent to any withdrawal address associated with the currency type (BTC, ETH, LTC, BCH, ZEC, or GUSD).
For added security, you can use withdrawal address whitelisting to (i) ban cryptocurrency withdrawals, or (ii) restrict them to specific, approved addresses only. This ensures that in the unlikely event of an account takeover, your cryptocurrencies on Gemini cannot be sent to an unknown address.
Once you enable whitelisting in your account settings, you will not be able to withdraw until there are active addresses on your whitelist. You can leave your whitelist empty to maintain a ban on all withdrawals.
You can add addresses, delete addresses, or edit address labels at any time through your account settings on the Gemini website (whitelist information is read-only on the Gemini mobile app). For individual accounts, every new address is subject to a seven-day holding period before it is activated for withdrawals. We recommend whitelisting only the addresses of offline ("cold") wallets that you control.
On accounts with multiple users, address requests can only be made by account administrators or managers. Requests are subject to a dual-control process, whereby a fellow administrator or manager must approve each request (eliminating the need for a seven-day holding period).
As an added security protection, you must contact Gemini Customer Support directly to disable whitelisting.
All self-service measures regarding passwords, 2FA, account management, and whitelisting build on other protections inherent to Gemini’s security processes.
Temporary withdrawal holds are one example: Changing the email address on your account or resetting a forgotten password results in a 24-hour hold on cryptocurrency withdrawals. In addition, we allow users to freeze their accounts in the event of an unauthorized login or other suspicious activity. Once reported, incidents are investigated by our expert support and security teams.
Additionally, Gemini detects when a device connects to an account for the first time. A login from a new device immediately blocks withdrawals until the account owner verifies that device.
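The controls described in the whitelisting section and in the two paragraphs above compose into a single withdrawal decision: an enabled but empty whitelist is a ban, a new address is inert until its seven-day hold expires (or, on a multi-user account, until a second administrator approves it), whitelisting can only be switched off through support, and any sensitive change or unverified device blocks withdrawals outright. The following is an added example that models that decision logic; it is not Gemini's code. The class and method names are assumptions, times are Unix seconds, and the addresses and timestamps are constructed.

```python
"""Illustrative model of the withdrawal controls described above: an address
whitelist that is a full withdrawal ban while empty, a seven-day activation
hold for new addresses on individual accounts, dual-control approval on
multi-user accounts, a 24-hour hold after an email change or password reset,
and a block on withdrawals after a first login from a new device.

Added example, not Gemini's code: class and method names are assumptions,
times are Unix seconds, and the addresses and timestamps used are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

DAY = 86_400
ACTIVATION_HOLD = 7 * DAY          # individual accounts: new address usable after 7 days
SENSITIVE_CHANGE_HOLD = 24 * 3600  # email change / password reset


@dataclass
class WhitelistEntry:
    asset: str
    address: str
    requested_by: str
    requested_at: int
    approved_by: Optional[str] = None  # set by a second admin/manager on multi-user accounts

    def is_active(self, now: int, multi_user: bool) -> bool:
        if multi_user:
            # Dual control: a different administrator or manager must approve.
            return self.approved_by is not None and self.approved_by != self.requested_by
        return now - self.requested_at >= ACTIVATION_HOLD


@dataclass
class Account:
    multi_user: bool = False
    whitelist_enabled: bool = False
    entries: list = field(default_factory=list)
    holds_until: dict = field(default_factory=dict)  # reason -> unix time the hold ends
    device_verified: bool = True

    def enable_whitelist(self) -> None:
        self.whitelist_enabled = True  # with no active entries this bans all withdrawals

    def disable_whitelist(self, via_support: bool) -> None:
        # Self-service may only tighten the policy; loosening it goes through support.
        if not via_support:
            raise PermissionError("contact customer support to disable whitelisting")
        self.whitelist_enabled = False

    def request_address(self, asset: str, address: str, requested_by: str, now: int) -> WhitelistEntry:
        entry = WhitelistEntry(asset, address, requested_by, now)
        self.entries.append(entry)
        return entry

    def approve_address(self, entry: WhitelistEntry, approver: str) -> None:
        if not self.multi_user:
            raise ValueError("individual accounts use the holding period, not approvals")
        if approver == entry.requested_by:
            raise PermissionError("the requester cannot approve their own address")
        entry.approved_by = approver

    def record_sensitive_change(self, reason: str, now: int) -> None:
        self.holds_until[reason] = now + SENSITIVE_CHANGE_HOLD

    def login_from_new_device(self) -> None:
        self.device_verified = False

    def verify_device(self) -> None:
        self.device_verified = True

    def can_withdraw(self, asset: str, address: str, now: int) -> tuple:
        """Return (allowed, reason). Checks run from the broadest block to the narrowest."""
        if not self.device_verified:
            return False, "withdrawals blocked until the new device is verified"
        for reason, until in self.holds_until.items():
            if now < until:
                return False, f"24-hour hold after {reason} ({until - now} s remaining)"
        if not self.whitelist_enabled:
            return True, "whitelisting is off: any address is accepted"
        active = [e for e in self.entries if e.is_active(now, self.multi_user)]
        if not active:
            return False, "whitelist has no active addresses: all withdrawals banned"
        if any(e.asset == asset and e.address == address for e in active):
            return True, "address is on the active whitelist"
        return False, "address is not on the active whitelist"
```

The ordering inside `can_withdraw` is the point: device and change-based holds are evaluated before the whitelist, so an attacker who has just taken over the account cannot get around them by adding an address, and adding an address does nothing for seven days (or without a second approver) in any case. The asymmetry in `disable_whitelist`, where self-service can only tighten the policy, is what makes the control hold up against a compromised session.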
Account freezing and withdrawal bans (via whitelisting) offer the highest level of security because they restrict customers’ cryptocurrency holdings to Gemini, which we view as ultimately the safest option for customers. Our security approach is further bolstered by platform and marketplace protections that include U.S. dollar capital reserves, digital asset insurance, market surveillance technology, and a SOC 2 Type 1 security review by Deloitte.
Security, Product, Licensing, and Compliance are the four pillars of Gemini, and our efforts are setting the standard for cybersecurity in the crypto industry. As we deliver further security features and enhancements over the course of 2019, we will continue to share best practices for investing safely and securely in the future of money.
Onward and Upward,
Jim Rouse, CISO