Securing your Gemini Account with WebAuthn
Protecting your crypto is a cornerstone of our mission to build the future of money. We have operated from day one with a security-first mentality and have focused on providing our customers with layered security features to help them protect their Gemini accounts. Simply put, trust is our product.
Today, we’re excited to raise the bar even higher by introducing support for hardware security keys via WebAuthn (“Web Authentication”). You can now use USB security keys (e.g., Yubikeys, Feitian keys, Trezor and Ledger hardware wallets, etc.), MacOS TouchID, and even Windows Hello as your two-factor authentication (2FA) method when signing in to your Gemini account. Gemini is the world’s first crypto exchange and custodian to support the WebAuthn security protocol.
Using hardware security keys via WebAuthn to secure your Gemini account provides hardware-backed, cryptographic proof that it is you (and not someone else) signing in to your Gemini account — this prevents someone else from signing into your Gemini account even if they have your password. Using hardware security keys via WebAuthn also ensures that you only submit your two-factor credentials to the actual Gemini website and not a malicious website pretending to be the Gemini website.
Advanced Security Protection
Recently, we published a blog post outlining best practices for securing your Gemini account. We encourage you to read it if you have not already done so.
We’ve added many layers of security throughout the years to help you keep your digital assets safe. Since our launch in 2015, we have always required 2FA for all account sign ins; this has never been an opt-in security feature. We use the Authy app for 2FA, which either generates a secure 7-digit code on your mobile device or sends a code via SMS (Note: We encourage you use the Authy app for 2FA rather than SMS). This code is required when signing in to your Gemini account and when performing high-risk actions, like withdrawing your crypto.
But even with 2FA enabled via Authy, an attacker can stand up a website that looks just like Gemini, and ask for your username, password, and 2FA codes. Once divulged, your credentials can be used to access your Gemini account and ultimately withdraw your crypto. To mitigate this risk, we require additional email verification when you sign in from a new device. We also added support for Authy Push last year, which means that customers who have the Authy app installed will automatically receive a push notification that contains transaction details and requires confirmation every time they make a crypto withdrawal attempt. Furthermore, Authy Push will surface inconsistencies in a withdrawal in the event your computer is infected with malware.
Two weeks ago, we released a self-service tool called Withdrawal Address Whitelisting. When enabled, your crypto may only be withdrawn from your Gemini account to specific crypto addresses (submitted and approved by you).
Securing your Gemini Account with WebAuthn
You can register hardware security keys by going to your account security settings page (you must be logged in). If you have more than one hardware security key, you may register multiple keys for added redundancy. When you register multiple hardware security keys, we’ll give you the option to exclusively use your hardware security keys for signing in to your Gemini account, which will disable 2FA codes sent via Authy or SMS. Withdrawals will continue to require Authy Push notification (or an SMS code) to confirm.
Please Note: The Gemini Mobile app does not currently support WebAuthn for 2FA because native support for WebAuthn on mobile is limited and not all iOS and Android devices can physically accept a security key. As a result, if you exclusively use hardware security keys for signing into your Gemini account, you will need to re-enable Authy the next time you sign in to the Gemini Mobile app. We are monitoring the development of WebAuthn and plan to support it in the Gemini app when it becomes possible to do so in the future.
Authy Push, Whitelisting, and today’s announcement of WebAuthn, give you the advanced tools you need to secure your Gemini account. We will continue to strive to be the most secure place for you to buy, sell, and store your crypto today and tomorrow.
Onward and Upward,
Marcin Wielgoszewski, Security Engineering Lead
Greg Stromire, Security Engineer