A Guide to Coinbase Account Security

Matt Muller
Published in The Coinbase Blog
May 7, 2019

Best Practices for Protecting Your Crypto

Because cryptocurrency transactions are irreversible, security is an important component of a trustworthy platform. Of course, no single security mechanism is perfect, but following the best practices we share in this post can help reduce the likelihood that you’ll experience an account compromise — not just on Coinbase, but on your other digital accounts as well.

Protecting Your Passwords

If you’ve been using the same password on all your online accounts for years, right now is a great time to switch it up! Virtually all the top common passwords are known to hackers, which makes it easy for them to guess and get into your accounts.

Picking a strong password for your Coinbase account is important, but it’s equally important to have a strong password for the associated email address too. If an attacker gains control of your email address, they can send themselves a password reset request for your Coinbase account.

Rather than try to remember all these passwords yourself, we recommend using a password manager (e.g., 1Password, LastPass) to securely generate and store passwords for you.

When you sign up for a Coinbase account, we’ll give you feedback on how strong your password is based on our Password Requirements:

Password strength ratings provided at signup

If you’re unsure about the strength of your current password, log in to your Coinbase account, then visit our Password FAQ page. At the bottom of the page, you’ll see the score for your current password.

Adding a Second Factor

Now that you’ve got strong passwords everywhere, the next step is adding 2-Step Verification (also referred to as 2-Factor Authentication, or 2FA) to all your accounts. 2FA adds an additional layer of security to your account by ensuring that knowledge of your password isn’t enough to let an attacker in.

By default, all new Coinbase accounts come with SMS-based 2FA enabled. Each time you log in, we send you an SMS with a unique, short-lived verification code. While this is more secure than no 2FA at all, SIM swapping and phone porting attacks (where a fraudster fools your mobile carrier into giving them control of your phone number) are becoming increasingly common. If an attacker can receive SMS messages sent to your phone number, they can receive your SMS 2FA codes as well.

Apple iPhone and iCloud users should also consider disabling Text Message Forwarding (and protecting their iCloud account with 2FA as well!).

Rather than SMS-based 2FA, we recommend using something stronger, like an authenticator app. When you pair an authenticator app with your Coinbase account, it generates the 2FA codes locally on your mobile device, which means they can’t be redirected like an SMS. Be careful though — anyone who can access your authenticator backup (the technical term is a “TOTP seed”) can also generate 2FA codes with it, so don’t save pictures of your QR code or back up your authenticator app to an unencrypted cloud service.

You can enable Google Authenticator (or any compatible authenticator app) in your Security Settings.

Two-factor authentication isn’t just for login. In your security settings, we recommend requiring a 2FA code for all outbound transactions.

To learn more about your 2-factor options, please read our 2-Factor Authentication FAQs.

Checking for Suspicious Account Activity

On the same Security Settings page, you can manage third-party applications that you’ve granted access to your account, as well as review active sessions and recent activity. It’s a good idea to review your Coinbase account activity regularly to ensure that you don’t see anything unusual or suspicious.

Using Vaults and Whitelisting

If you HODL, you should consider using a Vault. Vaults require multi-email approval to start a withdrawal, and the withdrawal itself has a 48-hour time delay, during which you can cancel the withdrawal at any time if you change your mind or if the withdrawal was initiated by an unauthorized party. You can create a vault for any supported cryptocurrency by clicking + Create Vault at the bottom of your Accounts Page. Once your vault is set up, you’ll receive a notification reminding you of the required verifications and withdrawal delay.

For our Pro users, Address Whitelisting allows you to create a predefined set of cryptocurrency addresses that are allowed to accept outbound transactions from your Coinbase Pro account. Because your Pro account will only send funds to whitelisted destinations that you trust, any attempts by an attacker to send those funds elsewhere will be blocked.

We encourage all Coinbase Pro users to take advantage of this extra security feature.
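The two controls above, a whitelist that restricts where funds may go and a vault that requires several approvers and then a cancellable 48-hour delay, are easiest to reason about as a small state machine. The following is an added illustration written for this page, not Coinbase's own vault or whitelisting implementation: the approver e-mails, the destination addresses and the requirement of exactly two distinct approvals are all constructed assumptions (the post only says "multi-email approval"). It shows the properties a practitioner cares about: a non-whitelisted destination is refused before anything else happens, repeated or unknown approvers do not count, nothing can execute before the delay elapses, and a cancel during the delay is final.

```python
"""Added example: toy model of an address whitelist plus a vault withdrawal
with multi-party approval and a cancellable 48-hour delay. Not Coinbase's
code; approver identities, addresses and the 2-approval threshold are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set

DELAY_SECONDS = 48 * 3600  # the 48-hour withdrawal delay described in the post


class State(Enum):
    PENDING_APPROVAL = "pending_approval"  # waiting for distinct approvers
    DELAYED = "delayed"                    # approved, inside the cancel window
    CANCELLED = "cancelled"                # terminal
    COMPLETED = "completed"                # terminal


@dataclass
class Withdrawal:
    destination: str
    amount: int
    state: State = State.PENDING_APPROVAL
    approvals: Set[str] = field(default_factory=set)
    release_at: Optional[int] = None


class Vault:
    def __init__(self, approvers: List[str], whitelist: List[str], required_approvals: int = 2):
        self.approvers = set(approvers)
        self.whitelist = set(whitelist)  # empty set means whitelisting is not enabled
        self.required = required_approvals
        self.log: List[str] = []

    def request(self, destination: str, amount: int) -> Optional[Withdrawal]:
        """Whitelist is checked first: an unknown destination never becomes a withdrawal."""
        if self.whitelist and destination not in self.whitelist:
            self.log.append(f"blocked: {destination} is not whitelisted")
            return None
        return Withdrawal(destination, amount)

    def approve(self, w: Withdrawal, approver: str, now: int) -> State:
        """Only known approvers count, and each counts once; the Nth distinct
        approval starts the delay clock rather than releasing funds."""
        if w.state is not State.PENDING_APPROVAL or approver not in self.approvers:
            return w.state
        w.approvals.add(approver)
        if len(w.approvals) >= self.required:
            w.state = State.DELAYED
            w.release_at = now + DELAY_SECONDS
        return w.state

    def cancel(self, w: Withdrawal) -> State:
        """The owner may cancel at any point before completion."""
        if w.state in (State.PENDING_APPROVAL, State.DELAYED):
            w.state = State.CANCELLED
        return w.state

    def execute(self, w: Withdrawal, now: int) -> State:
        """Funds move only from DELAYED and only once the release time has passed."""
        if w.state is State.DELAYED and w.release_at is not None and now >= w.release_at:
            w.state = State.COMPLETED
        return w.state


# Constructed scenario values; the addresses are placeholders, not real ones.
APPROVERS = ["owner@example.com", "second@example.com"]
WHITELIST = ["addr-trusted-placeholder"]


def run_scenario() -> dict:
    vault = Vault(APPROVERS, WHITELIST)
    refused = vault.request("addr-attacker-placeholder", 500)   # not whitelisted
    w = vault.request("addr-trusted-placeholder", 500)
    vault.approve(w, "owner@example.com", now=0)
    vault.approve(w, "owner@example.com", now=0)                 # duplicate, no effect
    vault.approve(w, "outsider@example.com", now=0)              # unknown, no effect
    after_one = w.state
    vault.approve(w, "second@example.com", now=0)                # second distinct approval
    too_early = vault.execute(w, now=3600)
    on_time = vault.execute(w, now=DELAY_SECONDS)
    w2 = vault.request("addr-trusted-placeholder", 10)
    vault.approve(w2, "owner@example.com", now=0)
    vault.approve(w2, "second@example.com", now=0)
    vault.cancel(w2)                                             # owner notices, cancels
    after_cancel = vault.execute(w2, now=DELAY_SECONDS)
    return {"refused": refused, "after_one": after_one, "too_early": too_early,
            "on_time": on_time, "after_cancel": after_cancel, "log": vault.log}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Treat the delay as the last line, not the first: it only helps if the notification that a withdrawal was started actually reaches you on a channel the attacker does not control.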

In the security world, we talk a lot about the concept of “defense in depth” — the notion that no single line of defense will ever permanently keep out an attacker, so it’s important to have multiple layers of protection. By implementing the best practices described here, you can add some layers of defense to your online accounts, as well as adding additional protection for your Coinbase funds.

If you have a security concern or suspect your account is at risk, please notify us through the Coinbase Support page.

All links to third-party websites are for convenience and informational purposes only (“Third-Party Sites”). Coinbase is not responsible for the content of any Third-Party Site, and the inclusion of any link does not imply endorsement, approval or recommendation by Coinbase.

Unless otherwise noted, all images provided herein are by Coinbase.

Matt Muller: Trust and Security at Coinbase. Fascinated by people and technology.