Motivation to use strong authentication
Exchange trading requires keeping a certain amount of cryptocurrency in exchange wallets. This attracts many attackers who want to steal coins from exchanges, and attacks on exchanges happen on a daily basis. Users must therefore pay attention to security to avoid losing money.
Exchanges often require two-factor authentication to be set up before a user is allowed to send BTC or fiat money to exchange wallets. Even where an exchange does not explicitly require it, enabling it is a very smart move. Some new or smaller exchanges do not support two-factor authentication at all; in that case it is safer to avoid registering with them. If that is not possible, it is wise to transfer coins to a safer place rather than leaving them permanently on an insecure exchange.
What is Two-factor authentication
Two-factor authentication (2FA) or multi-factor authentication (MFA) is a user identity verification process involving two or more separate authentication steps. Each step requires a distinct authentication factor. Access to the exchange is granted only if every configured step succeeds in verifying the user's identity.
The point is that the more authentication factors are required, the higher the certainty about the user's identity. However, this depends on the factors themselves. The best approach is to make the first factor something the user knows and the second something the user possesses. Typically the user knows credentials such as a username and password or a PIN, and possesses a certificate, an ID card, a security token or a smartphone.
A smartphone is a very suitable option since nowadays nearly everybody has one. Either an installed application or an SMS message is used as the second factor.
There is also a third factor, the most secure one, which is tied to the user's identity. This type is called an inherence factor and is based on the user's biometric data: typically fingerprint, face or voice authentication.
The second and third factors are often merged, since both are linked to possession of a smartphone.
The smartphone verifies the user's biometric data in order to unlock itself, and an installed application then generates, for example, an ID that is used as the second authentication factor.
In this article, I will treat the second and the third factors together as the second factor.
Requiring a username and password plus a PIN that the user set up is considered an insecure approach. The reason is that both the password and the PIN can be stored together in some text form on the user's computer, or both can be captured by network sniffing tools and then reused by the attacker to log in to the exchange. The scenario described above has nothing in common with 2FA: only the first factor was used, even though the user had to enter both a password and a PIN to log in to the exchange.
How Two-factor authentication works
If 2FA is set up, there are more communication channels in place to verify the user's identity, so it is much more difficult, or nearly impossible, for an attacker to steal data from both channels. Let's outline what happens when a user signs in to an exchange. When the user provides the username and password via a web browser, the data travels over the IP network. If the username and password are accepted by the exchange, the user is prompted to provide an ID that is obtainable via the user's smartphone. The ID is delivered to the smartphone via a telecommunication network (SMS) or is generated directly on the device. Once the user is signed in, any further sign-in attempt results in a request for the second-factor ID again; the ID used for the previous sign-in is no longer valid.
It is assumed that it is impossible for the attacker to physically steal the user's smartphone and overcome biometric authentication to obtain the second-factor ID. Conversely, it is assumed that an attacker who stole the user's smartphone (and is able to unlock it) still does not have the user's username and password.
A user should never store the username and password in plain text files. The best a user can do is to remember the credentials (username and password) and avoid storing them on the hard drive at all. The key is to keep the credentials and the application generating the second-factor ID separate.
Note that 2FA is not only used for signing in. It can also be required for cryptocurrency withdrawals. If an exchange offers this option, it is smart to use it.
Two-factor authentication tools
A popular tool used by major exchanges is Google Authenticator. The authenticator generates a unique six-digit number every 30 seconds. This makes the sign-in process faster, since the user does not have to wait for an SMS.
The authenticator can be easily configured and linked to the user's account. The user installs the Google Authenticator application, goes to the exchange's account settings and enables 2FA. The exchange displays a QR code and the corresponding ID. The user opens Google Authenticator and scans the QR code or retypes the ID. From this point on, 2FA is configured and will be required for the next sign-in. Note that Google Authenticator is linked both to the user's smartphone and to the user's exchange account.
There are other tools similar to Google Authenticator, but they are not often supported by exchanges. Google Authenticator is considered the standard, and everyone involved in crypto must have it to be able to trade on major exchanges.
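As an added example that is not part of the original article, the code below shows how an authenticator-style six-digit code is derived from the shared secret behind the QR code (RFC 6238 TOTP, HMAC-SHA1, 30-second step) and how an exchange can check it while rejecting a code that was already used for a sign-in. The secret is a constructed demo value, and the `TotpVerifier` class is this example's own design, not any exchange's implementation.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 6238 test key), NOT a real account secret.
# In practice the secret is the setup key encoded in the exchange's QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code valid for the 30 s window containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                        # same for the whole window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Exchange-side check: accept a code from the current or an adjacent
    window (clock skew), but never accept the same window twice (replay)."""

    def __init__(self, secret_b32: str, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret_b32, step, skew
        self.last_used_counter = -1                    # highest window already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_used_counter:
                continue                               # already used for a sign-in
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):    # constant-time comparison
                self.last_used_counter = counter
                return True
        return False
```

The first three checks in the test reproduce the published RFC 6238 SHA-1 vectors truncated to six digits; the replay check shows why the ID used for a previous sign-in is no longer valid.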
Additional verification via email
Some exchanges, Bittrex for example, also verify the device that was last used to sign in via a web browser. If the device identifiers differ, the user is prompted to confirm via email that the authentication attempt from a different device was the user's own.
Some exchanges also offer the option to set up withdrawal confirmation via email.
To protect your cryptocurrency, 2FA is an absolute must. Configuration does not take much time, and once you have installed Google Authenticator, setting up 2FA for another exchange is as simple as scanning a QR code.
Note that when you buy a new smartphone and want to use Google Authenticator on it, you have to scan the original QR code that you used when setting up 2FA for the first time. Ensure you have safely stored that original QR code. Alternatively, authenticate to the exchange with Google Authenticator on the older smartphone and then set it up on the newer one.
Remember that using only single-factor authentication makes you an easy target for an attacker, and you can lose your money.