Two-Factor Authentication (2FA)
Two-factor authentication adds a second verification layer beyond your password, requiring something you know and something you have. For Bitcoin security, a hardware security key such as a YubiKey, or failing that a TOTP app, is essential — never use SMS-based 2FA.
How It Works
Two-factor authentication requires two separate proofs of identity before granting access. The first factor is typically your password (something you know). The second factor is something you physically possess — a hardware security key like a YubiKey, or a time-based one-time password (TOTP) generated by an app like Google Authenticator or Aegis. When both factors are verified, access is granted.
SMS-based 2FA sends a code to your phone number, but this method is dangerously flawed. Attackers can execute SIM swap attacks to hijack your phone number, intercept your codes, and drain your accounts. This is not theoretical — it has happened to countless Bitcoin holders. Hardware keys and TOTP apps generate codes locally on your device, making them immune to remote interception.
For Bitcoin-adjacent accounts — exchanges, email tied to exchange accounts, password managers — always use the strongest 2FA available. Hardware security keys (FIDO2/WebAuthn) are the gold standard. If unavailable, use TOTP apps. Store your TOTP backup codes on paper or metal in a secure location, never in cloud storage or on your phone.
Key Points
- Never use SMS-based 2FA for any account connected to Bitcoin — SIM swap attacks make it trivially bypassable
- Hardware security keys (a YubiKey, or a Trezor used as a FIDO2 authenticator) provide the strongest second factor
- TOTP apps generate codes locally on your device, immune to remote interception
- Back up your 2FA recovery codes offline — losing your second factor can lock you out permanently
- Enable 2FA on email accounts first, since email is the master key to most account recovery flows