DigitalFinances


What is 2FA (two-factor authentication)?

A second verification step beyond your password — usually an app code (TOTP), security key, or SMS. App-based and security-key 2FA is strong; SMS 2FA can be defeated by SIM-swap attacks.

Last updated April 30, 2026

How it works

When 2FA is enabled, logging in requires both:

  1. Something you know — your password
  2. Something you have — a code or device proving ownership

Common 2FA factors, ranked by security:

  • Hardware security keys (YubiKey, Ledger Stax) — strongest. Physical device that signs a challenge. Phishing-resistant because the signed challenge is bound to the site's origin, so a signature obtained through a look-alike domain does not verify at the real one.
  • TOTP authenticator apps (Google Authenticator, Authy, 1Password) — strong. App generates 6-digit codes that rotate every 30 seconds, derived from the current time and a secret shared with the service at enrollment.
  • Push notifications (Duo, Microsoft Authenticator push) — strong. App pings your phone for tap-to-approve.
  • SMS codes — weak. Texted codes can be intercepted by SIM-swapping the phone number to an attacker's SIM.
  • Email codes — weakest as a second factor; often the same email used for password reset.

For crypto and high-value accounts, the order should be: security key first, TOTP/push second, SMS only as last resort.

Example

A typical SIM-swap attack:

  1. Attacker calls your mobile carrier (T-Mobile, Verizon, AT&T), poses as you, claims a lost phone
  2. Carrier's customer-service rep transfers your number to an attacker-controlled SIM
  3. Attacker triggers password reset on your accounts; reset codes go to their phone via SMS
  4. They log in, change password, drain account
  5. You discover when your phone has no signal and your accounts are empty

This pattern hit dozens of high-profile crypto holders in 2018-2020, with reported individual losses in the millions. Carriers have improved verification (port-out PINs, etc.) but it still happens regularly.

The defense is to never use SMS 2FA for important accounts. Coinbase, Kraken, and most major exchanges allow disabling SMS in favor of TOTP or hardware keys.

Why it matters

Practical 2FA configuration for a typical crypto user:

  • Email account — security key + TOTP backup. Email is the master key; if it's compromised, password resets cascade.
  • Exchange accounts (Coinbase, Kraken) — security key + TOTP backup. Disable SMS 2FA.
  • Mobile carrier — set a port-out PIN, lock the line, request high-friction in-store changes only.
  • Self-custody wallet apps — usually no 2FA; the wallet is secured by the device's biometric/passcode and the seed-phrase backup.
  • Bank accounts — at minimum TOTP if available; many banks still default to SMS.

Common 2FA mistakes:

  • No backup factor configured. Lose your primary phone, lose access. Always set 2+ factors per important account.
  • TOTP secrets stored only on one device. Use 1Password / Authy / iCloud Keychain to sync TOTP across multiple devices, OR write down the original setup secrets as a backup.
  • Trusting email-based 2FA. If your email provider requires only SMS to reset, an attacker only needs your phone number.
  • Reusing the same security key for everything without a backup. Have a primary YubiKey at home, a backup YubiKey in a safe place. Lose the primary, you have a fallback.

The investment in real 2FA is small (a YubiKey 5 is ~$50; the better Authenticator apps are free). The downside of weak 2FA — total account loss with no recovery — is large enough that "I'll get to it eventually" is the wrong answer for any account holding meaningful funds.
