Why 2FA isn't enough with Crypto Exchanges

A lot of trust has to be placed in cryptocurrency exchanges: first because you are entrusting them with your fiat currency, and second because you are entrusting them with the keys to your cryptocurrency.

Every cryptocurrency address, whether Bitcoin, Litecoin or Ethereum, is derived from the public half of a cryptographic key pair. The pair has two parts, a public key and a private key. What matters here is that the private key is what signs transactions: whoever holds it can transfer the coins at that address to anyone they choose, and nobody without it can.

If you have ever used an exchange, you will have noticed that you never see these keys. The exchange manages them for you in the background. It may hold keys for Bitcoin or Ethereum addresses created specifically for your account, or it may hold keys to shared wallets and simply credit your balance in its own internal ledger; either way, it uses those keys to carry out the trades and withdrawals you request through its website or app.

That is convenient, but you will never see those private keys. In fact, if you withdraw coins from an exchange and follow the transaction on a block explorer such as BlockCypher, you will often see that the amount came from an address holding far more than you withdrew, a pool shared by many users. Your amount is paid out to the destination you asked for, and the remainder stays on the original address or moves on to another one the exchange controls.

This is not what cryptocurrency was designed for. The intent was decentralisation: the user controls their own keys, not some larger authority such as a bank. Most of the popular exchanges are well run and have so far earned a reasonable degree of trust, but ultimately they still hold your keys. They can assure you of their security controls and processes over and over, and offer 2-Factor Authentication with YubiKeys, OTP tokens and SMS codes to lock down access to your account. They can assure you that they keep funds in cold storage. But 2FA only protects your login to the exchange; it does nothing about what the exchange itself can do with the keys, or what an attacker who compromises the exchange can do with them. Whether there are 5 or 500 layers of security, never forget that they still hold your keys.

So what should you do?

The first step is to take ownership back. Most exchanges provide a way to withdraw your holdings to another address. It is usually buried behind a few menus, but you should be able to find it. Create addresses in a product under your own control, such as Signata, and use those addresses as the destination for withdrawals from the exchange. Double-check the destination address before confirming, and send a small test amount first: a transaction to the wrong address cannot be reversed.

The second step is to enable 2FA on the exchange anyway. Yes, we have just explained why 2FA alone does not protect your holdings, but that is no reason not to use it. At some point you will want to move holdings from Signata back into the exchange to trade them for fiat (or other currencies), and 2FA protects that account. If your exchange supports YubiKeys for 2FA, even better: you can use the same YubiKey both to log in to the exchange and to protect your private keys in Signata.

The most secure way to keep cryptocurrency is to stay decentralised. Be the owner of your crypto assets, and keep the power to send them wherever and whenever you want. Don't let exchanges hold on to your assets; hold them in a wallet that you control. Try Signata today for free: you can add as many addresses and YubiKeys as you like, and we never see your private keys.

Timothy Quinn

Managing Director of Congruent Labs