Skip to main content
Don't invest unless you're prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong. Take 2 min to learn more.

What Is 2FA and Why Crypto Accounts Need It

Text codes, authenticator apps and hardware keys, ranked honestly, and why a hijacked crypto account has no undo button.

beginner6 min readDan Clarke
Hero image for what-is-2fa

TL;DR

  • 2FA adds a second proof at login: something you have on top of the password you know.
  • Crypto transfers cannot be recalled, so a hijacked account usually means the money is gone.
  • SMS codes lose to SIM swaps. Authenticator apps and hardware keys never touch the phone network.
  • Switch 2FA on before funding an account, and keep the backup codes on paper.
  • Educational guide only, not financial advice.

Your phone goes quiet on an ordinary afternoon, no bars, no texts, and you put it down to the network having a bad day. Meanwhile a stranger's handset is answering to your number, and every login code your accounts text out to prove you are you lands on their screen. Email first, then the crypto account, then the coins.

That is a SIM swap, and it is how roughly $24 million in crypto left one American investor in 2018. It is also the whole reason security people rank text-message codes last. This guide is a how-to, not financial advice.

The second lock on the door

Two-factor authentication, 2FA for short, is a second proof at login. The password is something you know, the second factor is something you have: a phone, an app, a small key. A thief now needs to steal two different things at once, which is a much harder job than phishing one password out of you.

Nothing about the idea is new: British shoppers have lived with it since 14 February 2006, when chip and PIN became the rule at UK tills. Card in hand, number in head, useless apart.

Passwords leak, constantly: they get reused across sites, guessed by software, phished by convincing emails and dumped in breach files that keep circulating years after the site that lost them has apologised and moved on. 2FA is the layer that holds after the password has already failed, and on most crypto platforms it costs nothing to switch on.

Why crypto punishes a hijacked account

Card fraud comes with an undo button: spot a rogue payment and you can dispute it, often for around 120 days. Banks reverse transactions across their network every day of the week.

Crypto has no such desk, none. A bitcoin transfer, once confirmed, stays sent whoever pressed the button, whether that was you on the sofa or a thief who walked in through a recycled password. No recall, no dispute form, nobody to phone at 9am. An account takeover here usually means the money is gone for good.

So the same stolen password costs a bank customer some paperwork and costs a crypto holder everything. That gap is the whole argument for 2FA in one line.

SMS codes and the attack that beat them

The six-digit code by text is the weak member of the family. The code itself is fine, the problem is the phone number it rides on, which can be stolen without anyone touching your handset.

A SIM swap runs on persuasion: the attacker rings your mobile network, claims to be you, and talks a support agent into porting your number to a SIM in their pocket. Sometimes they skip the acting and bribe an insider. Your phone drops off the network, theirs lights up, and every code sent by SMS, including the one that approves a withdrawal, goes straight to them.

The case that made the technique famous: US investor Michael Terpin sued AT&T in 2018 after a SIM swap was tied to the theft of roughly $24 million in crypto. Networks have tightened their checks since, but the attack keeps working anyway, because somewhere there is always a tired agent on a Friday shift.

SMS still beats a bare password, and on some platforms it is the only option offered. Treat it as a stopgap while you set up something better.

Authenticator apps: codes that never leave the phone

An authenticator app such as Google Authenticator or Authy makes the six-digit code on the device itself. The maths behind it, called TOTP, was standardised as RFC 6238 back in 2011. At setup your phone and the platform share a secret, usually through a QR code, and from then on both derive the same fresh code every 30 seconds.

Nothing travels over the phone network, so an attacker can port your number, read your texts, stand in your street with an aerial, and none of it matters. There is nothing in transit to catch.

Free, two minutes to set up, and for most people holding coins on a platform it is the floor worth standing on.

Hardware keys: the tier phishing cannot reach

A hardware security key is a small device, usually USB or NFC, that approves a login with a physical tap. Passkeys do the same job in software, hiding behind the fingerprint scanner on newer phones, so there is a decent chance you already own this tier without knowing it. Both ride the FIDO2 and WebAuthn standards, mainstream since 2022.

Their party trick is checking the website's identity before signing. A convincing fake login page can fool a tired human into typing a password and a code. It cannot fool the key, which flatly refuses to sign for the wrong domain. Phishing, the oldest move in the book, stops working.

Keys cost real money and you should buy a spare for the drawer. Against a large balance, that is loose change.

Set it up without locking yourself out

The practical bits, in the order you should do them.

  1. Switch 2FA on before the account ever holds money: if the coins arrive through an on-ramp such as Banxa, which has run fiat-to-crypto plumbing since 2014 across 100-plus countries, the account they land in should have its second lock fitted first.

  2. Save the backup codes the moment you enrol, on paper, offline, nowhere near the phone, because locked-out-with-2FA is a whole category of support ticket and the codes are the way back in.

  3. Expect a freeze after changes: many platforms hold withdrawals for around 24 hours after a 2FA or password change, annoying when it is you, protective when it is not.

  4. Whitelist withdrawal addresses where the platform offers it, and then even an intruder inside the account can only send coins to destinations you approved in calmer times.

One boundary: 2FA protects platform accounts, and coins in self-custody answer to a seed phrase instead, so no login code will rescue a phrase typed into a phishing site.

Never approve a prompt you did not start

One rule with no exceptions.

Attackers who already hold your password will fire approval prompts at your phone in the hope that you tap yes at 11pm just to make them stop. That trick, prompt bombing, helped an intruder into Uber's internal systems in September 2022. A surprise prompt is not noise, it means someone has your password right now, so refuse it and go change that password.

The ranking is blunt: a hardware key beats an app, an app beats SMS, and SMS beats a bare password. The middle tier is free and takes two minutes tonight. Thieves pick the doors that are cheapest to open.

Frequently Asked Questions

Yes. It stops the attacker who only has your password, which is most of them. The weakness is SIM swapping, where your number is ported to someone else's SIM, so treat SMS as the starter option and move to an authenticator app when you can. The upgrade takes about two minutes.

An attacker convinces your mobile network to move your number onto their SIM, usually by impersonating you to a support agent. Your phone goes dead and theirs starts receiving your calls and texts, including login codes. The Michael Terpin case in 2018, involving roughly $24 million in crypto, made the attack famous. Some networks will add a port-out password or extra ID checks if you ask.

This is exactly what backup codes are for. Every platform shows a set when you enrol; kept on paper, they get you back into the account from any device. Some apps also offer encrypted cloud backups. Without either, expect a slow identity-check process with support, which is deliberate.

Many platforms hold withdrawals for around 24 hours after a 2FA or password change. If a thief has just taken over the account, that delay stops them draining it before you notice. Irritating when the change was genuinely you, but the freeze has saved plenty of accounts.

Probably not on day one. A free authenticator app covers most people well. Keys earn their keep as balances grow, or if you are visible online in ways that make you a target. If you do buy one, buy two and register both, because a lost only-key is its own headache.

No. A surprise prompt means someone already has your password and is at the door. Refuse it, then change the password straight away. Attackers send repeated prompts hoping you tap approve out of reflex, which is how Uber was breached in September 2022.

By Dan ClarkeLast updated: 14 July 2026