Exchanges add support for hardware 2FA


Phishing scams are becoming more common, with criminals using emails, text messages and phone calls to trick victims into giving them personal information.

According to the National Cyber Security Centre in the United Kingdom, 29 million phishing scams have been reported since the beginning of 2024.

Blockchain security platform Scam Sniffer estimates that more than 324,000 crypto users fell victim to phishing scams in 2023. Its “2023 Wallet Drainers Report” indicates that nearly $295 million worth of digital assets was lost to wallet drainers in 2023.

With phishing scams on the rise, some cryptocurrency exchanges have begun encouraging users to adopt certain tools to protect their funds.

Crypto exchanges recommend a second layer of security

Jacob Klein, director and head of trust and security at Coinbase, told Cointelegraph that Coinbase was one of the first crypto exchanges to offer YubiKey compatibility.

While Yubico introduced YubiKey devices in 2008, some crypto exchanges began allowing customers to use them in 2019 following the first major bull run.

“YubiKey devices are the most secure form of authentication we offer,” said Klein.

According to Klein, YubiKey devices can serve as the two-factor authentication (2FA) that Coinbase requires.

“This means that a user will need to use a physical YubiKey device to access their account,” he said.

This can be useful, as Klein notes that account passwords can be lost or even compromised in phishing attacks.

“With all the phishing scams going on, the question that users should be thinking about is ‘How can I avoid being hacked?’ That's why YubiKey may seem like the obvious and best solution to protect crypto funds,” he said.

Cryptocurrency exchange Binance introduced YubiKey support for users in 2019.

Binance's Chief Security Officer Jimmy Su told Cointelegraph, “Being able to physically access the YubiKey makes it a very secure 2FA method. The only way an attacker can bypass this is to gain access to the YubiKey. This is in contrast to sending a one-time password code via SMS or email, which is more vulnerable to phishing attacks.”

Passkeys can also protect against phishing attacks.

While YubiKey devices can be one of the best measures to prevent phishing, crypto exchanges have recently adopted new solutions for users.

For example, Klein shared that Coinbase supports a new type of MFA called “passkeys,” a form of user authentication that uses “encryption technology linked to a user's device, such as their smartphone.”

According to Klein, any Coinbase user can turn on the passkey option when accessing their account.

Kaja Ahmed, chief information security officer at cryptocurrency exchange Gemini, told Cointelegraph that Gemini recently released support for passkeys, saying “passwords are somewhat more convenient than physical YubiKeys because they don't involve an external physical device.”

Tom D'Eletto, head of product at crypto security platform Arculus, told Cointelegraph that while software passkeys are a step in the right direction, a hardware-bound passkey, via a USB dongle or NFC-enabled card, is the gold standard for security.

D'Eletto explained that “FIDO2” is an open standard used by both passkeys and YubiKeys. He recently shared that Arculus has implemented its own FIDO2-certified keys in the form of a metal credit card.

The first YubiKey using the FIDO standard was released in 2014.
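The phishing resistance attributed above to FIDO2 keys and passkeys comes from checks the relying party makes on every login: the browser, not the user, records which origin asked for the assertion, and the authenticator hashes the relying-party ID into its response. The following is an added example, not code from the article or from any exchange named in it; the `.example` domains and function names are constructed for illustration, and signature verification against the registered public key is a separate required step not shown.

```python
import base64
import hashlib
import json

# Constructed values for this example; not taken from the article.
RP_ID = "exchange.example"
EXPECTED_ORIGIN = "https://exchange.example"

def b64url(data: bytes) -> str:
    """base64url without padding, as used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def simulate_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Stand-in for browser + authenticator. The browser, not the page or
    the user, writes the origin; the authenticator hashes the RP ID."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    flags = 0x01 | 0x04                      # user present + user verified
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (1).to_bytes(4, "big"))  # signCount = 1
    return client_data, auth_data

def check_assertion(client_data_json: bytes, auth_data: bytes,
                    issued_challenge: bytes) -> list:
    """Return the names of failed checks (empty list = checks passed)."""
    failed = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(issued_challenge):
        failed.append("challenge")           # stale or replayed response
    if cd.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")              # assertion made on another site
    if len(auth_data) < 37:                  # 32 hash + 1 flags + 4 counter
        return failed + ["authData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failed.append("userPresent")
    return failed

def demo():
    challenge = bytes(range(32))  # constructed; a real server uses random bytes
    genuine = check_assertion(
        *simulate_assertion(EXPECTED_ORIGIN, RP_ID, challenge), challenge)
    # Same challenge relayed through a look-alike site: the browser records
    # that site's origin and only lets it use an RP ID within its own domain.
    relayed = check_assertion(
        *simulate_assertion("https://exchange-login.example",
                            "exchange-login.example", challenge), challenge)
    return genuine, relayed
```

A one-time code sent by SMS or email carries no such binding, so the server has no way to tell where the user typed it.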

“USB hardware keys […] although they have been on the market for many years, they have not achieved mainstream mass adoption,” said D'Eletto. “Arculus puts the FIDO2 authenticator in the form of a metal credit card, allowing people with the Arculus authenticator to simply touch their card to the back of their phone for authentication.”

D'Eletto says this will give consumers a more familiar experience: “Think of it like an ATM experience – when you go to an ATM, you use your PIN and your bank card to access your account. Arculus allows the same flow and secure authentication on your phone.”

Protection from phishing scams, but not much else.

Shahar Madar, vice president of security and integrity products at Fireblocks, told Cointelegraph that it's important to understand that YubiKeys and similar physical devices do not hold the user's wallet or private key.

“It is only used by a wallet or exchange to verify the end user and receive their consent for transactions,” Madar said.

According to Madar, the most compelling use case for these tools is to reduce takeovers of end-user accounts. While this may protect users from phishing attacks, Madar stressed that a YubiKey or passkey cannot protect against a hack of the cryptocurrency exchange itself.

With this in mind, crypto users may consider storing funds in hardware wallets. Singaporean authorities recently recommended hardware wallets to protect against wallet drainer attacks.

However, hardware wallets come with their own challenges. For example, if a hardware wallet user loses their private keys, their cryptocurrency may be irretrievable.

Klein explained that a YubiKey linked to a Coinbase account could be useful in this case. “If a user loses their YubiKey device, they can still get back into their Coinbase account because there is a mechanism for users to regain account access,” he said.
