2FA for Crypto, Done Right: The Five-Minute Upgrade That Matters
Quick Answer
Two-factor authentication adds a second lock beyond your password, but the type matters enormously. SMS codes can be stolen by hijacking your phone number; authenticator apps and hardware security keys can't. Switching takes five minutes and closes the single most exploited hole in exchange accounts.
The logic of 2FA: a password is something you know, and knowledge leaks through phishing, breaches, and reuse. A second factor adds something you have, so a stolen password alone opens nothing. Every exchange offers it, and enabling it is non-negotiable. The trap is that the most common type is also the weakest, and crypto accounts are precisely where attackers bother to exploit that.
SMS codes fail to a SIM-swap: an attacker convinces or bribes a mobile carrier to move your number to their SIM (using leaked personal data to pass 'verification') and your security codes now arrive on their phone. This isn't theoretical; it's the standard playbook behind countless exchange-account drainings, and known crypto holders are targeted specifically. The fix costs nothing: an authenticator app (TOTP) generates codes on your device from a local secret that never touches the phone network. Carrier-proof by design.
The full ladder, in strength order: SMS (better than nothing, retire it), authenticator app (the practical standard; back up its seed when shown, or losing the phone means a support-ticket ordeal), and a hardware security key (FIDO2/passkey), which adds phishing immunity since the key cryptographically refuses to authenticate to fake domains. The five-minute action: open your exchange's security page, enable app-based or key-based 2FA, remove your phone number as an authentication and recovery method, and apply the same to the email account that anchors everything else.
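To make the "local secret" and "back up its seed" points concrete, here is an added example (not from the original article or any exchange's code) of how a TOTP code is computed per RFC 6238 and checked on the server side. The function names are illustrative, and the seed is the published RFC 6238 test key rather than a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the published RFC 6238 test key, not a real account seed.
RFC_TEST_SEED = base64.b32encode(b"12345678901234567890").decode()

def totp(seed_b32, at=None, step=30, digits=6):
    """Return the RFC 6238 (HMAC-SHA1) code for a Base32 seed at Unix time `at`.

    The only inputs are the seed and the clock: no phone number, no network.
    """
    seed = seed_b32.upper().replace(" ", "")
    seed += "=" * (-len(seed) % 8)              # restore stripped Base32 padding
    key = base64.b32decode(seed)
    now = time.time() if at is None else at
    counter = max(0, int(now) // step)          # 30-second time step number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(seed_b32, submitted, at=None, drift=1, step=30):
    """Server-side check: accept the current step plus/minus `drift` steps."""
    now = time.time() if at is None else at
    ok = False
    for k in range(-drift, drift + 1):
        expected = totp(seed_b32, now + k * step, step)
        # Constant-time comparison; every candidate is checked, no early exit.
        ok |= hmac.compare_digest(expected, submitted)
    return ok

if __name__ == "__main__":
    # Any device holding the same seed derives the same code at the same time,
    # which is why a backed-up seed restores 2FA on a replacement phone.
    code = totp(RFC_TEST_SEED, at=59)
    print("code at t=59:", code)
    print("accepted one step later:", verify(RFC_TEST_SEED, code, at=89))
    print("accepted two minutes later:", verify(RFC_TEST_SEED, code, at=179))
```

The same property cuts both ways: anyone who copies the seed can generate valid codes, so a seed backup needs the same protection as the account itself.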