Xác thực hai yếu tố (2FA)

A password alone is a single point of failure — leaks and phishing make passwords unreliable on their own. Two-factor authentication requires a second proof of identity at login, so even a stolen password isn't enough to get in. Turning it on is the highest-impact security step for any exchange account.

Not all 2FA is equal. SMS codes are better than nothing but vulnerable to SIM-swap attacks, where an attacker ports your phone number to their device. An authenticator app (TOTP) is much stronger, and a hardware security key is stronger still, resisting phishing because it verifies the real site before responding.

Beyond 2FA, exchanges offer extra hardening worth enabling: a withdrawal address whitelist (so funds can only leave to pre-approved addresses), an anti-phishing code (so you can spot fake emails), and login and withdrawal alerts. Each closes a door that attackers commonly use.

Protect the 2FA itself. Save your authenticator backup codes offline when you set it up, so you aren't locked out if you lose your phone, and never enter a 2FA code on a site you reached from a link. Combined with a unique password and self-custody for large holdings, strong 2FA makes account takeover very hard.