How to Set Up 2FA on Coinbase (and Other Crypto Exchanges) with an Authenticator App
Protect your cryptocurrency with proper 2FA. Step-by-step guide to setting up authenticator app MFA on Coinbase, Kraken, Binance, and Gemini. Never use SMS for crypto.
If there’s one type of account where two-factor authentication is absolutely non-negotiable, it’s a cryptocurrency exchange. Unlike a bank, there’s no fraud department to call, no FDIC insurance, and no chargebacks. If someone drains your crypto wallet, it’s gone. Forever.
This guide covers setting up TOTP-based 2FA on Coinbase, with additional sections for Kraken, Binance, and Gemini. The process is similar across exchanges, but the details differ.
Never Use SMS for Crypto
This is worth saying loudly: do not use SMS-based 2FA on any cryptocurrency exchange. SIM-swapping — where an attacker convinces your carrier to transfer your phone number to their SIM — is the primary attack vector for crypto theft. Attackers specifically target crypto holders because:
- The payoff is immediate and irreversible
- Phone carrier employees can be bribed for as little as $100
- Once they have your SMS codes, they drain your account in minutes
An authenticator app generates codes locally on your device. There’s nothing to intercept, no carrier to social-engineer, no SIM to swap.
What You’ll Need
- An account on your exchange of choice
- A phone with an authenticator app (FactorCat, Google Authenticator, or any TOTP-compatible app)
Coinbase
1. Open Security Settings
Sign in to coinbase.com. Click your profile icon → Settings → Security.
2. Change Your 2FA Method
Under 2-step verification, you’ll see your current method (likely SMS if you haven’t changed it). Click “Select a different verification method” or “Manage” next to 2-step verification.
Select “Authenticator app (TOTP).”
3. Scan the QR Code
Coinbase displays a QR code and a secret key.
- In FactorCat: Tap + → Scan QR Code. Coinbase is identified and labeled automatically.
- In other apps: Scan or enter the key manually.
4. Enter the Verification Code
Type the current 6-digit code from your authenticator app. Coinbase may also send a verification email or SMS to confirm the change.
5. Disable SMS Fallback
After setting up your authenticator app, go back to security settings and disable SMS as a backup method if possible. Having SMS as a fallback defeats the purpose — an attacker can still SIM-swap and use the SMS fallback to bypass your authenticator.
6. Save Recovery Information
Note your Coinbase recovery options. Coinbase provides a recovery process via identity verification if you lose your 2FA device, but it takes days to weeks. Having your authenticator app’s backup/recovery codes is much faster.
Kraken
- Sign in to kraken.com → Security → Two-factor authentication
- For Sign-in 2FA, select “Authenticator app”
- Scan the QR code with your authenticator app
- Enter the verification code
- Also enable 2FA for trading and funding. Kraken lets you set separate 2FA for sign-in, trading, and funding (withdrawals). Enable all three — an attacker who compromises your session can’t withdraw funds without the additional 2FA check.
Kraken also offers a Master Key — a separate credential for account recovery. Set this up and store it securely.
Binance
- Sign in to binance.com → Account → Security
- Click “Enable” next to Authenticator App (Binance may call it “Binance/Google Authenticator”)
- Scan the QR code and enter two consecutive codes (similar to AWS — Binance requires two codes from different 30-second windows)
- Save your backup key
Important: Binance also requires an authenticator code for withdrawals by default. Do not disable this.
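The mechanism behind every step above is the same: the app turns the secret from the QR code plus the current 30-second window into a 6-digit code, and a “two consecutive codes” enrolment check (the Binance/AWS style) verifies that the device produced two different, adjacent windows rather than one code typed twice. The following is an added illustration, not code from this guide or from any exchange; the secret and timestamps are the published RFC 6238 test values, not a real account key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32, which is the
# form an exchange prints next to its QR code. Not a real account key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per TOTP window


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second windows since the Unix epoch.
    This is all the authenticator app does; nothing travels over the phone network."""
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, unix_time // STEP, digits)


def verify_two_consecutive(secret_b32: str, first: str, second: str, now: int, skew: int = 1) -> bool:
    """Enrolment check of the kind Binance describes: both codes must be valid and must come
    from two adjacent windows, in order. The same code entered twice is rejected, which shows
    the device is producing fresh codes. `skew` tolerates a little clock drift either way."""
    key = base64.b32decode(secret_b32.upper())
    current = now // STEP
    # Candidate windows for the first code; the second must belong to the window after it.
    for w in range(max(0, current - 1 - skew), current + skew + 1):
        ok_first = hmac.compare_digest(hotp(key, w), first)
        ok_second = hmac.compare_digest(hotp(key, w + 1), second)
        if ok_first and ok_second:
            return True
    return False


if __name__ == "__main__":
    for t in (0, 30, 60):
        print(f"window starting at t={t:>3}: {totp(DEMO_SECRET_B32, t)}")
    print("enrolment accepted:", verify_two_consecutive(DEMO_SECRET_B32, "755224", "287082", now=45))
```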
Gemini
- Sign in to gemini.com → Settings → Security → Two-Factor Authentication
- Select “Authenticator app”
- Scan the QR code
- Enter the verification code
- Gemini also supports hardware security keys (YubiKey) — consider this as an additional layer if you hold significant assets
Best Practices for Crypto Security
- Use a dedicated email for exchange accounts. Don’t use your primary email. Create a separate email address used only for crypto exchanges, and enable 2FA on that email too.
- Enable withdrawal address whitelisting. Most exchanges offer this — you can only withdraw to pre-approved wallet addresses. A new address requires a 24–72 hour waiting period, giving you time to react to unauthorized access.
- Use different passwords for each exchange. A breach at one exchange shouldn’t compromise your accounts at others.
- Be suspicious of everything. Phishing attacks targeting crypto users are sophisticated. Always navigate to exchanges directly — never click links in emails or messages. Check the URL carefully.
- Consider cold storage. If you hold significant crypto long-term, move it to a hardware wallet (Ledger, Trezor). Exchanges are for trading, not storage.
Tips for Managing Multiple Exchange Tokens
If you trade on multiple exchanges, you’ll have several 2FA tokens to manage. Label them clearly in your authenticator app — “Coinbase,” “Kraken,” “Binance,” etc.
In FactorCat, domain matching handles this automatically: when you visit coinbase.com, the extension knows which token to use and presents the right code. No scrolling through a list of 20+ tokens.
Next Steps
Crypto accounts secured. Protect the rest of your digital life:
- Set up 2FA on Google — protect the email behind your exchange accounts
- Set up 2FA on GitHub — if you write code, protect your repos
- Set up 2FA on Discord — crypto communities on Discord are prime phishing targets
Managing TOTP tokens across Coinbase, Kraken, Binance, and a dozen other services? FactorCat matches tokens to the right site automatically and auto-fills codes in your browser. When Coinbase asks for a code, your phone buzzes, you tap approve, and you’re in. No fumbling with the wrong token.