Coinbase offers 2-step verification, also known as 2-factor (2FA) or multifactor authentication, as an added security layer on top of your username and password.
With 2-step verification enabled on your account, you'll need to provide a unique verification code sent to your phone in addition to your username and password.
Some events that can trigger 2-step verification
Sign-in attempt from an unrecognized device
Sign-in attempt from an unrecognized phone number
Sending crypto out of your Coinbase account
Note: Coinbase no longer supports Authy.
Learn how to troubleshoot 2-step verification issues.
Security Key - Most secure
This is the most secure 2-step verification method because it requires possession of a physical device: an attacker would have to gain both physical access to your 2-step verification key and access to your digital information.
Coinbase supports all WebAuthn / FIDO2 standard security keys. One option for a security key is Yubico's YubiKey. Learn how to use a security key by visiting our help article Using and Managing Security Keys.
Duo and Google Authenticator (TOTP) - Secure
These are apps that generate a one-time code based on both of these factors: 1) the current date and time on your phone and 2) a secret key known only to you and Coinbase.
Coinbase shows you a QR code representing the secret key, which you then scan using an Authenticator app on your phone.
Coinbase Security Prompt - Secure
Coinbase Security Prompt delivers push notifications from your active mobile app session to either approve or deny a login attempt that’s made from a different device (such as web, mobile web, or the mobile app on a different device). This supplementary feature is enabled by default if you’ve chosen text messages (SMS) as your 2-step verification method.
SMS/Text - Least secure
SMS/Text is a phone app or text-based authentication method. Since SMS is linked to a phone number, it can leave you susceptible to phone number porting attacks. These types of attacks involve an attacker transferring or "porting" a victim's phone number to a device the attacker controls, effectively taking over the number and associated 2-step verification codes.