Coinbase Pro

2-step verification FAQ

What is 2-factor authentication (2FA)?

Two-factor authentication (2FA), also known as 2-step verification, is a security layer in addition to your username and password. With 2FA enabled on your account, you will have to provide your password (first "factor") and your 2FA code (second "factor") when signing in to your account. 2FA codes are associated with a specific device (such as your phone) or your phone number.

2FA Type


Potential Option(s)

Level of security

Security Key

A physical hardware authentication device designed to authenticate access through one-time-password generation.

Yubico's yubikey

Highly recommended by Coinbase


An algorithm that generates a code based on the current time and a secret key known only to you and the online service, in this case Coinbase

Google Authenticator, Duo

Second highest


Phone app authentication or text based authentication


Least secure

How do Security Keys work?

For more information on using a Security Key please visit:

How does TOTP work?

Coinbase shows you a QR code, which is a representation of the secret key, which you then scan using an Authenticator app on your mobile device. Google Authenticator and several other authenticator apps allow you to generate TOTP codes using your mobile device or computer.

Which type of 2-factor authentication should I use?

Security Keys

This is the most secure 2-factor authentication method as this utilizes physical devices that cannot be compromised electronically, so an attacker would have to gain physical access to your 2-factor authentication key and access to your digital information.

Coinbase supports all WebAuthN / Fido2 standard security keys.

Why is SMS/Text the least secure?

Since SMS and the Authy app are linked to a phone number, they can leave you susceptible to phone number porting attacks. These types of attacks involve an attacker transferring or "porting" a victim's phone number to a device the attacker controls, effectively taking over the number and associated 2-factor authentication codes.