Coinbase now requires two-factor authentication (also known as 2FA) for certain transactions and changes to an account. The one primarily dealt with in their blog post is sending more than $100 of Bitcoin in a day. They also list the following scenarios as requiring 2FA before the action can be completed:
- Recurring sends
- Enabling/disabling your API key
- Changing your password
- Changing phones on your account
- Changing your Google Authenticator settings
- Changing your SMS pin number
What does this mean for Coinbase users? Nothing but good things, fortunately. Putting another layer between an attacker or scammer and your BTC is always a great thing to do. It can be a hassle for some users, but ultimately it is like putting your money in a locked deposit box rather than a vault. The locked deposit box stores only your items, and it sits in a locked room itself. The vault is well protected, yes, but if it is breached, every user of that vault stands to lose a lot: someone who breaks into a vault can get away with everything inside, regardless of who owns it. In a scenario where 2FA is enforced (the deposit box scenario), the attacker can’t do much with the account, since they would also need your phone (a second key) to do anything major with it.
What’s interesting, although unsurprising, to note is that they specifically mention that “Two factor verification does not apply to Coinbase access via the API key or via OAuth. So you still need to be careful with not leaking your API key and only authenticating trusted applications via OAuth.” This weakness in the system is likely to be abused more now that more of the options for scammers are being closed off with extra security. Coinbase users (myself included) should be wary of any website that asks for your API key, and if it doesn’t seem legitimate, leave quickly.
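To make the policy above concrete, here is an added step-up authentication check modelled on the rules the post describes. It is illustration only, not Coinbase's code: the action names, the 24-hour rolling window for "in a day", and the use of epoch-second timestamps are my assumptions. It aggregates sends over the day so several small transfers cannot stay under the bar, and it makes the API-key/OAuth exemption an explicit, logged decision rather than a silent one.

```python
"""Step-up 2FA decision modelled on the Coinbase rules quoted in the post.
Added illustration, not Coinbase code. Action names, the 24h window and
epoch-second timestamps are assumptions."""
from collections import defaultdict

DAILY_SEND_THRESHOLD_USD = 100.0   # "more than $100 of Bitcoin in a day"
WINDOW_SECONDS = 24 * 60 * 60      # assumed meaning of "in a day"
SENSITIVE_ACTIONS = {              # actions the post lists as 2FA-gated
    "recurring_send", "api_key_toggle", "password_change",
    "phone_change", "authenticator_change", "sms_pin_change",
}
# Auth paths the post says 2FA does NOT cover (the gap it warns about).
TWO_FACTOR_EXEMPT_PATHS = {"api_key", "oauth"}


class StepUpPolicy:
    def __init__(self):
        # account id -> list of (timestamp_seconds, usd_amount) completed sends
        self._sends = defaultdict(list)

    def _sent_in_window(self, account, now):
        """Drop sends older than the window and total what remains."""
        cutoff = now - WINDOW_SECONDS
        self._sends[account] = [(t, a) for t, a in self._sends[account] if t > cutoff]
        return sum(a for _, a in self._sends[account])

    def requires_2fa(self, account, action, auth_path, now, amount_usd=0.0):
        """Return (needs_2fa, reason). Exempt paths are reported explicitly so the
        decision can be logged and alerted on, mirroring the gap the post quotes."""
        if auth_path in TWO_FACTOR_EXEMPT_PATHS:
            return False, f"exempt path: {auth_path}"
        if action in SENSITIVE_ACTIONS:
            return True, f"sensitive action: {action}"
        if action == "send":
            # Aggregate over the window so five $30 sends trigger like one $150 send.
            projected = self._sent_in_window(account, now) + amount_usd
            if projected > DAILY_SEND_THRESHOLD_USD:
                return True, f"daily sends would reach ${projected:.2f}"
        return False, "below threshold"

    def record_send(self, account, now, amount_usd):
        """Call after a send completes so later decisions see the running total."""
        self._sends[account].append((now, amount_usd))
```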