Authentication Matters - Coinbase Account Take Over Statistics

Why would we do such a thing?

We believe in transparency. We believe that customers who are more aware of the risks will be empowered to behave in a safer manner. We want our customers to know all the resources available to them to keep themselves and their Coinbase accounts safe. We want them to understand how effective strong two-factor authentication technology is at protecting consumers on-line. 

We empower our customers

Coinbase offers a range of authentication options to our customers, and we automatically “opt-in” our customers to our most basic form of multi-factor authentication - text based authentication.  This is a simple solution whereby immediately after a customer successfully enters their username and password, they are prompted to enter a security code that is sent via text message. The username/password is the first factor, and the security code texted to their phone is the second factor.  While text based two-factor authentication is significantly better than a simple username / password combination it isn’t perfect. It is vulnerable to SIM-Swap attacks which may allow a sophisticated attacker to gain control of a victim’s mobile phone number and thus receive text messages intended for the victim.

To combat this threat, Coinbase offers stronger forms of two-factor authentication to our customers. We offer time-based one time password (TOTP) solutions, such as Duo or Google Authenticator. This eliminates the dependency on a customer’s mobile carrier in exchange for an app running on the customer’s mobile phone. That app provides a time based code, which acts as the second factor for authentication to a Coinbase account. We also support “push notifications” directly to a customer’s Coinbase app on a registered and authenticated device, prior to allowing any additional devices or computers to log in or transact.  

Strongest of all, we support physical security keys for authentication.  This is the most robust form of authentication we currently offer since it uses a physical security key in the form of a USB token, that is required to access your Coinbase account and can be required to approve transactions.  Since this is a hardware token it requires physical access to the token, in conjunction with the correct username and password to facilitate access. Compromising an account secured with physical security keys requires a significantly more sophisticated attack!  Attacks like this usually combine full remote control of a victim’s phone or computer along with the attacker directly talking to the victim to trick them into providing access.  Or a direct in-person attack on an individual.  While this does happen - it is rare as you will see below.

Authentication strength matters!

We see a sharp decrease in the prevalence of successful account take-overs in our user populations that adopt stronger authentication options.  *Percentage of ATOs associated using the noted authentication mechanism as of November 2022.

It is clear that the stronger forms of authentication offer significant benefits in terms of account security. Customers with higher overall balances and wealth are far more likely to be targeted by attackers - and fortunately they also tend to adopt the strongest forms of authentication.

Just over 5% of our user base has chosen push, time based one time passwords, and physical security keys - but those users represent over 57% of the assets we have under custody. Unfortunately, 95% of our customers still opt to rely only on SMS for the 2FA. 

If you are a Coinbase customer, or a customer of any on-line financial service company, it’s time for you to consider stepping up your security. We encourage you to select the strongest form of authentication available to you!  Check out these tips for upgrading your authentication at Coinbase, and consider selecting at a minimum our Time Based One Time Password (TOTP) solution to protect your account.  Stay safe!