
Earning user trust with our secure login service

TL;DR: At Coinbase, user security and earning user trust are top priorities. We built our login service from the ground up with that in mind and reinforced it with multiple layers of security to protect our users.

By Joe Biesemeyer, Collin Hart

Company, May 5, 2023


At Coinbase, we’re working hard to help update the financial system by building trusted products that expand the utility and adoption of crypto. We’re doing this because we believe crypto and blockchain technology have the ability to increase economic freedom and opportunity around the world. Coinbase chose to become a public company in the US because we believe the US would best be served by embracing this fundamental innovation, but we’re also focused on international markets, many of which are moving forward with strategies to become “crypto hubs.” We’re enthusiastic about furthering our mission and recognize that to achieve this we must earn and uphold trust with our users by implementing robust security controls, safeguarding their accounts, and increasing confidence. That’s why we’ve built our login service from the ground up with those principles in mind. 

Protecting users with enhanced login security

Attacks that result in unauthorized access to user accounts, known generally as account takeovers (ATOs), are a large problem facing the digital world today, and we want to help our users protect themselves. A username and password are just the beginning of account security. Here are a few tactics we deploy to protect our users when they log in:

  • OAuth: We use the industry-standard OAuth protocol to treat each of our applications as a distinct client with its own credentials and scopes. Tokens issued to one application are not valid for another, so a security issue in one application is contained rather than becoming a path into the others.

  • Device Verification: Coinbase uses device fingerprinting to recognize the devices a user has logged in from before. A login from a new or unrecognized device must complete additional verification before it proceeds, which helps ensure that the intended person is the one accessing the account.

  • Credential Protection: Our password entropy requirements do a lot to prevent account takeovers and other attacks, but we go further by also checking passwords against dark web breach lists. If a user's Coinbase username and password combination appears in a data dump from another website's breach, we may lock the account until the password is changed. This makes it harder for attackers to reuse credentials leaked from other websites on Coinbase.

  • Session Rotation: Coinbase safeguards user sessions against remote hijacking by periodically rotating session information. Even if an attacker obtains a user's session token, for example through malware on the user's device, the stolen token stops working at the next rotation, which makes it harder to impersonate the user persistently.

  • 2FA: We require two-factor authentication (2FA) on all accounts and offer several types, including hardware keys, Security Prompt, SMS, app-based OTP and, in certain cases, email 2FA. Unlike some other applications, 2FA is mandatory on Coinbase.com and in the Coinbase mobile app. Because the 2FA types differ in how much protection they give, we tell users which options are the highest-security methods. This keeps users safe with another layer of authentication.

  • SIM Swap Protection: SMS is one of the most commonly used types of 2FA, but it carries significant risk because wireless carriers are attacked so frequently. An attacker who convinces a carrier to move a victim's phone number to a SIM they control (a SIM swap) receives the victim's SMS 2FA codes. Coinbase implements measures that can detect some SIM swaps, which lets us identify such events and introduce additional verification steps for the affected accounts.

  • ML Model: To prevent ATOs, we use a machine learning model to block attackers across Coinbase products. To learn more about our machine learning model see here.

  • Bug bounty, penetration testing, threat modeling, and security audits: To keep our login flow as strong as possible, we run routine internal and external penetration tests, conduct regular security audits, perform threat modeling, and maintain an active bug bounty program. These layers of review and scrutiny let us continuously evaluate and improve our security posture over time, especially as crypto and the threats against it evolve.
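Three of the controls in the list above (credential protection, app-based OTP and session rotation) worked through as an added example. This is illustrative code written for this page, not Coinbase's login service: the breach corpus is constructed inline, the k-anonymity prefix lookup stands in for whatever breach-list source is actually used, the 600-second rotation interval and one-step OTP window are assumptions, and the TOTP routine is checked against the RFC 6238 published test vector.

```python
"""Added example, not Coinbase code: three of the login controls listed
above, run against constructed in-memory data.

  * credential protection: breached-password check in the k-anonymity
    range-lookup shape (SHA-1, 5-hex-char prefix out, suffixes back)
  * app-based OTP: TOTP per RFC 6238, one-step window, constant-time compare
  * session rotation: a session id is replaced after `rotate_after` seconds
    and the superseded id is rejected from then on
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Set, Tuple

# --- Credential protection --------------------------------------------------
# Constructed "breach corpus" standing in for a third-party dump. A real
# deployment would query a breach-list service by hash prefix; the shape of
# the lookup is the same.
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "letmein", "qwerty123")
}

def range_lookup(prefix: str) -> Set[str]:
    """Suffixes of every corpus hash starting with `prefix` (5 hex chars).
    Only the prefix leaves the caller; the full hash never does."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def password_is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])

# --- App-based OTP (TOTP: HMAC-SHA1, 30 s step) -----------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift;
    compare in constant time so a guess cannot be timed digit by digit."""
    if not code.isdigit():
        return False
    for delta in range(-window, window + 1):
        counter = at // 30 + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return True
    return False

# --- Session rotation -------------------------------------------------------
class SessionStore:
    """Each session id is replaced after `rotate_after` seconds, so an id
    lifted by malware stops working at the next rotation."""
    def __init__(self, rotate_after: int = 600):      # interval is assumed
        self.rotate_after = rotate_after
        self._sessions: Dict[str, dict] = {}          # sid -> {"user", "issued"}

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "issued": now}
        return sid

    def resolve(self, sid: str, now: float) -> Tuple[Optional[str], Optional[str]]:
        """Return (user, current_sid). The caller must send current_sid back
        to the client, because it changes when the old id was due to rotate."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None, None
        if now - entry["issued"] >= self.rotate_after:
            del self._sessions[sid]                   # old id dies immediately
            return entry["user"], self.create(entry["user"], now)
        return entry["user"], sid

if __name__ == "__main__":
    print(password_is_breached("letmein"), password_is_breached("Tr0ub4dor&3-xk"))
    print(totp(b"12345678901234567890", 59, digits=8))   # RFC 6238 vector
    store = SessionStore()
    sid = store.create("alice", now=0)
    _, rotated = store.resolve(sid, now=700)
    print(rotated != sid, store.resolve(sid, now=701))
```

The rotation is deliberately hard-cut: the old id is deleted in the same call that issues its replacement, so a token copied off the device is useful for at most one rotation interval, and any later use of it resolves to no session, which is itself a useful signal to log.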

Protecting against unexpected attack types

Outside of account takeovers, we see other malicious activity aimed at our login service, especially at the infrastructure level. Coinbase protects customers and safeguards its infrastructure with several layers of bot and malicious actor detection that stop attackers from cracking user credentials, block bad actors before they reach the site, and keep Coinbase online and serving users.

  • Broad-Based Rate Limiting: We employ broad-based rate limiting to cap network traffic and prevent attackers from overwhelming Coinbase's infrastructure. We also use Cloudflare to absorb distributed denial of service (DDoS) attacks and to block requests matching known attack signatures with a web application firewall. Both are there to provide a reliable experience for Coinbase users by mitigating service outages.

  • Specific rate limiting: Specific rate limiting applies to particular actions, such as submitting a username and password, to block credential cracking and account takeovers by restricting the number of attempts that can be made. It uses a point-based system, which lets us increase friction when the "user" looks like an attacker rather than the account owner. Attackers commonly spread their attempts across many IP addresses to stay under per-IP limits, which is why Coinbase also limits by the specific action and target account, so the friction accumulates no matter where the attempts come from.
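The two rate-limiting layers above, as an added example that is not Coinbase's code: a per-IP token bucket for the broad layer, and a per-account point score for the specific layer on the password step. The point weights, thresholds, decay rate and bucket sizes are assumptions chosen for the example; the traffic it runs against (a credential-stuffing run from many IPs, and a flood from one IP) is constructed inline.

```python
"""Added example, not Coinbase code: the two rate-limiting layers described
above, exercised with constructed login traffic.

  * broad: a token bucket per source IP in front of every request, there to
    keep the infrastructure up
  * specific: a point score per *target account* on the password step, so a
    credential-stuffing run spread across many IPs still piles friction onto
    the account it is aimed at; the score selects allow / challenge / block
Point weights, thresholds, decay and bucket sizes are assumed values.
"""
from collections import defaultdict
from typing import Dict, List, Set


class TokenBucket:
    """`rate` tokens per second, at most `capacity` stored."""
    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LoginLimiter:
    POINTS = {"bad_password": 10, "good_password": -5, "new_ip": 3}
    CHALLENGE_AT, BLOCK_AT = 15, 40          # score thresholds (assumed)

    def __init__(self, ip_rate: float = 1.0, ip_burst: int = 20, decay_per_s: float = 0.05):
        self.ip_rate, self.ip_burst, self.decay = ip_rate, ip_burst, decay_per_s
        self.buckets: Dict[str, TokenBucket] = {}
        self.score: Dict[str, float] = defaultdict(float)
        self.last_seen: Dict[str, float] = {}
        self.ips: Dict[str, Set[str]] = defaultdict(set)

    def _decayed_score(self, account: str, now: float) -> float:
        """Points leak away slowly, so a locked-out account recovers on its own."""
        elapsed = now - self.last_seen.get(account, now)
        self.score[account] = max(0.0, self.score[account] - elapsed * self.decay)
        self.last_seen[account] = now
        return self.score[account]

    def check(self, ip: str, account: str, now: float) -> str:
        """Decision taken before the password is even looked at."""
        bucket = self.buckets.setdefault(ip, TokenBucket(self.ip_rate, self.ip_burst))
        if not bucket.allow(now):
            return "rate_limited"             # broad, per-IP layer
        score = self._decayed_score(account, now)
        if score >= self.BLOCK_AT:
            return "block"                    # specific, per-account layer
        if score >= self.CHALLENGE_AT:
            return "challenge"                # e.g. require device verification
        return "allow"

    def record(self, ip: str, account: str, outcome: str, now: float) -> float:
        """Feed the password-check outcome back into the account's score."""
        score = self._decayed_score(account, now) + self.POINTS[outcome]
        if ip not in self.ips[account]:       # first sight of this IP on this account
            self.ips[account].add(ip)
            score += self.POINTS["new_ip"]
        self.score[account] = max(0.0, score)
        return self.score[account]


def simulate_stuffing(attempts: int) -> List[str]:
    """Credential stuffing against one account, a fresh IP for every attempt,
    one attempt per second: every IP passes the broad limit, yet the account
    score climbs to challenge and then block."""
    lim = LoginLimiter()
    decisions = []
    for i in range(attempts):
        ip = f"203.0.113.{i}"                 # constructed attacker addresses
        decision = lim.check(ip, "victim@example.com", now=float(i))
        decisions.append(decision)
        if decision in ("allow", "challenge"):
            lim.record(ip, "victim@example.com", "bad_password", now=float(i))
    return decisions


def simulate_flood(requests: int) -> int:
    """One IP firing `requests` checks in the same second: the bucket's burst
    of 20 gets through, the rest are rate_limited before any account logic."""
    lim = LoginLimiter()
    return sum(lim.check("198.51.100.7", "anyone", now=0.0) == "rate_limited"
               for _ in range(requests))


if __name__ == "__main__":
    print(simulate_stuffing(6))   # allow, allow, challenge, challenge, block, block
    print(simulate_flood(25))     # 5
```

The point worth taking from the simulation is the key choice: the broad bucket is keyed by source IP and never fires during the stuffing run, because each attempt arrives from a different address, while the specific score is keyed by the account under attack and escalates regardless of source. A legitimate owner who types the right password from a new device gains 3 and loses 5, netting zero, so the friction lands on the attacker rather than the user.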

Securing the future of crypto

Coinbase is committed to building trusted products that expand the utility and adoption of crypto, which is why security is at the foundation of every product decision. The world of crypto is constantly evolving, however, so we remain vigilant and keep adapting to mitigate new threats. Our login security offers a strong first line of defense, allowing users to explore the open financial system from the safety of their Coinbase account.
