Keep in mind: If someone has your phone it also has your 2FA.

Your SMS is there, your **email**\* is there, your Google Authenticator is there.

So the best thing would be in the first place to take care of your phone. Don’t leave it unsupervised among people you don’t know. Don’t log into exchanges in crowded places (bus / bus station / concerts etc.).

Use biometric authentication – it can be bypassed, but 99% of people don’t know how to do it. On the other hand, 100% of people can unlock your phone if they saw you entering your password.

Don’t use exchanges on your phone. I know you like to check your portfolio every 10 minutes, but don’t.

Don’t invest more than you can afford to lose.

Don’t keep your crypto on exchanges.

\*This is important because if someone has access to your email, they can also use the magic “forgot my password” button.


35 thoughts on “Keep in mind: If someone has your phone it also has your 2FA.”

  1. Glad I have an app locker and you need to know the pass to access it.

    It’s not much, but it’s an extra layer of security, and it’s never too much.

  2. Just make sure nobody gets the PIN to your phone, and choose a phone with a TPM/TEE that doesn’t have huge vulnerabilities.

    Use Aegis authenticator and encrypt your 2FA so if your phone gets stolen they can’t access it. Don’t use SMS 2FA because it is susceptible to SIM swapping. As for email, you could put a PIN on your email app. Use a strong password on your crypto wallet if possible.

    If someone knows you have a lot of crypto they could crack the TEE and decrypt your phone storage but most thieves just format phones and sell them.

    Edit: also if you’re just HODLing then don’t put your crypto wallet on your phone, keep the seed written down on paper or metal or whatever and only enter it on your device when you need to use it.

  3. Lmao google authenticator.

    If you use 2FA, do your due diligence and note that Google still tracks your activity with the authenticator. Authy is somewhat the same, but on a surface level worse because your backup is a phone number. Yeah, so someone can get your phone number and just port over the 2FA keys.

    Get a Yubikey or at the very least use something that respects your privacy just a bit more.

    I don’t have a Yubikey because there’s not one that fits my needs entirely, so I use Raivo OTP. There are others you can use, just check out [they got lots of good recommendations for other things for online usage as well](

    It’s fine to secure yourself on crypto, but you’d be a fool if you only take finance based on the internet seriously without taking internet security seriously.

  4. I track my crypto using CoinStats. I do NOT link any wallet to it and set it up manually. This keeps me from looking within exchanges.

  5. Biometrics are nowhere near as secure as Hollywood convinced you they are. A robust password is much safer.

    Biometric data is stored. Anything stored is hackable. Hackers are clever and get cleverer all the time. Biometric data isn’t especially difficult to hack.

    Plus, if you upload any photos of yourself online ever, or go through an airport, or walk down any street with CCTV, you are basically giving your biometric ‘password’ out for free to the entire world.

  6. Do not give out your phone number either.
    They can easily copy your SIM and number.
    I made this very mistake by trading p2p and using a payment app that used my phone number.
    I was blasted by scam messages for the following weeks.
    I then added 2FA and auth on Binance and email to be safe.

  7. You can also use a separate phone without internet for 2FA, so you get something like a cold smartphone. In any case Pegasus spyware can easily hack any phone and get full access, but if you are a regular person, you shouldn’t bother.

  8. A lot of people underestimate how fucked they will be if they lose their phone or it is stolen. I treat my phone as if it were the most valuable thing in my life. Fortunately I have a fingerprint added and also 2FA written down and synced to an old mobile just in case.

  9. Depends on how you set it up. In my case they would need to get past two layers of security to access Google Authenticator, and know where to look for it in the first place.

    Seems unlikely.

  10. If you guys are this worried about security, why not get a YubiKey? Or just put it on a Ledger and get it off the exchange altogether.

  11. So if you have more than a couple of dollars, you should really look into hardware tokens, or at worst an iPod touch that you keep at home.

    For most people this won’t matter, but for anyone with significant money, there’s absolutely no reason you need to make impulse decisions while you’re on the go that you couldn’t make at home where you can take a second to be sure, which means your authentication shouldn’t really be on your phone.

    That said, it’s kind of a big effort to crack a passcode on a mobile device these days, so even if your phone gets stolen, if someone wanted to crack it they’d probably just kidnap you and make you unlock it before they’d try to decrypt it or anything like that. Which is why you sorta probably would be better off not having the keys to everything on you at all times.

  12. For people who think fingerprints are secure, watch the Kraken video where they show how trivial it is to lift and recreate your fingerprint with wood glue.

    If you keep crypto on exchanges then it’s time for a YubiKey.

  13. “I know you like to check your portfolio every 10 minutes, but don’t.”

    10 minutes is for beginners, we prefer 5 minutes maximum.

  14. Many, many people don’t seem to realise the fact that you can add a passcode to the Google Authenticator app itself. I’d highly suggest setting it up now if you haven’t already.

    Oh yeah, and go to export accounts, screenshot the QR codes, and back that shit up somewhere ASAP. Make note of the date you backed it up too, so you know how up to date this export of your keys is. This is such a lifesaver if you lose your phone for whatever reason.
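The point made in the original post and in comment 14 (the authenticator seed lives on the phone, and an exported QR code is a full copy of it), as an added example that is not part of this thread: it parses the standard otpauth:// URI carried by a TOTP enrollment QR code and computes RFC 6238 codes from the secret, so the phone and any copy of that QR code produce the identical code, and the server-side check with a tolerance window is shown too. The exchange name, label and secret in EXAMPLE_URI are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(uri):
    """Parse an otpauth://totp/... URI, the payload of an enrollment QR code.

    The 'secret' is the only thing server and phone share: whoever holds the
    URI or a screenshot of its QR code can compute every future code.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if stripped
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(secret),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }

def totp(secret, at, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HMAC over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def verify(params, code, at, window=1):
    """Server-side check: accept the current step and +-window neighbouring steps."""
    p = params["period"]
    return any(hmac.compare_digest(code, totp(params["secret"], at + i * p,
                                              params["digits"], p, params["algorithm"]))
               for i in range(-window, window + 1))

# Constructed example, not a real account: a fictional exchange enrollment URI.
EXAMPLE_URI = ("otpauth://totp/ExampleExchange:alice%40example.com"
               "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleExchange")

if __name__ == "__main__":
    params = parse_otpauth(EXAMPLE_URI)
    # The phone and a copied QR screenshot yield the identical code.
    print(params["label"], totp(params["secret"], time.time()))
```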
