How to Lock Down Your Crypto Exchange Account (Step-by-Step)

Practical checklist for securing your Coinbase, Kraken, Binance, or any crypto exchange account. Covers 2FA, withdrawal whitelisting, API key hygiene, and the settings most people miss.

Security
March 5, 2026 · 8 min read · Updated Mar 6, 2026

Your exchange account is the front door to your crypto. If someone gets in, they can sell your assets, withdraw funds, or lock you out entirely. And unlike a bank, most exchanges won't reverse unauthorized transactions.

The good news: exchange security is mostly about getting the basics right. Not "cybersecurity expert" basics — regular-person basics that take about 20 minutes to set up properly.

Here's the full checklist.

Step 1: Use a unique, strong password

This sounds obvious, and it is. But credential stuffing, where attackers replay email/password pairs leaked from other sites, is still one of the most common ways exchange accounts get taken over, precisely because people reuse passwords.

The rules:

  • Use a password you've never used anywhere else
  • Make it at least 16 characters (a password manager handles this effortlessly)
  • Don't use patterns based on the exchange name (e.g., "Coinbase2026!" is bad)
  • Use a password manager like Bitwarden, 1Password, or the one built into your browser

Step 2: Enable the right kind of 2FA

Not all two-factor authentication is equal. Here's the ranking, from most secure to least:

  1. Hardware security key (YubiKey, Google Titan) used over FIDO2/WebAuthn: best option. The key only signs for the exchange's real domain, so a look-alike phishing site gets nothing it can use.
  2. Authenticator app (Google Authenticator, Authy): good, but the six-digit code can still be phished. If you type it into a fake site, the attacker can replay it to the real exchange within the same 30-second window, and a compromised phone exposes the secret itself.
  3. SMS codes: worst option. Vulnerable to SIM swap attacks and to anyone who can intercept your texts.

Many exchanges enroll SMS first because it is the easiest to set up. Switch to an authenticator app, or a hardware key where the exchange supports one, as soon as the account exists.

If you use an authenticator app:

  • Back up the setup key (the QR code or base32 string shown once during enrollment) and any one-time recovery codes, offline, not as a screenshot on the same phone. That key is the secret itself: anyone who has it can generate your codes indefinitely.
  • Don't keep the authenticator on the same device you use to access the exchange; malware on your laptop then has to compromise two devices instead of one.
  • If using Authy, disable multi-device after setup so that someone who hijacks your phone number can't enroll a new device and pull your tokens.
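To make concrete what that setup key actually is, here is an added example (not code from this article, and not any authenticator app's own code) that derives codes the same way Google Authenticator or Authy does, following RFC 4226 (HOTP) and RFC 6238 (TOTP). It uses the RFC's published test secret so the output can be checked against known values; the function names and the lowercase, space-separated key format are my assumptions about how apps display the key.

```python
import base64
import hashlib
import hmac
import struct

# Reference secret from RFC 6238's test vectors (ASCII "12345678901234567890"),
# used only so the codes below can be checked against published values.
# Never hard-code a real setup key like this.
RFC6238_SECRET = b"12345678901234567890"


def decode_setup_key(key: str) -> bytes:
    """Turn the base32 'setup key' an authenticator app shows you into raw bytes.
    Apps display it in spaced groups, often lowercase and without '=' padding,
    so normalise all of that before decoding (display format is an assumption)."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is simply the current 30-second window number."""
    return hotp(secret, unix_time // step, digits)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, drift: int = 1) -> bool:
    """What the exchange does server-side: accept the current window plus `drift`
    windows on either side to tolerate clock skew. The comparison is constant-time."""
    for i in range(-drift, drift + 1):
        candidate = totp(secret, unix_time + i * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    key = decode_setup_key("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")  # base32 of the RFC secret
    print(totp(key, 59, digits=8))  # 94287082, RFC 6238 Appendix B
    print(verify_code(key, totp(key, 59), 59 + 30))  # True: one window of drift is accepted
```

Two things fall out of this. The backup you need is the setup key, because every code is a pure function of that key and the clock. And because the server accepts a code for roughly a minute, a phishing page that relays your code to the real exchange in real time still gets in; only a hardware key bound to the real domain avoids that.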

Step 3: Enable withdrawal address whitelisting

This is the single most underused security feature on exchanges. When enabled, withdrawals go only to pre-approved addresses, and adding a new address triggers a waiting period (typically 24-72 hours, depending on the exchange) plus an email notification.

If someone gets into your account, they can't send funds to their own wallet without first adding it and sitting out that delay, which gives you time to notice the notification and lock the account. The delay only helps if your inbox is still yours, which is why Step 6 matters as much as this one.

How to enable it:

  • Coinbase: Settings → Security → Vault or Allowlist
  • Kraken: Security → Withdrawal Address Management
  • Binance: Security → Withdrawal Whitelist
  • Gemini: Settings → Approved Addresses

Every major exchange offers some form of this, though the menu names move around; if the paths above don't match, search the security settings for "allowlist", "whitelist", or "address book". If your exchange doesn't offer it at all, consider switching.

Step 4: Set up anti-phishing codes

Many exchanges let you set a custom code that appears in every legitimate email from them. If you receive an email without your code, you know it's fake. The reverse is not a guarantee: the code shows the email came from the exchange, not that the link inside it is safe, so still type the exchange's address yourself rather than clicking.

  • Binance and OKX both offer this
  • Set it to something memorable that isn't your password, a piece of it, or anything you've used as a security answer
  • Check for it before acting on any email claiming to be from the exchange, and even then navigate to the site directly instead of clicking the link

Step 5: Review API keys and connected apps

If you've connected a tax tool, portfolio tracker, or trading bot to your exchange, those connections use API keys. Each key is issued with a set of permissions (read-only, trading, withdrawal), and a leaked key can do everything in that set without your password or 2FA, because API calls are authenticated by the key alone.

Audit checklist:

  • Remove API keys you no longer use
  • Make sure no key has withdrawal permissions unless absolutely necessary (tax software never needs withdrawal access)
  • Set IP address restrictions on active keys, so a leaked key only works from the server that actually runs the bot
  • Don't share API keys in screenshots, support tickets, or chat groups
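The audit above is easy to apply mechanically once you have the key list in front of you. Here is an added example (not code from this article or from any exchange) that runs those four checks over a constructed sample export. The sample and its field names (label, permissions, ip_allowlist, last_used) are my assumptions, not any exchange's real format; map your exchange's CSV or JSON export onto them before using it on real data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export. NOT any exchange's real format: the field names are
# assumptions; map your exchange's CSV/JSON onto them before running this for real.
SAMPLE_KEYS = json.loads("""
[
  {"label": "tax-tool",    "permissions": ["read"],
   "ip_allowlist": [],               "last_used": "2026-02-20T10:00:00Z"},
  {"label": "trading-bot", "permissions": ["read", "trade"],
   "ip_allowlist": ["203.0.113.10"], "last_used": "2026-03-04T08:12:00Z"},
  {"label": "old-tracker", "permissions": ["read"],
   "ip_allowlist": [],               "last_used": "2025-09-01T00:00:00Z"},
  {"label": "mystery",     "permissions": ["read", "trade", "withdraw"],
   "ip_allowlist": [],               "last_used": null}
]
""")

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1}


def _parse_ts(value: str) -> datetime:
    # Accept a trailing "Z"; older Pythons only understand "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_api_keys(keys, now: datetime, stale_after: timedelta = timedelta(days=90)):
    """Apply the checklist to each key and return (label, severity, reason) tuples,
    highest severity first."""
    findings = []
    for key in keys:
        label = key["label"]
        perms = set(key["permissions"])

        # Withdrawal scope on a leaked key drains the account with no 2FA prompt.
        if "withdraw" in perms:
            findings.append((label, "HIGH", "has withdrawal permission; remove it or delete the key"))

        # Without an IP allowlist the key works from wherever it leaks to.
        if not key["ip_allowlist"]:
            severity = "HIGH" if perms & {"trade", "withdraw"} else "MEDIUM"
            findings.append((label, severity, "no IP restriction"))

        # Keys nobody is using are pure attack surface.
        if key["last_used"] is None:
            findings.append((label, "MEDIUM", "never used; delete it"))
        else:
            idle = now - _parse_ts(key["last_used"])
            if idle > stale_after:
                findings.append((label, "MEDIUM", f"unused for {idle.days} days; delete it"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


def audit_sample(now_iso: str = "2026-03-06T00:00:00Z"):
    """Run the audit over the constructed sample at a fixed 'now' so results are reproducible."""
    return audit_api_keys(SAMPLE_KEYS, _parse_ts(now_iso))


if __name__ == "__main__":
    for label, severity, reason in audit_api_keys(SAMPLE_KEYS, datetime.now(timezone.utc)):
        print(f"[{severity}] {label}: {reason}")
```

On the sample, the "trading-bot" key comes out clean (scoped, IP-restricted, recently used), while "mystery" produces two HIGH findings: it can withdraw, and it works from any IP. In practice that combination means delete it and rotate whatever used it.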

Step 6: Lock down your email

Your exchange account is only as secure as the email attached to it. If someone gets into your email, they can reset your exchange password and, on many exchanges, push through a 2FA reset or approve a new withdrawal address, because those confirmations arrive by email.

Email security checklist:

  • Enable 2FA on your email account (hardware key preferred)
  • Use a unique email address for crypto exchanges — ideally not the same one you use for social media, newsletters, and shopping
  • Check for active forwarding rules and filters (attackers sometimes add silent forwarding, or a filter that auto-archives anything from the exchange, so you never see the password reset or new-address emails)
  • Disable email recovery via phone number if possible; otherwise the same SIM swap that defeats SMS 2FA also takes over your inbox

Step 7: Check active sessions and devices

Most exchanges show a list of active sessions and trusted devices. Review this monthly, and immediately after any email from the exchange you didn't expect.

What to look for:

  • Sessions from locations you don't recognize
  • Devices you don't own
  • Sessions that are older than you'd expect

If anything looks wrong: revoke every session except your own, change your password, then check your API keys, withdrawal whitelist, and the email address on file for changes the intruder may have made, and tell the exchange's support team so they can watch the account.

Step 8: Understand the limits of exchange security

Even with perfect security hygiene, exchanges carry inherent risks:

  • Regulatory freezes — your account can be frozen for compliance reasons without warning
  • Exchange insolvency — if the exchange goes under, your assets may be at risk (check for proof of reserves)
  • Internal compromise — exchange employees with system access could theoretically abuse it

For large holdings (more than you'd be comfortable losing), consider moving assets to self-custody. Use our Wallet Setup Builder to create a secure setup, or read our guide on what crypto wallets are and how they work.

The 5-minute monthly check

Set a calendar reminder for the first of every month:

  1. Review active sessions on your exchange accounts
  2. Check API key list
  3. Verify your 2FA is still working, and that your backup of the setup key still exists
  4. Glance at recent withdrawal history for anything you didn't initiate
  5. Make sure your recovery email and phone number are current
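The session review in Step 7 and items 1 and 4 of this monthly check can be reduced to a few rules once you write down what "normal" looks like for your account. Here is an added example (not code from this article or from any exchange) that applies those rules to constructed sample exports. The known-device set, the usual-country set, the placeholder addresses, and the field names (id, device, country, created, address) are all my assumptions; real exports use different names, and the addresses here are deliberately not real ones.

```python
from datetime import datetime, timedelta

# What you know about your own account. Constructed for this example; fill in your own.
KNOWN_DEVICES = {"iPhone (Safari)", "Work laptop (Firefox)"}
USUAL_COUNTRIES = {"DE"}
# Placeholders standing in for the addresses on your withdrawal whitelist, not real addresses.
WHITELISTED_ADDRESSES = {"addr-cold-wallet-1", "addr-hardware-wallet-2"}

# Constructed sample exports. Field names are assumptions, not any exchange's format.
SAMPLE_SESSIONS = [
    {"id": "s1", "device": "iPhone (Safari)",       "country": "DE", "created": "2026-03-03T19:20:00Z"},
    {"id": "s2", "device": "Windows (Chrome)",      "country": "GB", "created": "2026-03-05T02:41:00Z"},
    {"id": "s3", "device": "Work laptop (Firefox)", "country": "DE", "created": "2026-01-02T09:00:00Z"},
]
SAMPLE_WITHDRAWALS = [
    {"id": "w1", "address": "addr-cold-wallet-1", "asset": "BTC", "amount": "0.05"},
    {"id": "w2", "address": "addr-unknown-9",     "asset": "ETH", "amount": "1.20"},
]


def _parse_ts(value: str) -> datetime:
    # Accept a trailing "Z"; older Pythons only understand "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_sessions(sessions, now: datetime, max_age: timedelta = timedelta(days=30)):
    """Return (session id, [reasons]) for every session that fails one of the three
    checks in Step 7: unknown device, unexpected location, or older than expected."""
    flagged = []
    for session in sessions:
        reasons = []
        if session["device"] not in KNOWN_DEVICES:
            reasons.append("device you don't own")
        if session["country"] not in USUAL_COUNTRIES:
            reasons.append(f"unrecognized location {session['country']}")
        age = now - _parse_ts(session["created"])
        if age > max_age:
            reasons.append(f"session is {age.days} days old")
        if reasons:
            flagged.append((session["id"], reasons))
    return flagged


def review_withdrawals(withdrawals, whitelist):
    """Any withdrawal to an address outside your allowlist is either a whitelist change
    you didn't make or one you forgot; either way it deserves a look."""
    return [(w["id"], w["address"]) for w in withdrawals if w["address"] not in whitelist]


def monthly_review(now_iso: str = "2026-03-06T00:00:00Z"):
    """Run both reviews over the constructed samples at a fixed 'now' for reproducibility."""
    now = _parse_ts(now_iso)
    return {
        "sessions": review_sessions(SAMPLE_SESSIONS, now),
        "withdrawals": review_withdrawals(SAMPLE_WITHDRAWALS, WHITELISTED_ADDRESSES),
    }


if __name__ == "__main__":
    result = monthly_review()
    for session_id, reasons in result["sessions"]:
        print(f"session {session_id}: {', '.join(reasons)}")
    for withdrawal_id, address in result["withdrawals"]:
        print(f"withdrawal {withdrawal_id} went to non-whitelisted address {address}")
```

On the sample, "s2" is the one to act on (a device you don't own, from a country you don't log in from), "s3" is just a stale session worth revoking, and withdrawal "w2" went somewhere that isn't on the whitelist, which means either the whitelist was changed or it was never enabled.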

That's it. Twenty minutes of setup and five minutes per month keeps most accounts safe.


Some links on this page are affiliate links. We may earn a commission at no extra cost to you if you sign up or make a purchase through these links. This does not influence our editorial evaluations. Learn more