Phishing scams are on the rise as criminals employ various methods to deceive individuals into divulging personal information. According to the National Cyber Security Centre in the UK, 29 million phishing scams have been reported since the start of 2024. In 2023 alone, over 324,000 crypto users fell victim to phishing scams, resulting in the loss of approximately $295 million in digital assets, according to the “2023 Wallet Drainers Report.”
To combat the increasing number of phishing scams, certain cryptocurrency exchanges are urging users to incorporate specific devices to protect their funds. Coinbase, for example, was one of the first exchanges to offer YubiKey compatibility. YubiKey devices, introduced by Yubico in 2008, provide the most secure form of authentication, serving as a two-factor authentication (2FA) method. Users must physically use their YubiKey device to access their accounts, making it more secure than relying solely on passwords, which can be lost or compromised in phishing attacks.
Similarly, Binance introduced YubiKey devices to its users in 2019. Jimmy Su, the chief security officer at Binance, emphasized that the physical nature of the YubiKey makes it the most secure 2FA method. Unlike SMS or email-based one-time-password codes, YubiKey requires physical access, making it less susceptible to phishing attacks.
While YubiKey devices are effective against phishing attacks, crypto exchanges have also started adopting newer solutions. For instance, Coinbase supports a new form of multi-factor authentication (MFA) called “passkeys,” which utilize cryptographic techniques linked to a user’s smartphone. Gemini, another cryptocurrency exchange, also recently released support for passkeys, which offer more convenience than physical YubiKeys.
Tom D’Eletto, head of product at Arculus, a crypto security platform, believes that while software passkeys are a step in the right direction, a hardware-bound passkey is the gold standard for security. Arculus has implemented its own FIDO2-certified keys, which come in the form of a metal credit card. D’Eletto explains that this provides users with a familiar experience, similar to using a bank card and PIN at an ATM.
It is important to note that YubiKeys and similar physical devices do not hold a user’s wallet or private key. Instead, they are used by wallets or exchanges to authenticate users and authorize transactions, mitigating the risk of account takeovers. However, they cannot protect against cryptocurrency exchange hacks.
Given this limitation, crypto users may want to consider using hardware wallets to store their funds. Singapore authorities have also recommended hardware wallets for protection against wallet drainer attacks. However, hardware wallets come with their own challenges, as losing the private keys can result in the permanent loss of crypto funds. In such cases, having a YubiKey associated with a Coinbase account can be beneficial, as users can go through a process to regain account access even if they lose their YubiKey device.