Two Factor Authentication (2FA) is a great way to improve the security of your account.
Mushino supports two different forms of 2FA:
- Phone 2FA (least secure)
- TOTP 2FA (most secure)
The point of 2FA is to provide an additional authentication mechanism that must be presented in addition to your password on sensitive actions (log in, withdrawal, API key generation).
Phone 2FA
Phone 2FA uses your SIM Card as an additional authentication mechanism. When you need to perform a sensitive action, a unique code is sent to your phone number. You'll need to type in this code to confirm the action.
TOTP 2FA
TOTP 2FA uses an app on your phone to generate the unique code instead. You'll need to open the app on your phone every time you need to authenticate. Popular apps include (but are not limited to) Google Authenticator and Authy.
TOTP 2FA is significantly more secure than Phone 2FA, since the generation of the code isn't tied to your SIM card.
What's the problem with Phone 2FA?
When the code generation is tied to your SIM Card, there is a chance that a malicious actor may call your phone provider and pretend to be you. The malicious actor will claim that he lost his SIM card and try to convince the customer support agent at the phone company to send him a new SIM card. Some phone providers will accept such a request without asking for valid ID or otherwise verifying that the malicious actor is the person he is pretending to be.
If you're storing significant amounts of cryptocurrency, and other people know of your holdings, you're wise not to rely on phone 2FA. The only exception is when you know 100% that your phone provider will not hand out any additional SIM cards without being presented a valid ID.
That being said, phone 2FA is still a significant improvement in security, when compared to not having enabled any 2FA at all.
What happens if I lose my device?
The good thing about phone 2FA is that it's very easy to recover, should you lose your phone. Just ask your phone provider to send you a new SIM Card.
TOTP 2FA is slightly more complicated when it comes to recovery. You'll need to store a backup key that you can use in case you lose your phone. We recommend typing this key out on paper, or storing it in a Password Manager (which should, ideally, also have some form of 2FA enabled, and be backed up).
If you lose your phone, typing in this backup key will allow you to port your account to a new device.
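To make the two points above concrete (that a TOTP code is derived purely from a shared secret and the current time, with no dependency on your SIM, and that the backup key is that secret, so re-entering it on a new device restores code generation), here is an added example implementing the standard TOTP/HOTP algorithm from RFC 6238 / RFC 4226. It is not Mushino's code, and the secret and backup-key formatting it uses are the RFC's published test vector and a constructed illustration, not anything from Mushino's systems.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference test secret (the ASCII bytes of "12345678901234567890").
# Used here only so the results can be checked against the published vectors.
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def backup_key_for(secret: bytes) -> str:
    """Render a secret the way authenticator apps and backup keys usually show it:
    base32, upper-case, grouped in blocks of four for easier transcription to paper."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return " ".join(b32[i:i + 4] for i in range(0, len(b32), 4))


def secret_from_backup_key(key: str) -> bytes:
    """Reverse of backup_key_for: tolerate spaces/lower-case and restore base32 padding."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_from_backup_key(key: str, at: Optional[int] = None) -> str:
    """What a freshly provisioned device does: rebuild the secret from the backup key
    and generate the same codes the lost phone would have produced."""
    return totp(secret_from_backup_key(key), at)


def verify(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window` steps either
    side (clock skew), comparing in constant time to avoid timing leaks."""
    for delta in range(-window, window + 1):
        candidate = totp(secret, at + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    key = backup_key_for(RFC_SECRET)
    print("backup key as shown to the user:", key)
    print("code at t=59 from original secret:", totp(RFC_SECRET, 59))
    print("code at t=59 from re-entered backup key:", totp_from_backup_key(key, 59))
    print("accepted with 30s skew:", verify(RFC_SECRET, totp(RFC_SECRET, 59), 89))
```

The values at `t=59` match the RFC 6238 SHA-1 vector (`94287082`, or `287082` at six digits), which is how you can convince yourself the arithmetic is right. The design point for recovery is in `totp_from_backup_key`: nothing about the phone, app install or SIM is an input, so any device holding the backup key produces identical codes, and anyone else holding it does too, which is why the key needs the same protection as the password it supplements.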
Recommendation
If at all possible, turn on TOTP 2FA. Make sure that you store the backup key in a safe place.
If it's not possible for you to download an app that generates TOTP 2FA codes, use phone 2FA instead. If storing large amounts, make sure that your phone provider is not vulnerable to SIM Swapping (i.e. they will not hand out replacement SIM cards without being presented valid ID).