Phishing scams are on the rise, with criminals using various methods like emails, text messages, and phone calls to deceive individuals into revealing personal information. The National Cyber Security Centre in the UK reported 29 million phishing scams in 2024. Scam Sniffer, a blockchain security platform, found that over 324,000 crypto users fell victim to phishing scams in 2023, resulting in a loss of around $295 million in digital assets.
To combat the increasing threat of phishing scams, some cryptocurrency exchanges are urging users to add dedicated physical devices for protection. For example, Coinbase, one of the leading crypto exchanges, was among the first to offer YubiKey compatibility. YubiKey devices, introduced by Yubico in 2008, provide the highest level of security for authentication. They can serve as a form of two-factor authentication (2FA), which is essential in preventing unauthorized access to user accounts. Because users must physically use their YubiKey device to access their accounts, the risk posed by passwords lost or breached in phishing attacks is minimized.
Binance, another prominent crypto exchange, also introduced YubiKey devices to its users in 2019. According to Jimmy Su, Binance’s chief security officer, the physical access requirement of YubiKeys makes them the most secure 2FA method. Unlike one-time-password codes sent via SMS or email, which are vulnerable to phishing attacks, YubiKeys provide a more robust defense against such threats.
While YubiKey devices are highly effective in protecting against phishing, crypto exchanges have begun adopting newer solutions. Coinbase, for instance, supports a new form of multi-factor authentication (MFA) called “passkeys.” These passkeys use cryptographic techniques tied to a user’s device, such as a smartphone, to authenticate the user. Gemini, another crypto exchange, has also recently released support for passkeys, which are more convenient than physical YubiKeys.
However, Tom D’Eletto, the head of product at Arculus, a crypto security platform, states that while software passkeys are a step in the right direction, a hardware-bound passkey is the gold standard for security. Arculus has implemented its own FIDO2-certified keys in the form of a metal credit card. This hardware-bound passkey provides a familiar user experience and secure authentication.
It’s important to note that YubiKeys and similar physical devices do not hold a user’s wallet or private key. Instead, they are used by wallets or exchanges to authenticate the user and authorize transactions. While they can protect against phishing attacks and mitigate end-user account takeovers, they cannot safeguard against crypto exchange hacks. Therefore, it is advisable for crypto users to consider using hardware wallets to store their funds securely. Singapore authorities have also recommended the use of hardware wallets to protect against wallet drainer attacks. However, hardware wallets come with their own challenges, as the loss of private keys can result in the permanent loss of funds. In such cases, having a YubiKey associated with a Coinbase account can be beneficial, as users have a method to regain account access even if they lose their YubiKey device.