2 Factor Authentication (2FA) adds a second, independent proof of identity to the login process, so that a stolen or guessed password alone is not enough to access an account. The first factor is something the user knows, the password; the second factor is something the user has or generates, such as a rotating six-digit code from an authenticator app, a hardware security key, or a one-time code sent by SMS.
On crypto exchanges, 2FA typically protects logins, withdrawals, and API key changes, since these platforms are high-value targets for attackers and, unlike a bank, offer little recourse once funds leave a wallet. Most exchanges use Time-based One-Time Password (TOTP) codes generated by apps like Google Authenticator, Authy, or 2FAS, refreshed every 30 seconds and calculated locally on the device rather than transmitted over the network.
SMS-based 2FA is the weakest common option, because it depends on the mobile carrier network and can be bypassed through a SIM swap, where an attacker convinces a carrier to move a victim's phone number to a SIM they control. TOTP apps close that gap but remain vulnerable to real-time phishing pages that relay a valid code within its short validity window. For that reason, security guidance increasingly favors FIDO2/WebAuthn hardware keys, which cryptographically bind the login to the legitimate domain and cannot be replayed by a fake site.
Losing access to a 2FA device without saved backup codes can permanently lock a user out of an exchange account, so most platforms require registering backup codes or a secondary method during setup.