Safety & FAQ

Binance Account Security: Set Up 2FA, an Anti-Phishing Code, and Device Management

Cover image for the Binance account security setup guide

There is a blunt saying in crypto circles: when coins go missing, the platform is usually not the one to blame. In most of the theft cases you hear about, the attacker walks off with a key the user handed over, a password reused from somewhere else, or a verification code read aloud to a "support agent," rather than breaking into the exchange's servers. Put another way, whether your account stays safe is mostly a decision in your own hands.

This guide runs through every protection a Binance account should have switched on: two-factor authentication, an anti-phishing code, device management, a withdrawal whitelist, and password hygiene, plus a short emergency checklist for the day something does go wrong. The whole set takes about twenty minutes. If you have just registered and configured none of it yet, do it now, so your defences are in place before your money is.

Why do stolen accounts almost always belong to unprotected users?

The direct answer: the common theft methods are phishing and credential stuffing, and both go after the person, not the platform's servers. Once you grasp that, you know where the wall needs building.

Phishing is a scammer posing as Binance in an email or a text, steering you to a near-perfect fake site where you type in your password and verification code. Credential stuffing is an attacker taking the email-and-password pair you leaked on some other website and trying it here, one account at a time. If you have ever reused one set of credentials on any small site, that door can open. Add fake apps and fake support agents asking for codes, and most theft cases need no hacking skill at all.

The platform itself has certainly had incidents: in 2019 Binance really was hacked for around 7,000 bitcoin, with the loss absorbed by the platform, a history we go through in detail in is Binance safe. But that is a low-frequency event. For an ordinary user, the high-frequency threats are the ones above, each aimed straight at you, and every one of them has a matching switch you can flip to shut it out.

Two-factor authentication (2FA): an authenticator app is the floor

Two-factor authentication is the first hard gate on an account: with it on, a password by itself will not get anyone in. Our advice is plain. Link at least one authenticator app, and do not lean on SMS alone. The setting lives under "Account, then Security" in the app, and the methods are not equally strong.

Screenshot of the Binance Academy home page
Binance Academy: 2FA, anti-phishing, and other security topics all have free courses, so you can pick up the reasoning while you finish the setup (captured from academy.binance.com).
MethodStrengthNotes
PasskeyHighTies to a device fingerprint or face, the strongest against phishing
Authenticator appHighGenerates codes locally, off the network; everyone should turn this on
SMS codeMediumExposed to SIM-swap and real-time relay, so keep it as a backup only
Email codeMediumOnly as strong as the inbox itself, so protect the email with 2FA too

Why an authenticator app beats SMS

An authenticator's rotating code is generated on your phone, refreshes every thirty seconds, and never passes through a carrier or the network, so a scammer cannot intercept it. SMS has two soft spots. One is the SIM-swap, where an attacker takes over your phone number through a replacement-SIM trick and the code drops straight into their pocket. The other is real-time relay, where the SMS code you type on a phishing site is used on the real site within seconds. Leave SMS as a backup and give the lead role to the authenticator.

The recovery key: write it on paper, put it in a drawer

When you link the authenticator, the page hands you a string called the recovery key, and it is your way back in if the phone is lost. Copy it onto paper and store it somewhere only you know. Do not screenshot it into your photo roll or upload it to cloud storage, which is the equivalent of leaving the spare key in the lock.

Move the authenticator before you switch phones

Migrating the authenticator while the old phone is still in your hand is the cheapest time to do it. Google Authenticator can export your accounts as a QR code for the new phone to scan, or you can re-link on the new phone with the recovery key. If the phone is already gone and you never copied the key, your only option is Binance's appeal process to reset 2FA, which needs a face scan to confirm your identity, limits withdrawals while it is reviewed, and can drag on for a few days.

Anti-phishing code: one minute to set, and fake emails show themselves

An anti-phishing code is a short string of characters you choose yourself. Once it is set, every official email Binance sends you carries it in a prominent spot, and any "Binance email" without that string should be treated as phishing.

The mechanism is charmingly simple: a scammer can forge an email template identical to the official one, but does not know the few characters you chose, so telling a real email from a fake one becomes a matter of matching a password, and a mismatch means it is fake. The path is Account, then Security, then Anti-Phishing Code. Pick a phrase that has nothing to do with your personal details but that you will recognise at a glance, and steer clear of a birthday or the spelling of your name.

Two boundaries are worth stating. The anti-phishing code applies to email only, not to text messages, and it guards against the single trick of an email impersonating Binance, doing nothing against fake support, fake airdrops, and other scams. The full field guide is in our scam prevention guide.

Device management and the withdrawal address whitelist

These two switches point in different directions: device management decides who can log in, and the withdrawal whitelist decides where coins can go, and together they squeeze the loss from a breach down to the smallest amount.

The authorized-devices list: sweep it periodically

The path is Account, then Security, then Device Management. The list holds every device that has logged into your account. Check each model and login region one by one, and for anything you do not recognise, revoke its authorization at once and change your password immediately, because an unfamiliar device showing up here usually means someone logged in successfully with your password. Make it a habit: after any new device signs in, and every month or two, come here and sweep the list.

The withdrawal address whitelist: the last lock on your assets

With the whitelist on, the account can only send crypto to addresses you added and verified in advance, a new address has to clear email and 2FA confirmation, and there is usually a waiting period before it takes effect. Its value only shows in the worst case: even if a scammer completely takes over your account, they cannot send coins to an address of their own. Users who withdraw to a fixed wallet often, or who hold a larger amount, should turn it on, while a small new account can wait until the balance grows. The full withdrawal flow is in our withdrawal guide.

Password hygiene: unique, long, handed to a manager

There is only one hard rule about passwords: your Binance login password must be unique, shared with no other site. That matters more than how complex it is.

The raw material for credential stuffing is precisely the password dumps leaking out of assorted small sites, so however complex a password is, once it is reused its security is tied to the least secure site you ever put it on. The easiest way to handle this is a password manager: use a tool like Bitwarden or 1Password to generate and store a random password of sixteen characters or more, and you never have to remember it yourself.

One point people often miss: the email you used to register Binance should have 2FA turned on too, because the inbox is the root of every account, and once the root is pulled, every protection downstream loosens with it.

If your account is compromised: four moves, right away

The moment you notice something off, an unexplained withdrawal email, an alert about a login from an unfamiliar device, a password that suddenly does not work, do four things in order, because speed matters more than anything:

  1. Freeze the account: the app's security page has an account-freeze entry (some versions call it "disable account"), and once frozen, logins and withdrawals both stop. Stop the bleeding first, investigate second.
  2. Change your password and reclaim your email: if the email might be compromised too, change the email password first and kick out any unfamiliar sessions there, then change your Binance password. Reverse that order and the whole effort can be undone.
  3. Revoke devices and authorizations: once unfrozen, go into device management and remove every unfamiliar device, then check whether anyone created API keys and delete all of them if so.
  4. Contact official support only: use only the live support inside the app or the official site (the entry is the Binance Help Center), give them the timeline and your evidence, and ask them to review the unusual activity.

Two reminders. First, while you are dealing with this, a "helpful stranger" will very likely message you offering to recover your assets, which is a second harvest aimed at you, so block them all. Second, to judge whether a support account or a website is really official, check it on the Binance official verification channel and you will have your answer.

TipIf you do not have an account yet and are about to open one, the order we suggest is: Sign Up on Binance (entering referral code BN03688 gives a fee discount, as shown on the sign-up page), complete identity verification, come back to this article and set up every protection, and only then make your first deposit.

Frequently asked questions

My phone with the authenticator app is gone. How do I log in?

If you wrote down the recovery key, install the authenticator on a new phone and re-link it with that key to get back in. Without the key, your only route is Binance's appeal process to reset 2FA, which needs a face scan to confirm your identity, and withdrawals are temporarily limited while it is reviewed. This is exactly why we keep pushing you to copy the recovery key onto paper.

Can I keep SMS and an authenticator app on at the same time?

Yes. Several verification methods can coexist, and sensitive actions may ask you to combine them. The principle is that the authenticator does the heavy lifting while SMS and email stay as backups, so your account is never sitting on SMS alone.

Do I need to change the anti-phishing code regularly?

No, not on a schedule. Only change it the moment you suspect it has leaked, for example if you logged in on a fake site by mistake, or you receive a suspicious email that somehow carries the correct code.

Can I still add new addresses after turning on the withdrawal whitelist?

Yes, you can add one any time, but a new address has to be confirmed by email and 2FA, and there is usually a waiting period before it can be used for withdrawals. That delay is part of the protection, giving you time to notice anything wrong, with the exact length shown live on the Binance page.

If my account is stolen, will Binance reimburse me?

Do not count on it. Theft caused by your own leaked password or verification code generally falls outside what the platform covers; the SAFU fund is aimed at platform-level security incidents. Setting up your defences beforehand is worth more than any remedy after the fact.

Once the security settings are in place, they sit there quietly until the day a supposed "official email" without the anti-phishing code lands in your inbox, and you are glad you spent these twenty minutes. If anything here was unclear, write to [email protected], and we read and reply to everything.

Done reading? Sign up for Binance and get 20% off fees

Register with our referral code BN03688 and get 20% off trading fees*. Tap the button below and the code comes along automatically.

BN03688
Sign Up with This Code

*Actual rate as shown on the Binance sign-up page and subject to change. See the affiliate disclosure.

Yizhou Xu

Lead writer at Mewbyt. In crypto since 2021, with enough tuition paid to the market to know where the potholes are. Every walkthrough here was done hands-on by us. If we got something wrong, call us out: [email protected].