Some of you have asked about using Bitcoin. Bitcoin has some amazing privacy advantages, but the process can be intimidating. Additionally, using Bitcoin requires giving up your bank account information, which can be a scary prospect. Coinbase is an online Bitcoin wallet that makes using Bitcoin easy and intuitive. In Part I of this Coinbase review I am going to talk about the security of the service. Hopefully this will allay some of your fears about using Bitcoin. The next part will talk about actually using Bitcoin.
Coinbase doesn’t mess around with security. Strong usernames, strong passwords, and two-factor authentication are the norm with Coinbase accounts.
- Username: Because of the sensitivity of this account and the potential for fraud, I use a “real” email address (a ProtonMail alias). If you set this up and decide you don’t like your username, don’t worry – Coinbase will let you change it.
- Password: I have hit no meaningful password limit with Coinbase. I have used passwords in excess of 200 characters without issue. I recommend using the longest, strongest password you are comfortable with.
- Two-Factor Authentication: Coinbase also uses two-factor authentication through Authy. NOTE: this is not your standard TOTP/OAUTH protocol, and you can’t use Google Authenticator – you MUST USE Authy.
- Email Authentication: Each time you log into your account from a new device you are authenticated through multiple means. First, you enter your username and password. Next, you will be prompted to enter a seven-digit code from Authy, assuming you have two-factor authentication enabled. If you are logging in from a new IP and/or browser, you will also have to log in to your email from the same browser and verify that you are attempting to log in.
Combined, this would require an attacker to have access to your username and password, two-factor authentication token, and email account associated with Coinbase. This is a fairly high bar to pass, and makes me feel confident. The “vault” is another factor that makes me feel better about using the service.
Coinbase has two places where you can store your Bitcoin: the wallet and the vault. Funds stored in your Bitcoin wallet are available for immediate withdrawal. You can use the funds to make purchases. Because these funds are available for immediate use they are somewhat less secure, so it is not recommended that you store large amounts of Bitcoin in your wallet. Instead, you are encouraged to keep a small amount in your wallet available for purchase, and larger amounts in the vault for safekeeping. Bitcoins stored in the vault are much harder to access. Here’s why:
- First, you must log in to Coinbase as outlined above. Next, you will go to your “Accounts” page and open the vault. If you wish to move money out of it, you will specify the amount and the account it will be going to.
- Next, you will receive two emails, at two different email accounts. You must click the verification link in both emails for the transaction to be approved. I strongly recommend you use two completely separate “real” email accounts – not Blur or 33mail addresses that forward emails to the same account. For my second account I set up a new, free ProtonMail account that is used ONLY for this purpose. This will allow you to take full advantage of Coinbase’s vault security protocol.
- Once you have approved the transaction, a 48-hour hold is placed on the funds. At any time during this 48 hours you can cancel the transfer. This means that if someone gains access to your login credentials and both email accounts, you will still have 48 hours to find out about the breach and cancel the transaction before your Bitcoins are actually gone.
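To make the three vault steps above concrete, here is a small model of the flow as this article describes it: two separate mailbox approvals, then a 48-hour hold during which the owner can still cancel. It is an added example, not Coinbase's code; the class, method names, state names, email addresses and dates are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

HOLD = timedelta(hours=48)  # hold period stated in the article

@dataclass
class VaultWithdrawal:
    """Hypothetical model of one vault withdrawal request."""
    amount_btc: float
    approvers: frozenset                      # the two email accounts on file
    approved_by: set = field(default_factory=set)
    hold_started: Optional[datetime] = None
    cancelled: bool = False

    def approve(self, email, now):
        if self.cancelled:
            raise PermissionError("withdrawal was cancelled")
        if email not in self.approvers:
            raise PermissionError("not an approver for this vault")
        self.approved_by.add(email)
        # The hold clock starts only once BOTH mailboxes have approved.
        if self.approved_by == self.approvers and self.hold_started is None:
            self.hold_started = now

    def cancel(self, now):
        """Owner cancels; only possible before the funds are released."""
        self.cancelled = self.state(now) != "released"
        return self.cancelled

    def state(self, now):
        if self.cancelled:
            return "cancelled"
        if self.hold_started is None:
            return "awaiting_approval"
        return "on_hold" if now - self.hold_started < HOLD else "released"

def demo():
    # Constructed scenario: both approvals go through, owner cancels at hour 47.
    t0 = datetime(2016, 1, 1, 12, 0)
    w = VaultWithdrawal(1.5, frozenset({"a@example.com", "b@example.com"}))
    w.approve("a@example.com", t0)
    seen = [w.state(t0)]                      # one approval is not enough
    w.approve("b@example.com", t0)
    seen.append(w.state(t0 + timedelta(hours=47)))
    w.cancel(t0 + timedelta(hours=47))
    seen.append(w.state(t0 + timedelta(hours=60)))
    return seen
```

The model also shows why forwarding both approval addresses to one inbox weakens the scheme: the two-approver check still passes, but a single compromised mailbox satisfies it.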
Coinbase Review Part I Wrap-Up
Part I of the Coinbase review has merely covered the security aspects of this service. I believe this is a hugely important aspect to cover. If people aren’t confident, they aren’t going to use the product, and Bitcoin does have a somewhat tarnished reputation. In part two of my Coinbase review I will talk about buying Bitcoin and using it to make purchases. Stay tuned!