Providing secure storage of bitcoin is one of the most important products we offer at Coinbase. In that vein, we’d like to mention some new security features that we’ve added:
Improved Offline Storage Of Bitcoin
As you may have read previously, we keep most customer bitcoin disconnected from the internet in what we call “cold storage”. Over the past few months, we have spent time improving both the security of those coins and the percentage of coins held offline.
First, we have implemented a key splitting scheme and geographically distributed the shared pieces to various safe deposit boxes and vaults around the world. This ensures that keyholders are never geographically located in the same place during the course of normal events, so there can’t be a single point of failure for compromise. It also ensures keys are protected against loss since the data is backed up with redundancy. For more on our cold storage security you can visit our security page.
Second, we have been able to increase the overall percentage of bitcoin stored offline. While previously we were able to keep approximately 90% offline, we are now able to keep as high as 97% of funds offline. The exact amount changes on a day to day basis, but this additional layer of security is important to use as broadly as we can.
Requiring Two Factor Authentication On Send (and other actions)
Most of our users already have a phone added to their account, which gives them two factor authentication. This requires a verification code from your phone, in addition to your regular password, to sign in.
Two factor authentication on sign in offers an important layer of protection, but doesn’t cover the case where someone might gain access to your computer after you’ve already signed in (say you walk away from your desk without locking the screen, or someone is able to capture your session token).
So to solve this, we now require two factor authentication when you send more than a certain amount out of your account per day. For example, if you try to send more than $100 worth of bitcoin in a 24 hour period, you will now be asked to enter your two factor verification code. The exact threshold or amount may change over time, but this security feature should provide a nice additional layer of protection.
In addition to requiring two factor on send, we have also added two factor around various other sensitive actions on Coinbase, including:
- Recurring sends
- Enabling/disabling your API key
- Changing your password
- Changing phones on your account
- Changing your Google Authenticator settings
- Changing your SMS PIN
Note: Two factor verification does not apply to Coinbase access via the API key or via OAuth. So you still need to be careful not to leak your API key, and to authorize only trusted applications via OAuth.
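To make the step-up rule concrete, here is an added illustration (hypothetical code, not Coinbase's implementation) of a rolling 24-hour check that asks for a second factor once cumulative sends would exceed the $100 threshold, and that mirrors the note above by skipping the check for API-key and OAuth access. The `$100` and 24-hour values are the ones quoted in the post; the sample sends and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Policy values as quoted in the post; the post says they may change over time.
STEP_UP_THRESHOLD_USD = 100.0
WINDOW = timedelta(hours=24)


def rolling_total(prior_sends, now, window=WINDOW):
    """Sum of completed sends whose timestamp falls inside (now - window, now]."""
    window_start = now - window
    return sum(amount for ts, amount in prior_sends if window_start < ts <= now)


def requires_second_factor(prior_sends, new_amount_usd, now, interface="web",
                           threshold=STEP_UP_THRESHOLD_USD, window=WINDOW):
    """Decide whether this send must be confirmed with a 2FA code.

    prior_sends:  iterable of (datetime, usd_amount) sends already completed.
    interface:    "web" for an interactive session; "api" or "oauth" model the
                  post's note that those access paths are not covered by 2FA.
    Returns True when the rolling-window total plus this send exceeds threshold.
    """
    if interface in ("api", "oauth"):
        # Per the post, API-key and OAuth access bypass the check, which is why
        # those credentials need the same care as the account password.
        return False
    return rolling_total(prior_sends, now, window) + new_amount_usd > threshold


# Constructed sample data (hypothetical): one send inside the window, one just outside.
SAMPLE_NOW = datetime(2013, 10, 1, 12, 0, 0)
SAMPLE_SENDS = [
    (SAMPLE_NOW - timedelta(hours=23), 60.0),   # counts toward the 24h total
    (SAMPLE_NOW - timedelta(hours=25), 500.0),  # older than 24h, ignored
]

if __name__ == "__main__":
    for amount in (30.0, 50.0):
        needs_2fa = requires_second_factor(SAMPLE_SENDS, amount, SAMPLE_NOW)
        print(f"send ${amount:.2f} via web -> second factor required: {needs_2fa}")
    print("send $50.00 via api  -> second factor required:",
          requires_second_factor(SAMPLE_SENDS, 50.0, SAMPLE_NOW, interface="api"))
```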
Audit Trails And Open Sessions
It can sometimes be helpful to see recent activity on your account, and how many sessions you have open. You can now keep track of your account activity and session history from the activity page. The activity page lets you view most actions that have been taken on your account, when they took place, from what IP address, and from what interface (e.g. “Web” or “API”). You can also see open sessions on your account and sign out other sessions that may have been accidentally left open.
Security is something we take seriously at Coinbase and that we’ll continue to improve over time. We already have two or three other projects in the pipeline. We welcome all suggestions from the community, and have an active community of security researchers who we collaborate with to keep Coinbase safe. We’ll continue to update you as we make progress on this important area of the platform.