Two-factor authentication (2FA) is an extra security layer that verifies your identity when logging into your BitMEX account. With 2FA enabled, you must verify through a second device alongside your password. That second device is either an authenticator app that generates a time-based code or a hardware security key that you physically touch. Even if your password is stolen, unauthorised access is blocked without that second step.
How does 2FA protect my BitMEX account?
Two-factor authentication (2FA) requires two separate verification steps to access your BitMEX account. The first factor is something you know: your password. The second factor is something you physically have: a mobile device running an authenticator app, or a hardware security key such as a YubiKey.
Attackers who obtain your password through phishing, data breaches, or credential stuffing still cannot access your account. Without physical possession of the registered device, the second verification step cannot be completed. On BitMEX, 2FA protects more than just login. Two-factor authentication is also required every time you submit a withdrawal request, ensuring that funds cannot leave your account without verification from your registered device.
What types of 2FA does BitMEX support?
BitMEX supports two types of two-factor authentication: Hardware-based authentication via YubiKey and TOTP (Time-based One-Time Password).
(Recommended) YubiKey hardware keys use the FIDO U2F or WebAuthn protocol. Instead of entering a code manually, you physically tap the YubiKey when prompted by your browser. The key performs a cryptographic verification directly with BitMEX, binding authentication to the genuine BitMEX domain. This makes YubiKeys highly resistant to phishing because the hardware will refuse to complete the verification on a fraudulent domain. For instructions on setting up either method, refer to the How do I enable 2FA? guide.
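The domain binding described above has two halves: the browser reports the page's origin in clientDataJSON and the authenticator hashes the relying-party ID into its signed data, and the site's server then refuses any assertion whose origin or rpIdHash does not match the genuine site. The following Python is an added illustration of that server-side half, not BitMEX code; the relying-party ID, origin, challenge and the look-alike phishing origin on the reserved .example TLD are all constructed assumptions, and the final signature check over authData || sha256(clientDataJSON), which is what makes these fields tamper-evident, is left out because it needs a registered credential's public key.

```python
import base64
import hashlib
import json

# Assumed values for illustration; the real relying-party ID, origin and
# challenge are chosen by the site and its server, not by this snippet.
RP_ID = "www.bitmex.com"
EXPECTED_ORIGIN = "https://www.bitmex.com"
CHALLENGE = b"constructed-random-challenge-32B"  # server-issued nonce, constructed here


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces.
    In a real ceremony the browser, not page script, fills in 'origin'."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 7) -> bytes:
    """Constructed authenticator data: rpIdHash || flags || signCount.
    Flags 0x05 = user present (UP, the physical tap) + user verified (UV)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def verify_binding(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                   expected_origin: str, rp_id: str) -> tuple:
    """Relying-party checks that tie an assertion to the genuine site.
    Returns (accepted, reason). Signature verification is a separate step."""
    try:
        client = json.loads(client_data_json)
        challenge = b64url_decode(client.get("challenge", ""))
    except ValueError:
        return False, "clientDataJSON is malformed"
    if client.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if challenge != expected_challenge:
        return False, "challenge mismatch (replay or stale request)"
    if client.get("origin") != expected_origin:
        return False, f"origin mismatch: {client.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match relying-party ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set (no touch)"
    return True, "ok"


# Constructed samples: one assertion from the genuine origin, one as it would
# arrive from a look-alike page on the reserved .example TLD.
GENUINE_CLIENT_DATA = build_client_data(EXPECTED_ORIGIN, CHALLENGE)
PHISHING_CLIENT_DATA = build_client_data("https://login.bitmex.example", CHALLENGE)
GENUINE_AUTH_DATA = build_auth_data(RP_ID)
PHISHING_AUTH_DATA = build_auth_data("login.bitmex.example")

if __name__ == "__main__":
    print(verify_binding(GENUINE_CLIENT_DATA, GENUINE_AUTH_DATA, CHALLENGE, EXPECTED_ORIGIN, RP_ID))
    print(verify_binding(PHISHING_CLIENT_DATA, PHISHING_AUTH_DATA, CHALLENGE, EXPECTED_ORIGIN, RP_ID))
```

Running the block prints an accepted result for the genuine sample and an origin-mismatch rejection for the look-alike one. In practice the phishing case usually fails even earlier: the browser only lets a page use a relying-party ID within its own registrable domain, so the key is never asked for a credential scoped to the genuine site, which is the refusal the text describes.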
TOTP authenticator apps such as Google Authenticator or Authy generate a six-digit code that refreshes every 30 seconds. When logging in or submitting a withdrawal, you enter the current code displayed in the app. The 30-second expiry window ensures the code is only valid for a short time, significantly limiting the window of opportunity for an attacker to use an intercepted code.