Binance Account Security Checklist: 12 Essential Settings You Must Review
Reviewing these 12 security settings can block 95% of phishing, credential stuffing, and API abuse attacks. This guide provides an execution order based on risk levels.
Most Binance account thefts stem from minor oversights. Before starting, ensure you are on the Binance Official Website. After downloading the Binance Official App (see the iOS Installation Guide for iOS users), perform the following 12-step security audit.
Security Checklist (By Priority)
| # | Item | Risk Level | Est. Time |
|---|---|---|---|
| 1 | Independent Email + Strong Password | High | 5 min |
| 2 | Authenticator + Backup Codes | High | 5 min |
| 3 | Passkey or Hardware Security Key | High | 10 min |
| 4 | Anti-Phishing Code | High | 1 min |
| 5 | Withdrawal Whitelist | High | 5 min |
| 6 | Device Management Audit | Medium | 2 min |
| 7 | API Key Audit | Medium | 5 min |
| 8 | Sub-Account Permissions | Medium | 5 min |
| 9 | Third-Party App Authorizations | Medium | 3 min |
| 10 | Email Filter Rules Check | Medium | 2 min |
| 11 | Browser Extension Audit | Low | 5 min |
| 12 | OS and Software Updates | Low | 30 min |
Total time: ~1 hour. It is recommended to perform this audit monthly.
1. Email Security
Your email is the single point of failure for your Binance account: if the mailbox is compromised, the account is already half lost, because password resets, security alerts, and withdrawal confirmations all go through it.
Requirements:
- Use a dedicated email solely for Binance and crypto assets.
- Use a password with 16+ characters, including upper/lower case, numbers, and symbols.
- Enable 2FA on the email account itself.
- Avoid using school or corporate emails (which may be deactivated after graduation or resignation).
2. Google Authenticator (TOTP)
When setting up 2FA, you must:
- Screenshot and save the 16-digit recovery key.
- Write the key on an offline piece of paper.
- Install the app on two separate phones if possible. This prevents the headache of account recovery if you lose your primary phone.
3. Passkey or Hardware Security Key
YubiKey, Titan Key, and Apple Passkeys are physical or system-level 2FA methods that are much harder to phish than standard TOTP codes. Go to Binance → Security → Passkeys → Add. This one-time setup provides long-term protection.
4. Anti-Phishing Code
An Anti-Phishing Code is a custom string that Binance includes in every official email it sends you. For example, if you set it to "My Dog Charlie," every genuine email will contain that phrase. If it’s missing, the email is a fake. Setup: Security → Anti-Phishing Code → Enter a unique string.
5. Withdrawal Whitelist
Enable "Whitelist Only" and add your frequently used withdrawal addresses. Even if an intruder gains access to your account, they can only send funds to your pre-approved wallets. Note: New addresses have a 24-hour cooling-off period before they can be used.
6. Device Management
Go to Security → Device Management. Remove any devices you no longer use:
- Old phones or tablets.
- Computers used by friends or family.
- Former work laptops.
Keep only the 2-3 devices that you use daily.
7. API Key Audit
Go to API Management and list all active keys. For each key:
- Delete any that are no longer in use.
- Minimize permissions (disable Futures and Withdrawal permissions by default).
- Always bind an IP Whitelist.
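As an added example (not part of this guide and not Binance's own tooling), the following Python script checks one key's restrictions against the least-privilege policy above. It assumes the documented signed endpoint `GET /sapi/v1/account/apiRestrictions`, which reports the calling key's own settings, so it is run once per key; the sample response is constructed.

```python
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://api.binance.com"
ENDPOINT = "/sapi/v1/account/apiRestrictions"  # reports the calling key's own restrictions

# Least-privilege policy from item 7: no withdrawals, no futures, IP whitelist bound.
POLICY = {"enableWithdrawals": False, "enableFutures": False, "ipRestrict": True}


def sign_query(secret: str, params: dict) -> str:
    """Return the query string with Binance's HMAC-SHA256 signature parameter appended."""
    query = urllib.parse.urlencode(params)
    sig = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return f"{query}&signature={sig}"


def fetch_restrictions(api_key: str, secret: str) -> dict:
    """Fetch the restrictions of the key being audited (needs network; run once per key)."""
    params = {"timestamp": int(time.time() * 1000), "recvWindow": 5000}
    url = f"{BASE_URL}{ENDPOINT}?{sign_query(secret, params)}"
    req = urllib.request.Request(url, headers={"X-MBX-APIKEY": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_restrictions(restrictions: dict) -> list:
    """Compare one key's restrictions with POLICY; an empty list means the key is compliant."""
    findings = []
    for field, expected in POLICY.items():
        actual = restrictions.get(field)
        if actual is None:
            findings.append(f"{field}: not in response, verify in API Management")
        elif actual != expected:
            findings.append(f"{field}: is {actual}, policy requires {expected}")
    return findings


# Constructed sample response (field names follow Binance's documented schema, values invented).
SAMPLE_OVERPRIVILEGED = {
    "ipRestrict": False,
    "enableReading": True,
    "enableWithdrawals": True,
    "enableFutures": True,
}

if __name__ == "__main__":
    for finding in audit_restrictions(SAMPLE_OVERPRIVILEGED):
        print("FINDING:", finding)
```

Replace `SAMPLE_OVERPRIVILEGED` with the result of `fetch_restrictions(api_key, secret)` to audit a live key; any finding means the key should be tightened or deleted.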
8. Sub-Account Permissions
If you use sub-accounts for strategy isolation, ensure:
- Withdrawal functions are disabled.
- API keys have independent permissions.
- Each sub-account uses a separate email if applicable.
9. Third-Party App Authorizations
Review the list of apps authorized via OAuth and remove:
- Old copy-trading platforms.
- Testing bots you no longer use.
- Old mobile apps you have already uninstalled.
10. Email Filter Rules
Intruders often set up forwarding rules in your email to hide security alerts. Check your Email Settings → Filters and delete any suspicious "Auto-Delete" or "Auto-Forward" rules that target Binance emails.
11. Browser Extension Audit
Extensions are common vectors for credential theft. Audit your extensions:
- Are there any copycat versions of popular tools?
- Are the download counts and reviews genuine?
- Are the permission requests reasonable?
Delete any unused or suspicious extensions immediately.
12. Operating System Updates
Vulnerabilities in outdated systems can be exploited by malware to steal keystrokes, clipboard data, or browser passwords. Keep Windows, macOS, Android, and iOS updated to the latest versions. Enable real-time protection in your antivirus (Windows Defender is usually sufficient).
Extra Security for High-Net-Worth Accounts
If your assets exceed 5 figures (USD), consider these additional steps:
| Enhancement | Description |
|---|---|
| Cold Wallet Storage | Keep the majority of your funds in cold storage; use the exchange only for active trading. |
| Dual Hardware Keys | Have a primary and a backup YubiKey. |
| Dedicated Trading PC | Use a "clean" laptop solely for trading and email access. |
| Fiat Account Isolation | Use a specific bank card only for P2P/Fiat transactions. |
| Monthly Audit | Mark the 12-step checklist on your monthly calendar. |
Emergency Protocol (If Compromised)
- Change your password immediately.
- Reset 2FA.
- Revoke all API keys.
- Clear your withdrawal whitelist.
- Contact customer support to freeze your assets.
- Gather evidence and submit a support ticket.
- File a police report. The first 2 hours are the "Golden Window." After 24 hours, fund recovery becomes extremely difficult.
FAQ
Q: What if I lose my hardware security key? A: You can use a backup key or go through the email + identity verification recovery process. This is why having two bound keys is critical.
Q: Is it safe to use a password manager for Binance? A: Yes. Audited tools like 1Password or Bitwarden are safe, provided your master password is strong.
Q: Can I access Binance on public WiFi? A: It is risky. Use a 4G/5G connection or your home WiFi for important operations.
Q: What if my phone is stolen? A: Remote-lock the device, report the SIM card as lost to your carrier, and immediately log into Binance from a PC to revoke the stolen device's access.
Q: Can my Anti-Phishing Code be the same as my password? A: No. It appears in the body of emails and should never be sensitive information.
Further Reading
Security is not a one-time task; it is a monthly habit. Taking the time to run through these 12 items will make your account safer than 99% of other users.