Secure Login • Coinbase Pro

Best practices for signing in to Coinbase Pro (Coinbase Advanced) and keeping your account secure.

Introduction — security is layered

Coinbase Pro provides robust platform controls, but account safety depends on both platform features and user behavior. A layered approach — strong passwords, two-factor authentication (2FA) or hardware security keys, careful API key management, session reviews, and anti-phishing practices — dramatically reduces the risk of unauthorized access and financial loss.

The guidance below focuses on practical steps you can take right away to harden login flows and protect assets on both personal and institutional accounts.

1. Use a strong, unique password

Your password is the first line of defense. Use a long passphrase or a randomly generated password with a password manager. Avoid reusing passwords across sites. If an attacker obtains credentials from another site, reused passwords make account takeover trivial.

Prefer a password manager to create and store complex passwords.
Enable automatic form-filling only on trusted machines.
Rotate passwords if you suspect a breach on any service where you used the same password.

2. Two-factor authentication (2FA) — enable it

2FA adds a second factor to login, significantly reducing the chance an attacker can sign in with only a stolen password. Coinbase Pro supports (or recommends) authenticator apps (TOTP) and WebAuthn / hardware security keys for the strongest protection.

Preferred 2FA methods

Hardware security keys (WebAuthn/FIDO2): The strongest, phishing-resistant method. Use a reputable key (e.g., YubiKey) and register multiple keys in case one is lost.
Authenticator apps (TOTP): Google Authenticator, Authy, or similar — provides time-based codes. Store backup recovery codes offline.
SMS (least preferred): Better than nothing but vulnerable to SIM-swapping; use only as a backup if no other options are available.

Practical tip: Register at least two 2FA methods — for example, a hardware key plus a TOTP app — so you can recover if one method is unavailable.

3. Use hardware security keys for phishing resistance

Hardware keys implement public-key cryptography and the WebAuthn standard, which prevents credential theft via phishing because the key will only authenticate the origin that registered it. If possible, register your hardware key as your primary login factor and keep a backup key securely stored.

Store the backup key separately (e.g., in a secure home safe or a safe deposit box).
Label keys clearly and test backup keys before relying on them for account recovery.
Watch for prompts that ask for credentials on unfamiliar pages—hardware keys will not sign for an origin you did not register.

4. API keys — least privilege and rotation

If you use Coinbase Pro APIs for bots or integrations, apply the principle of least privilege. Create separate API keys for different bots with only the scopes they need (e.g., read-only vs trading). Avoid enabling withdrawal permissions for keys unless absolutely necessary.

Use IP whitelisting where available to limit which hosts can use the API key.
Rotate API keys regularly and revoke keys immediately if an integration is compromised.
Store API secrets in vaults or secret managers—not in source code or public repositories.

5. Session & device management

Regularly review active sessions and trusted devices in your account settings. Revoke sessions you do not recognize and sign out of devices you no longer use. For shared or public machines, always sign out and clear browser caches.

Check recent login activity and IP geolocation if something looks suspicious.
Enable email or push notifications for new device logins if supported.
Use browser profiles and avoid saving passwords on public devices.

6. Phishing & social engineering defense

Phishing is the most common way attackers harvest credentials. Train yourself to verify URLs, certificates, and sender addresses. Never enter credentials or 2FA codes on a page reached from an unsolicited email or chat message.

Manually type or bookmark the official Coinbase Pro URL—do not follow links from emails unless you can confirm the sender and context.
Check for HTTPS and a valid certificate; look at the domain name carefully for impersonation (homoglyphs).
Be wary of urgent account messages that pressure you to act—scammers use fear to bypass good judgment.

Coinbase Pro support will never ask for your password, 2FA codes, API secrets, or private keys. If someone requests these, stop and report the incident immediately.

7. Account recovery & emergency steps

Plan for account recovery in case of lost 2FA devices or hardware keys. Store recovery codes offline and maintain secure contact details on your account so support can verify identity if needed.

If you lose access to your 2FA method, use any saved recovery codes first.
If recovery codes are not available, follow Coinbase Pro's documented account recovery flow—expect identity verification steps (ID documents, selfies, and timestamps).
In case of confirmed compromise, immediately rotate passwords, revoke API keys, deauthorize sessions, and contact support with details and timestamps.

8. Institutional & multi-user considerations

For institutional accounts, use role-based access controls, multi-user approvals, and corporate key management. Separate duties between traders, auditors, and administrators. Use enterprise-grade security features such as SSO, hardware-backed keys, and custody integrations for very large balances.

Implement change control and audit trails for API key creation and permission changes.
Adopt multi-approval workflows for withdrawals and large transfers.
Consider third-party custody or multisig solutions for large long-term reserves.

9. Troubleshooting common login issues

Forgot password: Use the "Forgot password" flow and verify via your email. If email access is lost, contact support with identity proof.
2FA device lost: Use backup recovery codes or registered backup keys. If unavailable, start account recovery.
API errors: Check key scopes, rate limits, and IP whitelists. Rotate keys if you suspect leakage.
Suspicious activity: Change passwords, revoke sessions and keys, and contact support with timestamps and device details.

FAQ

Is SMS-based 2FA secure?: SMS is better than nothing but vulnerable to SIM-swapping. Use authenticator apps or hardware keys for stronger protection.
How do I register a hardware key?: In Security settings, choose WebAuthn / Security Keys and follow prompts to register your device. Register a backup hardware key as well.
Can I restrict API keys by IP?: Yes—where supported, use IP whitelisting to restrict which hosts can use a given API key. This reduces risk if a key is leaked.

Quick actions

Head directly to key security pages from your account dashboard.

Secure my account now

Security checklist

Use a unique password stored in a password manager
Enable hardware keys or authenticator app for 2FA
Register a backup 2FA method and store recovery codes offline
Apply least privilege to API keys and rotate them regularly
Review sessions and revoke unfamiliar devices
Be vigilant against phishing—verify URLs and emails

Support & reporting

For suspected compromise or urgent issues, gather timestamps, device details, and any relevant TXIDs. Contact Coinbase Pro support using official channels and follow their incident guidance.