Glossary

Verification Code

1405/1/27

A verification code is a short one-time code (usually 6 digits) used to prove that a user controls a specific device, phone number, or account. Crypto exchanges, wallets, and mining pools use verification codes as a second factor beyond a password — known as 2FA (two-factor authentication).

Types of verification codes

TOTP (Authenticator apps)

Generated locally by apps like Google Authenticator, Authy, or hardware tokens. Based on the TOTP standard (Time-based One-Time Password) — the code rotates every 30 seconds using a shared secret established at setup.

  • Strong — code generation happens offline; no intermediary can intercept
  • Recommended as the default 2FA method on most exchanges

SMS codes

Sent to the user's phone number via text message.

  • Weak — vulnerable to SIM swap attacks, where an attacker convinces a carrier to transfer the victim's number to a SIM they control, capturing all incoming codes
  • Multiple high-profile crypto losses have started with SIM swaps
  • Avoid SMS 2FA if an alternative is available

Email codes

Sent to the user's registered email address.

  • Only as secure as the email account itself — if the email account is compromised, so are the codes
  • Often used for one-off actions (password reset, new-device login) rather than every login

Hardware security keys (Passkeys, U2F, WebAuthn)

Physical devices (YubiKey, Titan) that sign a cryptographic challenge. This is the strongest option: it is not a code at all, and it is immune to phishing.

Anti-phishing codes

Many exchanges offer an anti-phishing code — a personal string you configure that appears in every legitimate email they send you. If an email claims to be from the exchange but the anti-phishing code is missing or wrong, it's a phishing attempt.

Rules of thumb

  • Prefer TOTP or hardware keys over SMS
  • Never share a verification code with anyone — support staff will never ask for it
  • Back up 2FA seeds when setting up TOTP (many apps offer encrypted cloud backup)
  • Enable withdrawal whitelists on exchanges as an extra layer
