Two-Factor Authentication (2FA)

Oct 25, 2025

We advise our users to install an Authenticator app (Google Authenticator, Microsoft Authenticator) as their primary 2FA method, so that their AX accounts are protected from phone-porting (SIM-swap) attacks.

Two-Factor Authentication (2FA):

When you log in to any cloud service that stores something of value (money, data, assets), it is crucial to use two factors: something you know (a strong password) and something you have (such as your mobile phone). Sending a six-digit PIN via SMS to your phone let online services check, during login, that it really was you requesting access.

The intent was for the second factor to be a physical device that is always in your control. But an SMS code only proves that you have access to your phone number, not to the phone itself. This distinction matters because phone numbers can be stolen far more easily than physical phones: an attacker who talks a carrier into porting your number to their SIM (a SIM-swap or port-out attack) receives your SMS codes without ever touching your device.

Authenticator as your primary second-factor authentication:

We recommend that all users, especially those with high balances or those who are more security conscious, install a device-only 2FA app, commonly referred to as an Authenticator app. Examples are Google Authenticator and Microsoft Authenticator.

First download the Authenticator app on your mobile device, then scan the QR code on AX's security settings page. That QR code carries a secret key that is shared once between your device and AX; after enrollment it never leaves your phone or AX's servers. From then on the Time-based One-Time Password (TOTP) protocol is used every time you log in: the app combines the secret key with the current time (in 30-second steps) to produce a six-digit code, and when you enter that code AX recomputes it from the same secret and the same time step and checks that the two match. Unlike SMS, nothing is sent over the carrier network, so a SIM swap or intercepted text message gives an attacker nothing. One caveat: the six-digit code is still typed into the login page, so a phishing site that relays it to AX within the same 30-second window can use it. Always check that you are on AX's real domain before entering a code.
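The enrollment-and-login flow described above, as an added worked example (this is illustrative code written for this page, not AX's or Google's implementation): the server generates a secret, the QR code encodes it as an otpauth URI, the app computes HOTP over the current 30-second step, and the server verifies with a one-step drift window and replay protection. The issuer and account name are assumed placeholders; the secret used in the demo is the published RFC 6238 test secret so that the codes can be checked against the RFC's test vectors.

```python
"""Worked TOTP (RFC 6238) enrolment and login flow (added example, not AX's code)."""
import base64
import hashlib
import hmac
import os
import struct
import urllib.parse

STEP_SECONDS = 30   # time step used by Google/Microsoft Authenticator by default
DIGITS = 6

# Constructed input: the 20-byte ASCII secret from the RFC 4226/6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> bytes:
    """Server side: generate the shared secret once, at enrolment."""
    return os.urandom(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Text encoded in the QR code on the security settings page (Key URI format).

    `account` and `issuer` are assumed placeholder values.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": DIGITS, "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the Authenticator app computes: HOTP with counter = floor(time / step)."""
    return hotp(secret, int(unix_time) // step)


class TotpVerifier:
    """Server-side check: tolerates +/- `window` steps of clock drift and never
    accepts a time step at or before the last one it already accepted (replay)."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        now = int(unix_time) // STEP_SECONDS
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # already used (or older than a used step): reject replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


def demo() -> dict:
    """Enrol, then attempt one good login, one replay and one bad code."""
    secret = RFC_TEST_SECRET
    uri = provisioning_uri(secret, "alice@example.com", "AX")  # assumed names
    verifier = TotpVerifier(secret)
    t = 1234567890                       # RFC 6238 vector for this time: 89005924
    code = totp(secret, t)               # the app shows the last six digits: 005924
    return {
        "uri": uri,
        "code": code,
        "first_login": verifier.verify(code, t + 5),   # typed a few seconds later
        "replayed": verifier.verify(code, t + 5),      # same code again is refused
        "wrong": verifier.verify("000000", t + 5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The replay guard is the part most home-grown TOTP verifiers forget: without it, a code phished or shoulder-surfed within the 30-second window (plus the drift window) can be reused until it expires.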

To make future account recovery easy, write down the secret key shown when you link AX with your Authenticator app, on paper or on a USB key that is kept offline. In a forthcoming release we will provide backup recovery codes, and at that point we will recommend writing those down instead. Note that this method trades usability for security: if you lose the device with the Authenticator app and do not have a copy of the secret key, you will have to contact AX support. That is why it is important to record the secret key and store it securely when you set up the Authenticator, to avoid delays in account recovery later on.

We also support the Authy app, which, instead of the usual QR-code method of sharing the secret key, uses an API to deliver the secret key to your device. Once you have installed Authy, we recommend disabling the Multi-device option, which prevents anyone from registering an additional Authy device on your account. Also pay attention to any emails or SMS messages you receive from Authy, as they will contact you if they see someone trying to change your 2FA data.