Train, Build & Execute

Basic Security — Start safe with MFA/TOTP, Passwords & Anti‑Phishing

Read time: 6–9 min • Category: Operational Security

First steps to keep your crypto accounts safe: MFA/TOTP or passkeys, strong passwords, anti‑phishing and seed/backups.

0) What you will ensure

Before going serious with crypto, let's lock down your accounts: enable MFA (TOTP or passkeys), use strong unique passwords, and apply anti‑phishing best practices. Goal: minimize the chance of account takeover.

---

1) MFA without headaches (order of preference)

• Passkeys / Security keys (FIDO2/WebAuthn) — the safest and simplest when available.
• TOTP (30‑second codes in an app like Authy / Google Authenticator) — great alternative if passkeys are not available.
• SMS — avoid when possible (least secure).

Enable first on: primary email, exchanges and your password manager.

---

2) Passwords (the basics that work)

• Use a password manager (it stores and creates passwords for you).
• Create long unique passphrases (never reuse between services).
• Update old/weak logins. Turn on MFA on the password manager too.

---

3) Device hygiene (avoid nasty surprises)

• Keep OS and apps updated.
• Avoid unnecessary browser extensions.
• Separate contexts: use a profile/browser just for crypto.
• If you use a hardware wallet, confirm the address on the device screen before sending.

---

4) Practical anti‑phishing

• Enable the exchange's anti‑phishing code (visual check for official emails).
• Never log in through links in emails/DMs: type the domain or use a bookmark.
• Be skeptical of urgency and “giveaways”. Always confirm directly in the official app.

---

5) Seed, backups and test (for self‑custody)

• Seed offline (paper/metal). Never cloud or screenshots.
• Keep two copies in different, protected places.
• Run a recovery test (restore in a safe environment and verify everything) before moving larger amounts.

---

6) Quick step‑by‑step (checklist)

1. Enable passkeys or TOTP on email, exchanges and password manager.
2. Turn on the exchange anti‑phishing code and login alerts.
3. Set up the password manager and replace weak/duplicated passwords.
4. Update devices, clean extensions, and create a dedicated profile for crypto.
5. Organize seed & backups and run a recovery test (if self‑custody).

More on cryptoslug.pt — Gunbot strategies, automation & discipline.