Hardware-key 2FA is now the default for new accounts
1. The change
From 2026-02-19, the signup flow on bitexasia.com asks new users to register a FIDO2 hardware key (YubiKey, Solo, Titan, or a platform authenticator such as Touch ID / Windows Hello) before offering SMS or TOTP. SMS remains available as a fallback for accounts under $10,000 in equivalent value, but it is no longer the path of least resistance.
2. Why this matters
Through 2025, every successful account-takeover incident on the platform involved either (a) a SIM swap against an SMS-protected account or (b) a phishing landing page that fooled a user into typing their TOTP code into a fake login. Zero incidents involved an account where the only second factor was a hardware key. A FIDO2 signature is bound to the website's origin — a phishing page at bitexasia-secure.com cryptographically can't reproduce a valid signature for bitexasia.com.
3. What signup looks like now
Step 1 — Verify email
Same as before. Click the verification link.
Step 2 — Add a security key
Browser-native WebAuthn prompt. Plug in a YubiKey and tap it, or use a platform authenticator (Touch ID, Face ID, Windows Hello). It costs nothing and takes about five seconds.
Step 3 — Optional fallback
If you want SMS as a backup, you can add it now. We strongly recommend at least two FIDO2 devices instead — a backup key in a drawer beats a phone you might lose along with the primary.
Step 4 — KYC and payment method
Identity verification and payment connection happen after the security setup. This is deliberate — your security setup shouldn't be a footnote.
4. What about existing accounts?
Existing users keep whatever 2FA they had. We're rolling out a soft prompt on next login that walks through hardware-key registration as a one-time upgrade. Accounts with balances above $10,000 get a stronger nudge: a banner on every login until they either add a hardware key or explicitly dismiss it.
We're not forcing anyone off SMS yet. Forced upgrades of a security control tend to push the user base toward the path of least resistance even when it's a bad path. The right move is to make the better path easier than the worse one.
5. We don't sell hardware keys
FIDO2 is an open standard. Any compliant key works. If you need a recommendation: YubiKey 5 series ($45–60) or Solo 2 ($60). Don't buy from us — we don't sell them, and we don't take a cut from any vendor. Buy direct.
6. Metrics we'll watch
- FIDO2 adoption rate on new accounts (target: >85% within 90 days).
- Account-takeover incident rate (baseline 2025: 0.04 incidents per 10k MAU per month).
- Support ticket volume for "lost 2FA, can't log in" — we expect this to go up briefly as people lose hardware keys, then plateau as the recovery flow matures.
We'll publish a 90-day follow-up.
Security guides on the platform are in the FAQ under "How do you secure customer assets?". Related: how we publish incident post-mortems, external penetration test results.