At launch in 2013, BitGo was one of the first Bitcoin companies to enforce mandatory 2-factor authentication (2FA) for all users. The goal of 2FA is to improve security over simple passwords by introducing a second device to identify a user.
Although there are many superior forms of 2FA, the most popular method remains SMS. SMS is easy to set up because almost everyone has a cellphone and no app installation is required.
Unfortunately, because SMS is tied to your phone, SMS-based 2FA is only as secure as your phone. In the last few months, BitGo has become aware of dozens of examples of a new security threat: phone hijacking. Unfortunately, cell carriers are not adequately securing our accounts, and hackers have learned how to easily trick the carriers into porting your phone number to the attacker. Once the attack is executed, the attacker can receive your SMS-based 2FA codes and potentially steal your Bitcoins (as well as likely gain access to your email and any other services protected with weak, SMS-based 2FA). The rising incidents of phone hijacking have also been witnessed at Coinbase and at Kraken.
As of this writing, BitGo internal policies ban all SMS-based 2FA for employees. We’ve disabled all uses of phones as recovery or backup methods for all employees’ work and personal email accounts, as well as for any BitGo-related services.
Additionally, effective immediately, BitGo has withdrawn SMS as a 2FA method for all new user signups. New users must use client-side 2FA systems such as TOTP with Google Authenticator.
If you’re an existing BitGo user using SMS 2FA, you can continue to use it. However, we strongly recommend that you migrate to alternate methods as soon as possible. If you’re also using SMS 2FA outside of BitGo for your email accounts or as a “backup device”, we strongly recommend that you remove those as well.
Please let us know if you have comments or concerns; your security is always our top priority.