This post walks through some of the general safety features on FTX US. It is not an exhaustive list.
Personal Account Security
Password Strength and 2FA Requirement
When you register an account at FTX US, we require a password that contains a combination of numbers, letters, and special characters, with no predictable patterns. Registration cannot be completed until the password is compliant.
2FA setup is mandatory before you can transact in any way on any created account. You will be prompted to set it up, and you can also find the setting at ftx.us/profile.
2FA for Withdrawals & Withdrawal Passwords
We firmly believe in protecting all withdrawals. We start at a practical level by allowing users to activate a dual security layer: 2FA and a separate password for all withdrawals. Find both of these settings at ftx.us/profile.
Withdrawal Lock After 2FA Removal or Password Change
After an account status change such as:
- 2FA Removal
- Password Change
we may lock withdrawals on the account for at least 24 hours.
Tracking and Notifying Users of Suspicious Activity
When we see an unusual login attempt on an account, even if it is just the username and password without the 2FA code, we may still notify the owner of the account so that they can take the necessary precautions.
Additional Security Features
Subaccount Login Functions
FTX US now allows you to create custom logins! With them, you can allow other people to log into your account with configurable permissions.
Creating a login
Go to your Settings page, scroll down to the Account Security section, and click the Custom Logins tab.
You'll see a form that lets you create a login with permissions. Each login has a name and password, and you can specify the following permissions:
- Subaccount: You can restrict the login's access to only one subaccount, or let it access all accounts.
- Read-Only: Read-only logins can't take actions on the site (e.g. cannot trade, withdraw, transfer), but can view and download things such as trade history.
- Can Withdraw: Whether or not this login is allowed to withdraw on the blockchain, to OTC, or transfer between subaccounts.
Using a login
There are two ways to authenticate with a custom login (password requirements still apply):
1) You can go to the URL next to the login you want to use (click the Copy button next to it), and the login form at that URL will be pre-populated with a code that corresponds to that login.
2) You can go directly to https://ftx.us/login and enter your account email (used for your main login), the custom login name, and your password.
When non-read-only logins are created, their 2FA is set to that of the main login. You may change their 2FA using the Login Settings section on the settings page when logged in to them. Read-only logins do not require 2FA.
Only the main login can change withdrawal password settings, change whether withdrawals require 2FA, reset the main login password, and manage other logins.
Custom logins are compatible with FTX US OTC. Only those with no subaccount restriction are allowed access to OTC. The other settings (read-only, withdrawal-enabled) also apply when using FTX US OTC.
To use them for OTC, first log in to FTX US using one of the methods above, then visit https://otc.ftx.us/.
Deleting a login
If you want to delete a custom login, click the trash can icon in the Login table on your settings page. Doing so will remove access for anyone currently logged in and using it.
When setting up your API keys at ftx.us/profile, you can set the following security permissions:
- Withdrawals enabled
- Internal transfers enabled (between subaccounts)
- IP whitelist (API Key only usable from specified IP)
Whitelisting Wallet Addresses
Address whitelisting requires that all withdrawals go to predesignated whitelisted addresses.
You can whitelist addresses saved to your main account from the Saved Addresses page. Doing so requires 2FA and withdrawal passwords, if enabled. After submitting an address for whitelisting, you will be notified via email, and the address will be usable after a configurable delay. You can also elect to only allow FTX US admins to whitelist addresses for your account (limited to clients in VIP1/MM1 or higher).
Disabling this setting or reducing the whitelisting delay requires contacting an FTX US admin.