Most beginners, the moment they finish signing up, head straight for the market page to figure out their first buy. I get the impulse, but if you actually rank things by importance, what to buy doesn't make the top three. A bad buy costs you one trade. An account that gets taken over costs you the balance and the account both. The first you can recover from over time; the second is usually one-and-done, and irreversible.

And the thing is, locking down your account has a very low bar: a few switches, fifteen minutes, and it stays in effect from then on. This piece lays out the three settings most worth turning on in Binance — two-factor authentication, an anti-phishing code, and a withdrawal whitelist — then adds a few habits that matter more than the settings, and finishes with a checklist you can tick off.

1. Why security comes before picking a coin

The logic is plain: security is your floor, returns are your ceiling. If the floor isn't solid, a high ceiling means nothing.

  • The downside isn't symmetric. Misread the market and you lose part of your capital, with a chance to earn it back. Get your account hacked and your coins moved out, and it's usually all of it, with no way to recover. Once an on-chain transfer confirms, there is no "undo" button.
  • Attackers don't care how much you know. Phishing, credential stuffing, fake support — these are cast wide. They don't pass you by just because you're new or your balance is small. If anything, beginners with no defenses set up are the easiest mark.
  • The cost is basically zero. These settings don't cost money and don't get in the way of normal trading. They're purely a lock on your account. There's no reason not to do them.

So even if you haven't decided what to buy today, it's worth finishing this page first and getting the locks on. We'll start with the most important one — two-factor authentication.

2. Two-factor auth: why an authenticator app beats SMS

Two-factor authentication (2FA) means that when you log in or withdraw, you enter a one-time code on top of your password. Even if your password leaks, a password alone won't get anyone in. Binance generally supports a few 2FA methods, but they differ a lot in how secure they are:

  • An authenticator app (such as Google Authenticator, or Binance's own Authenticator) — the first choice. It generates a six-digit time-based code locally on your phone, never touching the network or your mobile carrier. Without your phone, no one gets the code.
  • SMS codes — usable, but not your main line. An SMS code travels over the carrier's network, which exposes it to SIM-swap attacks (someone re-issuing your number) or interception. It's better than nothing, but clearly weaker than an authenticator.
The takeaway up front: Turn on an authenticator app as your primary 2FA, and keep SMS as a backup at most. When you set up the authenticator, the system gives you a backup key string (or a QR code). Be sure to write that key down offline and store it safely. If you lose your phone or switch devices, that key is what recovers your access; without it you can lock yourself out.

The setup is usually under the "Security" settings of your account. For the exact steps and supported methods, go by the security-settings guidance in the Binance official help center. For how two-factor auth works in general, see the Wikipedia entry on multi-factor authentication.

3. Anti-phishing code: how to set it, what it stops

The anti-phishing code is a feature a lot of people have never heard of but is unusually useful. In your security settings you define a string of characters only you know, and from then on every official email Binance sends you carries that string in a prominent spot.

What does it stop? Fake emails. Scammers forge "official Binance" emails with alarming subject lines ("account anomaly," "verify immediately") to lure you onto a phishing site and enter your password there. But the scammer doesn't know your anti-phishing code, so a fake email either won't carry the string at all, or will fill in the wrong one. So:

  • An email carrying your correct anti-phishing code is very likely a genuine official email;
  • An email without it, or with the wrong code, can basically be treated as phishing — delete it, and don't click any link.
One thing to watch when setting it: Make the string easy for you to recognize, but don't use sensitive information like your password or birthday — it's just an "authenticity mark" in emails, not a password. Once it's set, get into the habit of checking every "Binance" email for the string first, and most phishing emails give themselves away on the spot.

Phishing is a long chain, and fake emails are just one link in it. We've written a separate piece on the other links: how to spot a fake Binance app, fake support, and fake airdrops. It's well worth reading alongside this one.

4. The withdrawal address whitelist

The withdrawal whitelist (address management / withdrawal address whitelist) is the last and the hardest gate. Once it's on, your coins can only be withdrawn to addresses you've added and verified in advance — any other unfamiliar address simply can't receive a withdrawal.

It guards against the worst case: if your account gets controlled, and the attacker wants to move coins to an address of theirs, that address isn't on your whitelist, so the transfer gets blocked. It's like saying "even if a thief gets into the house, the door only lets things be carried to the few places you named."

  • Add the addresses of wallets you actually own. Your own wallet, say, or another account you've confirmed is safe.
  • Turn on "only allow withdrawals to whitelisted addresses." The whitelist only works as a lock once that switch is on.
  • Adding a new address usually has a cooling-off period or extra verification. That's a good thing — it gives you time to react, so don't begrudge the friction.
Always check the address before withdrawing: The whitelist handles "where it can go," but the moment you add an address you must make sure the address itself is correct. After pasting, verify the first and last few characters digit by digit, and send a small amount first before a large one. For the full withdrawal flow and the points on choosing a chain, see how to move coins from Binance to your own wallet.

5. Devices, authorizations, and API management

Beyond the three main lines above, a few spots are worth checking periodically:

  • Device and login management. Your security settings show which devices have logged into your account. See a device you don't recognize, and immediately "remove / sign out that device" and change your password.
  • Authorized third-party apps. If you've authorized any third-party tool to access your account, check periodically and revoke anything you no longer use or that looks suspect.
  • Be especially careful with API keys. An API key is the credential for programmatic trading, and it carries broad permissions. Beginners basically have no use for it — if you don't need it, don't create it. If you really must, turn off the "withdraw" permission and bind an IP whitelist; a leaked key is the same as handing over your account.
API is the high-risk zone: A lot of accounts get drained not through a leaked password but because someone was tricked into creating an API key with withdrawal permission, or handed an existing API key to a so-called "signal mentor" or "quant bot." Remember: anyone telling you to create an API key, especially asking you to enable withdrawal permission, should be treated as a scammer by default.

6. A few habits that matter more than any setting

Switches are static; habits are what keep you safe. No amount of settings can stop you from opening the door yourself:

  • Only log in through the official entry you saved yourself. Go in from a browser bookmark or the official app — don't click links in emails, texts, or ads.
  • Use a unique, strong password. Don't reuse your exchange password on other sites — that's what guards against credential stuffing: a leak elsewhere taking this account down with it.
  • Codes, passwords, seed phrases — never tell anyone. No legitimate process will ever ask you to read these out to support or anyone else. This one is the bottom line; commit it to memory.
  • For large, long-term holdings, consider self-custody. Keep only what you'll use soon on the exchange; with a self-custody wallet only you hold the private key. For the why and the how, see the piece on whether an exchange might collapse.
About this order: The three settings and few habits above were checked item by item against Binance's official security page, to make sure nothing's missing or wrong. When you actually do it, order matters more than the list: turn on authenticator 2FA first, then set the anti-phishing code and the withdrawal whitelist, and finally clear out login devices and third-party authorizations. The one step most people skip without thinking is that backup key for the authenticator — copy it somewhere offline before you continue, or it's easy to lock yourself out when you change phones. The whole thing takes very little time, and it's worth far more than agonizing over which coin to buy first.
About to open an account? Get the locks and the perk in one go
Enter our invite code BN0128 at sign-up for a discount on trading fees; once you're in, don't rush to buy — set up your 2FA, anti-phishing code, and whitelist first, following this piece. For the full sign-up flow, see the beginner's guide.

* The actual discount is whatever Binance shows on its own page; the perk comes from registering through our invite code. The security settings are something you do yourself inside your Binance account.


7. An account-security checklist

Tick off the items below one by one. If you can do all of them, you've already shut out the vast majority of attacks aimed at beginners:

  • An authenticator app is set as your primary 2FA, with SMS only as backup;
  • The authenticator's backup key is copied offline and stored safely;
  • An anti-phishing code is set, and you check it on every email;
  • The withdrawal address whitelist is on, allowing only whitelisted addresses;
  • Your account password is unique and strong, not reused on other sites;
  • You periodically check login devices and third-party authorizations and clear out anything suspect;
  • You don't create an API without need; if you do, withdrawal permission is off and an IP is bound;
  • You keep in mind: codes, passwords, seed phrases — never to anyone.

None of these needs a technical background; the only hard part is whether you're willing to spend fifteen minutes. Plenty of people know all this and just can't be bothered, until something happens and they regret it. Open your account's security page now and work through this list — it's the highest return-on-effort fifteen minutes in your whole investing journey.

Remember this: security is your floor, and it comes before picking a coin. Use an authenticator app for 2FA rather than SMS alone, set an anti-phishing code to see through fake emails, turn on a withdrawal whitelist to lock out unfamiliar addresses — and hold the line of "codes and seed phrases go to no one." Fifteen minutes to set up, a lifetime of use.
Lin Yue · Bitu editorial
Notes on using exchanges, written for beginners. Lin Yue is a pen name; we don't pretend to be anyone's expert — we just write down the steps and traps we've checked for ourselves, again and again. For anything involving money, go by the official pages and your own verification.