Key Takeaways

  • Using an RSA key pair when trading via the Binance API keeps your signing key on your own systems: Binance holds only the public key, so nothing stored on the exchange side can be used to forge your requests. With HMAC signing, by contrast, both you and Binance must hold the same secret.

  • Whitelisting IP addresses on your API keys means that any access attempt from an unrecognized IP is automatically blocked.

  • Setting up an anti-phishing code lets you instantly verify whether an email or SMS claiming to be from Binance is legitimate.

  • Enabling two-factor authentication (2FA) via an authenticator app or hardware security key protects your account even if your password is compromised.

  • Combining withdrawal address whitelisting with a strong, unique password and a reliable password manager adds further layers of protection.


Introduction

As digital assets have grown in value and adoption, they have also attracted more sophisticated security threats. Protecting a Binance account requires more than just a strong password. The platform provides a range of built-in security tools that, when used together, substantially reduce your exposure to unauthorized access, API key abuse, and phishing attacks.

This article walks through five specific measures you can take to improve your Binance account security, from API authentication to email verification.

5 Security Measures to Keep Your Binance Account Safe

1. Use an RSA Key Pair for API Trading

If you use the Binance API to trade programmatically, choosing the right signing method is an important security decision. An RSA (Rivest-Shamir-Adleman) key pair consists of two mathematically linked keys: a public key and a private key. You register the public key with Binance, and your system uses the private key to sign each API request. Binance then verifies the signature using your public key. Because only the holder of the private key can produce a valid signature, this method is highly resistant to forgery. For a detailed walkthrough of how this works, see RSA Signatures Explained.

RSA is considered more secure for API signing than HMAC-based authentication, but not because HMAC-SHA256 itself is weak. The difference is where the secret lives. With HMAC, the same secret key is used for both signing and verification, so Binance must store a copy of your secret, and anyone who obtains it on either side can sign requests. With RSA, your private key never needs to leave your system, and the public key Binance stores cannot be used to sign anything. For a broader overview of API key types and their security implications, see API keys and security types.

You can generate an RSA key pair and register it through the API management section of your Binance account settings. Generate the pair on a machine you control (never in a shared online tool), upload only the public key, and keep the private key out of source control and out of chat logs; if it is exposed, delete the API key and generate a new pair.

2. Set Up IP Access Restrictions

Whitelisting IP addresses on your API keys restricts access so that only requests originating from approved IP addresses are accepted. Any API call from an IP address not on your whitelist is automatically blocked, regardless of whether the request is signed correctly.

This is a particularly valuable control for automated trading setups where your API key runs from a fixed server or a known set of machines. Even if your API key credentials were somehow exposed, an attacker operating from a different IP address wouldn't be able to use them.

You can configure IP access restrictions through the API management settings in your Binance account. It's worth applying IP whitelisting to all API keys you create, not just those with withdrawal permissions. If your bot runs from a machine with a changing (dynamic) address, give it a fixed egress IP first, for example a static cloud address or a VPN with a fixed exit; otherwise the whitelist will block your own traffic.

3. Set Up an Anti-Phishing Code

Phishing attacks targeting Binance users often involve fraudulent emails or SMS messages that closely mimic official communications, sometimes including your name and account details. The anti-phishing code is a feature that helps you distinguish real Binance messages from fakes. For background on how phishing attacks work in general, the Academy has a dedicated explainer.

Once enabled, every official email and SMS from Binance will include the unique code you set. If a message doesn't contain your code, or contains a different code, you can treat it as fraudulent regardless of how convincing it looks.

How to set it up

  • Log in to your Binance account and go to Security settings.

  • Select Anti-Phishing Code.

  • Create a unique code using a mix of letters and numbers. Avoid anything obvious like your name, birthdate, or simple sequences.

  • Confirm with your 2FA method.

The code appears immediately in all subsequent official communications from Binance. If you suspect your code has been exposed, you can update it at any time through the same settings page.

4. Enable Strong Two-Factor Authentication

Two-factor authentication adds a required second step beyond your password when logging in or approving sensitive actions. Even if an attacker obtains your password, they still need your second factor to proceed. Not all 2FA methods offer the same level of protection.

An authenticator app such as Google Authenticator or the Binance Authenticator generates time-based one-time codes directly on your device, from a secret shared at setup time and the current clock, without going through your mobile carrier. This makes them immune to SIM-swapping attacks, where scammers convince a carrier to transfer your phone number to a SIM they control, gaining access to your SMS codes. Authenticator apps are the recommended minimum standard for Binance accounts. Note that a code can still be phished: if you type it into a fake login page, the attacker can relay it to the real site within its short validity window, and the setup secret (the QR code or setup key) must be treated as a credential in its own right, because anyone who has it can generate your codes.

SMS-based 2FA

SMS codes are better than no 2FA, but they carry SIM-swap risk. If you're currently using SMS-based 2FA, switching to an authenticator app is a straightforward upgrade worth making.

Hardware security key (YubiKey)

A hardware security key such as a YubiKey is a physical device that must be present to authenticate a login. It plugs into your device via USB or connects via NFC. Security keys use the FIDO2/WebAuthn standard, which binds each login response to the genuine site's origin, so unlike a one-time code it cannot be captured on a phishing page and replayed to the real site, and there is nothing to intercept remotely. Even if an attacker has your username, password, and phone number, they still can't log in without physical access to the key. Register a backup key or a second 2FA method before relying on a single key; losing the only key means going through account recovery. For more guidance on physical security devices, see Ten Tips for Using a Hardware Wallet Securely, which covers related principles for hardware-based protection.

5. Use Withdrawal Whitelisting and a Strong Password

Withdrawal address whitelisting

Withdrawal address whitelisting lets you specify which wallet addresses are permitted to receive funds from your Binance account. Any withdrawal request to an address not on your whitelist is automatically blocked. This means that even in a worst-case scenario where an attacker gains access to your account, they can't send your funds to an address they control if it isn't already whitelisted.

When you add a new address to your whitelist, Binance imposes a 24 to 48 hour waiting period before that address becomes active. This delay gives you time to catch and cancel an unauthorized change before any funds can be moved.
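The waiting period is what makes the whitelist useful against an attacker who already has access, so it is worth seeing the mechanism as a small state machine. The Node.js model below is an added illustration of the behaviour described above, not Binance's implementation; the 24-hour delay, the timestamps and the address strings are assumptions chosen for the demo.

```javascript
// Added example: a time-locked withdrawal address allowlist, modelled on the
// behaviour described in the text. Delay and addresses are assumptions.
const ACTIVATION_DELAY_MS = 24 * 60 * 60 * 1000; // assumed 24 h, lower end of the quoted range

class WithdrawalWhitelist {
  constructor(delayMs = ACTIVATION_DELAY_MS) {
    this.delayMs = delayMs;
    this.entries = new Map(); // address -> { addedAt, activeAt }
  }

  // Adding an address only starts the clock; funds cannot go there yet.
  add(address, nowMs) {
    if (this.entries.has(address)) throw new Error('address already listed');
    const entry = { addedAt: nowMs, activeAt: nowMs + this.delayMs };
    this.entries.set(address, entry);
    return entry.activeAt;
  }

  // The account owner can remove a pending entry at any point during the delay,
  // which is the window for catching an address an attacker slipped in.
  remove(address) {
    return this.entries.delete(address);
  }

  status(address, nowMs) {
    const e = this.entries.get(address);
    if (!e) return 'not_listed';
    return nowMs >= e.activeAt ? 'active' : 'pending';
  }

  // What a periodic review should look at: entries still inside the delay.
  pending(nowMs) {
    return [...this.entries.keys()].filter((a) => this.status(a, nowMs) === 'pending');
  }

  // Withdrawal gate: only fully activated addresses may receive funds.
  authorizeWithdrawal(address, nowMs) {
    const s = this.status(address, nowMs);
    return { allowed: s === 'active', reason: s };
  }
}

// Scenario: owner lists a cold wallet; a day later an attacker with session access
// adds their own address; the owner reviews the pending list and removes it.
function scenario() {
  const wl = new WithdrawalWhitelist();
  const t0 = Date.UTC(2024, 0, 1);
  const hour = 60 * 60 * 1000;

  wl.add('constructed-owner-cold-wallet', t0);
  const ownerEarly = wl.authorizeWithdrawal('constructed-owner-cold-wallet', t0 + hour);
  const ownerLater = wl.authorizeWithdrawal('constructed-owner-cold-wallet', t0 + 24 * hour);

  wl.add('constructed-attacker-address', t0 + 25 * hour);
  const attackerImmediate = wl.authorizeWithdrawal('constructed-attacker-address', t0 + 25 * hour + 1000);
  const flagged = wl.pending(t0 + 26 * hour);
  wl.remove('constructed-attacker-address');
  const attackerAfterCancel = wl.authorizeWithdrawal('constructed-attacker-address', t0 + 72 * hour);

  return { ownerEarly, ownerLater, attackerImmediate, flagged, attackerAfterCancel };
}
```

The point of `scenario()` is the `flagged` list: during the delay the attacker's address is visible as pending and removable, and every withdrawal to it is refused until the clock runs out. The control only works if you actually review pending additions and have alerts for them, which is why the email and SMS notifications (with your anti-phishing code) matter here.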

Password hygiene

  • Use a unique password: Your Binance password should not be used on any other service. Reusing passwords means a breach on one platform can compromise all others where you use the same credentials.

  • Make it long and random: Combine uppercase and lowercase letters, numbers, and special characters, and aim for at least 12 characters; length does more for you than variety, so longer is better.

  • Use a password manager: A reputable password manager generates and stores strong, unique passwords so you don't have to remember them. It also makes it easy to use a different password everywhere.

  • Don't share it: No legitimate Binance support representative will ever ask for your password. Treat any request for it as a red flag.

  • Change it when compromised: Current security guidance recommends changing your password when you have reason to believe it may have been exposed, rather than on a fixed schedule. Routine, predictable changes (such as monthly rotations) often lead to minor incremental modifications that offer little real security benefit.

FAQ

What is the difference between RSA and HMAC for Binance API keys?

Both RSA and HMAC are methods for signing API requests to prove they came from you. With HMAC, the same secret key is used to sign and verify, so Binance must hold a copy of your secret, and anyone who obtains that copy on either side can sign requests in your name. With RSA, you keep the private key entirely to yourself and only share the public key with Binance, which can verify signatures but not create them. RSA is generally considered more secure because your signing key never has to leave your own systems.

Where can I find the IP whitelist setting in my Binance account?

IP whitelisting for API keys is found under API Management in your Binance account settings. You can add approved IP addresses when creating or editing an API key. Note that this applies per API key, so it's worth setting it on every key you use, not just high-permission ones.

Does the anti-phishing code appear in every message from Binance?

Once enabled, your anti-phishing code should appear in all official emails and SMS messages from Binance. If you receive a message that claims to be from Binance but doesn't include your code, or includes the wrong code, treat it as a phishing attempt and don't click any links or provide any information.

Is a YubiKey better than an authenticator app for Binance 2FA?

A hardware security key like a YubiKey is generally considered more secure than an authenticator app because it requires physical presence and its login response is bound to the genuine site, so it can't be phished or relayed the way a one-time code can. However, authenticator apps are a major improvement over SMS-based 2FA and are a practical, widely available option. The best choice depends on your threat model and how you access your account. Both are significantly better than SMS-based 2FA.

What happens if I try to withdraw to an address not on my whitelist?

The withdrawal will be automatically blocked. To send funds to a new address, you'll need to add it to your whitelist first, which triggers a 24 to 48 hour security delay before the address becomes active. This delay is intentional: it gives you time to review and cancel the change if it wasn't made by you.

Closing Thoughts

The five measures covered here (RSA API signing, IP access restrictions, the anti-phishing code, strong 2FA, and withdrawal whitelisting combined with solid password practice) work best when used together. Each one closes a different attack vector: API credential theft, unauthorized remote access, phishing, account takeover, and unauthorized withdrawals. For a broader foundation of digital security habits, see General Security Principles.

As threats evolve, it's worth revisiting your security settings periodically to make sure everything is still configured as intended and that you haven't left any older, weaker settings in place.


Disclaimer: This content is presented to you on an "as is" basis for general information and or educational purposes only, without representation or warranty of any kind. It should not be construed as financial, legal or other professional advice, nor is it intended to recommend the purchase of any specific product or service. You should seek your own advice from appropriate professional advisors. Where the content is contributed by a third party contributor, please note that those views expressed belong to the third party contributor, and do not necessarily reflect those of Binance Academy. Digital asset prices can be volatile. The value of your investment may go down or up and you may not get back the amount invested. You are solely responsible for your investment decisions and Binance Academy is not liable for any losses you may incur. For more information, see our Terms of Use, Risk Warning and Binance Academy Terms.