This post walks through the general safety features on FTX. It is not an exhaustive list.
Personal Account Security
1.1 Password Strength and 2FA Requirement
a) When you register an account at FTX, we require a password on every account that combines numbers, letters and special characters and contains no predictable patterns. Registration cannot be completed until the password is compliant.
b) We require a mandatory 2FA setup before any created account can transact in any way. You will be prompted to set it up, and you can also find the setting at ftx.com/profile.
[Screenshots: Password Strength, Required 2FA]
1.2 2FA for Withdrawals & Withdrawal Passwords
We firmly believe in protecting all withdrawals. We start at a practical level by allowing users to activate a dual security layer: 2FA and a separate password for all withdrawals. Find both of these settings at ftx.com/profile.
1.3 Withdrawal Lock After 2FA Removal or Password Change
After an account status change such as:
- 2FA Removal
- Password Change
we lock withdrawals on the account for 24 hours.
1.4 Tracking and Notifying Users of Suspicious Activity
When we see an unusual login attempt on an account, even if it is just the 'Username' and 'Password' without the 2FA, we still notify the owner of the account so that they can take the necessary precautions.
Additional Security Features
2.1 Subaccount Login Functions
FTX now allows you to create custom logins! With them, you can allow other people to log into your account with configurable permissions.
Creating a login
Go to your Settings page, scroll down to the Account Security section, and click the 'Logins' tab.
You'll see a form that lets you create a login with permissions. Each login has a name and password, and you can specify the following permissions:
- Subaccount: you can restrict the login's access to only one subaccount, or let it access all accounts.
- Read-Only: read-only logins can't take actions on the site (e.g. cannot trade, withdraw, transfer), but can view and download things like trade history.
- Can Withdraw: whether or not this login is allowed to withdraw on the blockchain, to OTC, or transfer between subaccounts.
The form above is filled out with information that would specify a login called "trading-only" that is allowed to take actions on the site (it isn't read-only) but cannot withdraw.
It also shows an existing login called "read-only-subby" that only allows read-only access to the subaccount named "subby".
Using a login
There are two ways to authenticate with a custom login. (Password requirements still hold.)
1) You can go to the URL next to the login you want to use (you can click the "Copy" button next to it), and the login form at that URL will be pre-populated with a code that corresponds to that login.
2) You can go directly to https://ftx.com/login and enter your account email (used for your main login), the custom login name (like "read-only-subby"), and your password.
When non-read-only logins are created, their 2FA is set to that of the main login. You may change their 2FA using the Login Settings section on the settings page when logged in to them. Read-only logins do not require 2FA.
Only the main login can change withdrawal password settings, change whether withdrawals require 2FA, reset the main login password, and manage other logins.
Custom logins are compatible with FTX OTC. Only those with no subaccount restriction are allowed access to OTC. The other settings (read-only, withdrawal-enabled) also apply when using FTX OTC.
To use them for OTC, first log in to FTX using one of the above methods, then visit https://otc.ftx.com/.
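The permission rules in this section can be read as a default-deny authorization check. The sketch below is an added example, not FTX code: the action names, the `Login` fields and the function names are hypothetical, and only the rules themselves come from the text above.

```python
from dataclasses import dataclass
from typing import Optional

# Action names are hypothetical labels for the actions the article lists.
VIEW = {"view_history", "download_history"}
TRADE = {"trade"}
MOVE_FUNDS = {"withdraw_blockchain", "withdraw_otc", "transfer_subaccount"}
MAIN_ONLY = {"change_withdrawal_password", "change_withdrawal_2fa",
             "reset_main_password", "manage_logins"}

@dataclass(frozen=True)
class Login:
    name: str
    subaccount: Optional[str] = None  # None = no subaccount restriction
    read_only: bool = False
    can_withdraw: bool = False
    is_main: bool = False

def requires_2fa(login):
    # Read-only logins do not require 2FA; every other login does.
    return not login.read_only

def can_use_otc(login):
    # Only logins with no subaccount restriction may access FTX OTC.
    return login.subaccount is None

def is_allowed(login, action, subaccount=None):
    """Check one action; custom logins are denied anything not listed."""
    if login.is_main:
        return True
    if action in MAIN_ONLY:
        return False  # reserved for the main login
    if login.subaccount is not None and subaccount != login.subaccount:
        return False  # outside the one subaccount this login may touch
    if action in VIEW:
        return True
    if login.read_only:
        return False  # read-only logins cannot trade, withdraw or transfer
    if action in TRADE:
        return True
    if action in MOVE_FUNDS:
        return login.can_withdraw
    return False  # unknown actions are denied

# The two logins described in the article.
TRADING_ONLY = Login("trading-only")
READ_ONLY_SUBBY = Login("read-only-subby", subaccount="subby", read_only=True)
```
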
Deleting a login
If you want to delete a permission login, you can click the trash can icon in the Login table on your settings page. Doing so will remove access for anyone currently logged in and using it.
2.2 Whitelisting IPs
When setting up your API keys at ftx.com/profile, we allow you to determine the security permissions:
- Withdrawals enabled
- Internal transfers enabled (between subaccounts)
- IP whitelist (API Key only usable from specified IP)
2.3 Whitelisting Wallet Addresses
Address whitelisting requires that all withdrawals go to predesignated whitelisted addresses.
You can whitelist addresses saved to your main account from the Saved Addresses page. Doing so requires 2FA and withdrawal passwords, if enabled. After submitting an address for whitelisting, you will be notified via email, and the address will be usable after a configurable delay. You can also elect to only allow FTX admins to whitelist addresses for your account (limited to clients in VIP1/MM1 or higher).
Disabling this setting or reducing the whitelisting delay requires contacting an FTX admin.
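The withdrawal controls from sections 1.2, 1.3 and 2.3 combine into a single gate that every withdrawal request has to pass. The sketch below is an added example, not FTX code: the account fields, reason strings, sample addresses, the 48-hour delay value and the order of the checks are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

LOCK_AFTER_CHANGE = timedelta(hours=24)  # section 1.3

def withdrawal_decision(account, address, now, twofa_ok, withdrawal_pw_ok):
    """Return (allowed, reason) for one withdrawal request."""
    # 1.2: dual layer, each factor enforced only if the user enabled it.
    if account["withdrawal_2fa"] and not twofa_ok:
        return False, "2fa_required"
    if account["withdrawal_password"] and not withdrawal_pw_ok:
        return False, "withdrawal_password_required"
    # 1.3: lock for 24 hours after 2FA removal or a password change.
    last_change = account.get("last_security_change")
    if last_change is not None and now - last_change < LOCK_AFTER_CHANGE:
        return False, "locked_after_security_change"
    # 2.3: with whitelisting on, the address must be whitelisted and its
    # configurable delay must have elapsed since submission.
    if account["whitelist_enabled"]:
        submitted = account["whitelist"].get(address)
        if submitted is None:
            return False, "address_not_whitelisted"
        if now - submitted < account["whitelist_delay"]:
            return False, "whitelist_delay_pending"
    return True, "ok"

# Constructed sample account and clock, for illustration only.
NOW = datetime(2021, 6, 1, 12, 0)
ACCOUNT = {
    "withdrawal_2fa": True,
    "withdrawal_password": True,
    "last_security_change": NOW - timedelta(hours=30),
    "whitelist_enabled": True,
    "whitelist_delay": timedelta(hours=48),  # assumed value; the delay is configurable
    "whitelist": {
        "addr-old": NOW - timedelta(days=10),
        "addr-new": NOW - timedelta(hours=2),
    },
}
```
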
[Screenshots: Whitelisting Setting, Whitelisting Configuration]
3.1 Chainalysis & Manual Review
FTX has recently engaged with Chainalysis to monitor suspicious cryptocurrency transaction alerts in the Chainalysis Know Your Transaction (KYT) product, the real-time anti-money laundering (AML) compliance solution for monitoring cryptocurrency transactions. This, paired with a manual review of large or suspicious deposits and withdrawals, provides an extra layer of protection.
3.2 Backstop Liquidity Fund
The FTX Backstop Liquidity Fund, calculated with FTT's price on 5/24/2021, holds approximately $200mm USD.