GUIDE 04

OKX account security 5-pack
Set up in 15 minutes · never panic again

CryptoDesk Editorial Team First published April 22, 2026 Verified May 2026 ~3,600 words · 12 min read
TL;DR

Can your OKX account survive a phishing attempt? Not until you've shipped the 5-piece kit: 2FA + anti-phishing code + withdrawal whitelist + API limits + PoR self-verification. The first four take about 15 minutes total and are mandatory. The fifth is a 5-minute check you run once a quarter. With all five in place, you've shut down the vast majority of attack paths that target crypto accounts. Eight common scam scripts at the end.


① 2FA: use Google Authenticator, not SMS

2FA stands for two-factor authentication: the second proof — beyond your password — that it's actually you logging in. This is the single most important defense. Even if an attacker has your password, they can't get in without your second factor.

Three 2FA options compared

Method | Security | Beginner friendliness | Recommendation
Hardware key (YubiKey) | ★★★★★ | ★★☆☆☆ | Large accounts and long-term holdings
Google Authenticator / Authy | ★★★★☆ | ★★★★★ | What everyone should use
SMS code | ★★☆☆☆ | ★★★★★ | Backup only, never primary

SMS 2FA isn't strong enough on its own because of SIM swap attacks — an attacker socially engineers your carrier's support desk into porting your number to their SIM, then receives every SMS code. SIM swap has been responsible for multiple seven-figure crypto losses; the US FCC has formally warned consumers about it.

Install Google Authenticator

Time: 1 minute

Official apps on iOS and Android. Authy, Microsoft Authenticator, or 1Password's built-in OTP also work. Avoid knock-off "2FA" apps from unofficial app stores.

Enable 2FA on OKX

Time: 3 minutes

OKX avatar → Security Center → Google Authenticator → "Enable". The screen shows a QR code plus a 32-character setup key string.


Critical: save the setup key (not just scan the QR)

Time: 1 minute

Almost everyone scans the QR and skips the key. This is the biggest pitfall. If you lose your phone or wipe Authenticator's data, the key string is the only way to re-activate 2FA.

  • Write the 32 characters on paper and photograph it into your encrypted photo vault;
  • Or store it in your password manager — 1Password and Bitwarden both have OTP fields that accept the key directly.

Do not send the key over plaintext email, iCloud Notes, or messaging apps. All of those can be compromised.

Verify and activate

Time: 30 seconds

Scan the OKX QR with Authenticator → the app shows a 6-digit code → paste it back into OKX to finalize.

Keep SMS as a backup

Time: 1 minute

OKX lets you enable Authenticator and SMS at the same time. Make Authenticator the primary and SMS the backup. If you ever lose Authenticator, SMS gets you back in.
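An added illustration of why the setup key matters (example code, not OKX's or Google's): the 6-digit codes are a pure function of the key string and the clock (RFC 6238 TOTP), so the 32-character key alone restores 2FA on a replacement phone, and anyone holding it can generate your codes. The key below is the RFC 6238 test secret in base32, a constructed value, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

def totp_from_setup_key(setup_key: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (SHA-1, 30 s steps): the code an authenticator app shows at unix_time."""
    # Apps accept the key with spaces and in lower case, so normalise before base32-decoding.
    key = setup_key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)                      # restore base32 padding
    secret = base64.b32decode(key)
    counter = unix_time // step                       # 30-second window number
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_code(setup_key: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window` steps either side."""
    return any(totp_from_setup_key(setup_key, unix_time + k * 30) == code
               for k in range(-window, window + 1))

# Constructed setup key: the RFC 6238 test secret in base32 (32 characters), not a real account key.
EXAMPLE_SETUP_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    # Any device holding the same key string produces the same code: that is why the key,
    # and nothing else, restores 2FA after a phone loss, and why it must never be shared.
    print(totp_from_setup_key(EXAMPLE_SETUP_KEY, int(time.time())))
```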

② Anti-phishing code: spot fake emails instantly

The anti-phishing code is a string only you know — e.g. BlueDesk2026. From the moment you set it, every legitimate OKX email includes this string in the footer.

How you use it:

  • Got an "OKX" email? Glance at the footer for your code first;
  • Missing the code → phishing, delete;
  • Code present but wrong characters → more sophisticated phishing, delete immediately.

How to set it

  1. OKX avatar → Security Center → Anti-Phishing Code;
  2. Enter a 6-20 character string. Don't reuse another password, don't use your own name, don't use pure digits.
  3. The next OKX email will already include the new code.

Recommended pattern: color + object + year. For example OrangeDesk2026 or BlueLamp01. Easy to remember, impossible to guess.

③ Withdrawal whitelist: shut the door on "withdraw to a stranger"

The withdrawal whitelist limits withdrawals to addresses you've pre-approved. Even if an attacker has your account, password, and 2FA, they cannot send funds to their own address — only to addresses you've added (i.e. your own wallets).

How to set it

  1. OKX avatar → Security Center → Address Management;
  2. Add the addresses you regularly withdraw to (e.g. your Ledger / Trezor self-custody addresses);
  3. Turn on "Only allow withdrawals to whitelisted addresses".

Key details

  • Adding an address requires 2FA — this is the intentional cooling-off step that prevents an attacker from instantly adding their own address;
  • Newly added addresses have a 24-48 hour activation delay depending on the network, before they can be used for a withdrawal;
  • Double-check the address before saving it — wrong network or wrong address still loses funds.

The most valuable security setting

Pound-for-pound this is the highest-leverage setting on OKX. With the whitelist in place, "account compromise" attacks essentially fail — the attacker cannot withdraw your funds. Don't skip this one, even if it feels tedious.

④ API permission limits: never give more than "Read"

If you don't use third-party trading tools or bots, skip this section: your account has no API keys, so its API attack surface is zero.

If you do use third-party tools (Cointracker for tax accounting, TradingView for charts, a market-making bot), this matters:

Three API permission levels

Permission | What it allows | Where it's appropriate
Read | Read balances and history | Tax / accounting tools (Cointracker, Koinly) → safe
Trade | Place and cancel orders | Trading bots → use with caution
Withdraw | Withdraw to any address | Never give to third-party tools

Recommended setup

  1. Create a separate API key for each third-party tool, never reuse;
  2. Grant only the minimum permission needed — accounting tools get Read only, never Trade or Withdraw;
  3. Enable IP whitelisting so only the tool's server IP can use your key;
  4. Set an API expiration (e.g. 90-day auto-expire) and regenerate on rotation;
  5. When you stop using a tool, delete the corresponding key immediately.

A real cautionary tale

In 2022 a third-party portfolio tracker was breached. Users who had granted the tool an OKX API key with Trade permission saw the attacker place a series of self-adversarial orders that drained their positions. Trade permission for a third-party tool is high risk — most use cases simply don't need it.

⑤ PoR self-verification: run it once a quarter

PoR stands for Proof of Reserves — OKX publishes a monthly Merkle tree of all user balances to prove the exchange controls on-chain assets that cover its liabilities. This became the industry baseline after FTX collapsed in 2022.

But "the snapshot exists" is not the same as "you're in it." If the exchange under-reported your balance, the snapshot math would still check out. That's why every user should run the inclusion check on their own balance at least occasionally.

How to verify

Download your Merkle path

Time: 1 minute

OKX avatar → "Proof of Reserves" → select the latest snapshot → download your individual Merkle proof JSON file.

Verify OKX could actually pay your balance back

Run OKX's open-source verifier locally

Time: 3 minutes

OKX provides an open-source verifier on the PoR page (you can also use independent third-party verifiers — running both gives you stronger assurance). Feed the JSON into the verifier and it outputs either "verified" or "failed."

A failure means your balance isn't included in the snapshot — file a support ticket immediately and stop depositing more.

Repeat every 1-3 months

Time: 5 min per run

No need to do it monthly — a multi-snapshot streak of "verified" results carries more weight than a single check. Quarterly is enough; note the date in your own log.
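An added example of the inclusion check described above (not OKX's verifier and not its proof format): a toy Merkle tree over a constructed five-account snapshot, with a hypothetical leaf encoding of account id and balance. It shows the point made earlier: the published root is internally consistent even when one balance is under-reported, and only the user who recomputes from their true balance gets "failed".

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(account_id: str, balance: str) -> bytes:
    # Hypothetical leaf encoding for this example; the real scheme hashes ids and per-asset balances.
    return h(f"{account_id}:{balance}".encode())

def build_tree(leaves):
    """Levels from leaves to root; an odd level duplicates its last node before pairing."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_proof(levels, index):
    """The 'Merkle path' a user downloads: one sibling hash per level, tagged with its side."""
    proof = []
    for level in levels[:-1]:
        level = level + ([level[-1]] if len(level) % 2 else [])
        sib = index ^ 1
        proof.append({"side": "left" if sib < index else "right", "hash": level[sib].hex()})
        index //= 2
    return proof

def verify_inclusion(root_hex, account_id, balance, proof):
    """What the user runs locally: rebuild the root from THEIR OWN balance plus the path."""
    node = leaf_hash(account_id, balance)
    for step in proof:
        sib = bytes.fromhex(step["hash"])
        node = h(sib + node) if step["side"] == "left" else h(node + sib)
    return node.hex() == root_hex

# Constructed snapshot. The exchange's ledger records carol at 0.500 although she holds 1.000,
# so the published root is internally consistent and the under-report is invisible from outside.
SNAPSHOT = [("alice", "2.000"), ("bob", "0.250"), ("carol", "0.500"), ("dave", "3.100"), ("erin", "0.010")]
LEVELS = build_tree([leaf_hash(a, b) for a, b in SNAPSHOT])
ROOT = LEVELS[-1][0].hex()

def check_user(account_id: str, true_balance: str) -> str:
    """Mirror of the verifier's output: 'verified' or 'failed' for the balance the user believes."""
    proof = merkle_proof(LEVELS, [a for a, _ in SNAPSHOT].index(account_id))
    return "verified" if verify_inclusion(ROOT, account_id, true_balance, proof) else "failed"

if __name__ == "__main__":
    print("alice:", check_user("alice", "2.000"))   # verified
    print("carol:", check_user("carol", "1.000"))   # failed: only carol can detect the under-report
```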

8 common scam scripts

Recognizing these scripts matters more than any technical setting — most losses happen when the account wasn't compromised but the user was tricked.

⚑ "OKX support" DMing you on Telegram / WhatsApp

OKX support never reaches out first via DM. All real support runs through the in-app or website support channel. Anyone claiming to be "OKX support" on Telegram, WhatsApp, or Discord is a scammer.

⚑ "Your account has unusual activity — please verify"

The classic phishing email. Check the anti-phishing code: missing or wrong → 100% phishing.

⚑ "Claim 50 USDT — add support on Telegram"

OKX does run real airdrops occasionally, but never asks you to DM anyone to claim them. Real promotions live inside the OKX app's promotions page.

⚑ "High-rebate program — scan this QR to log in"

Classic phishing site. OKX login only works through www.okx.com. Never scan an "OKX login QR" sent by a stranger — it's likely the attacker's machine showing you the real login page, and scanning it hands them your session.

⚑ "I can help unfreeze your account — just send me your password"

OKX support will never ask for your password, period. Anyone asking is a scammer.

⚑ "Trading signals group — guaranteed wins"

Dozens of group members posting profit screenshots — most are sock puppets. The "instructor" eventually pushes a fake "OKX Pro" app that's actually a phishing app, and the deposit you make disappears.

⚑ "Download OKX Beta for lower fees"

OKX has no "beta" build. All apps come from the App Store, Google Play, or okx.com only. Any sideloaded "OKX beta APK" is malware.

⚑ "Reset your password" emails with plausible-looking links

Hover over the link (don't click) and check the actual destination. The only real OKX domain is okx.com — anything like okx-secure.com / okx-vip.io / 0kx.com is phishing.

Final self-audit checklist

Run through this list. Only when every box is checked is your account "baseline secure":

  • ☐ Password ≥ 16 characters, generated by a password manager, not reused on other sites
  • ☐ Google Authenticator 2FA enabled, setup key backed up offline
  • ☐ SMS 2FA configured as a backup
  • ☐ Anti-phishing code set (not your name, not another password)
  • ☐ Withdrawal whitelist enabled with at least one self-custody address added
  • ☐ No third-party tools — or, if you use them, API keys are Read-only with IP whitelisting
  • ☐ okx.com bookmarked; never reach OKX via a Google search result
  • ☐ You know OKX support only appears inside the app / website and never DMs you
  • ☐ Long-term holdings moved off the exchange into a Ledger / Trezor
  • ☐ PoR self-verification run at least once every 1-3 months

FAQ

Is SMS 2FA safe?

Not enough on its own. SIM swap attacks let an attacker take over your phone number and bypass any SMS-based verification. Use Google Authenticator or a hardware key like a YubiKey for primary 2FA, and keep SMS only as a backup.

What is an anti-phishing code?

A string only you know — e.g. BlueDesk2026. From the moment you set it, every legitimate OKX email includes this string in the footer. Any "OKX" email without the string, or with the wrong string, is phishing.

What is PoR self-verification?

OKX publishes a monthly Merkle tree of all user balances. You can download your specific Merkle path from the PoR page and use the open-source verifier locally to confirm your balance is included in the month's liabilities snapshot. The check takes about 5 minutes; doing it once every few months is plenty.

Should I keep funds on OKX or self-custody?

Rule of thumb: keep the size you actively trade on OKX; move long-term holdings to a self-custody hardware wallet like Ledger or Trezor. Every exchange — OKX included — carries a small but non-zero operational risk. Self-custody eliminates that, but transfers the "lose your keys, lose your funds" risk to you.

How often should I change my password?

You don't need a routine rotation. Password manager + strong password + 2FA already makes brute-force essentially impossible. Change the password if you suspect it has leaked, or if OKX emails you about an "unusual login."

15 minutes to ship the whole kit

Each piece is straightforward. Together they shut down most attacks on the account. Do it today.
