We would like to emphasize the importance of account security and ask our traders to take these procedures very seriously. As exchange security has significantly increased in the past few years, more hacking attacks now aim to breach security at the account level. By implementing these few simple measures, you will already have done most of the work of keeping your assets safe!
Enabling Two-Factor Authentication (2FA) is a crucial step in securing your account against unauthorized access. By requiring both your password and a second verification method, such as a code from an authentication app, 2FA significantly reduces the risk of account compromise. We strongly recommend activating 2FA to enhance your account’s protection.
It is crucial to use a unique password. If the same password is used for multiple platforms, a breach of just one of them is enough for an attacker to gain access to the others as well. The same applies to email addresses. Moreover, it is advised to use an email address that contains as little personal information as possible, so that hackers have more difficulty guessing possible variations for other platforms.
IP whitelisting allows traders to configure an API key's settings so that the key can be used only from dedicated IP addresses. This provides an additional layer of safety, as access is limited to a trusted selection of IP addresses.
Users can declare an IP whitelist when creating a new API key on Deribit, or head into the API section and select “Change IP whitelist” for a given key. To add or link a new IP, please go to the API page in your account.
Traders can set an activation time for newly added withdrawal addresses. This time period serves as a security buffer in case the account is compromised. The period can be set from a minimum of 0 to a maximum of 60 days. Transfers to the new address will become available only after this period of time has passed. If you decide to reduce the time period, the new settings will come into effect only after the previous amount of time has passed.
Important
Setting the new address activation delay to '0 Days' does not mean withdrawals will be instant. Using a delay of zero is less secure, and so withdrawals may be subject to extra manual checks before they are sent.
We recommend setting a delay of 3 days or more, and adding at least one safe address ahead of time to avoid any unwanted delays. Users are free to add more than one address.
You can set Secondary email confirmation for withdrawals. Once set, all new withdrawal requests to any address will require this secondary email approval. The secondary email for approval cannot be the same as the main account's email or its aliases.
Please consider using Asymmetric API keys. Asymmetric API keys use a pair of cryptographically linked keys: a private key for signature generation and a public key for signature verification. The private-public key pair is generated by the user, while Deribit only requires the public key for signature verification, ensuring the private key remains local and secure. Deribit supports Ed25519 or RSA key pairs.
This approach enhances security by ensuring only the private key holder can create signatures, while external systems can verify them. Additionally, a password can be added to the private key for further protection.
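The key handling described above, as an added example that is not Deribit's code: it generates an Ed25519 pair locally with Node's built-in crypto module, keeps the private key encrypted under a password, and shows that the public key alone is enough to verify a signature. The function names, password and message string are constructed for illustration and do not reproduce Deribit's request-signing format.

```javascript
// Added example (not Deribit's code). Uses only Node's built-in crypto module.
const nodeCrypto = require('crypto');

// Generate the pair locally; the private key PEM is encrypted under the password.
function generateKeyPair(passphrase) {
  return nodeCrypto.generateKeyPairSync('ed25519', {
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

// Key holder: unlock the private key with the password and sign the message.
function signMessage(encryptedPrivatePem, passphrase, message) {
  const key = nodeCrypto.createPrivateKey({ key: encryptedPrivatePem, passphrase });
  // Ed25519 has no separate digest step, so the algorithm argument is null.
  return nodeCrypto.sign(null, Buffer.from(message), key).toString('base64');
}

// Verifier: holds only the public key, which cannot produce signatures.
function verifyMessage(publicPem, message, signatureB64) {
  const sig = Buffer.from(signatureB64, 'base64');
  return nodeCrypto.verify(null, Buffer.from(message), publicPem, sig);
}

// True only if the password decrypts the stored private key.
function canUnlock(encryptedPrivatePem, passphrase) {
  try {
    nodeCrypto.createPrivateKey({ key: encryptedPrivatePem, passphrase });
    return true;
  } catch {
    return false;
  }
}

// Constructed walk-through: the password and message are sample values.
function demo() {
  const password = 'constructed-sample-passphrase';
  const message = 'constructed sample request payload';
  const { publicKey, privateKey } = generateKeyPair(password);
  const signature = signMessage(privateKey, password, message);
  return {
    privateKeyEncrypted: privateKey.includes('ENCRYPTED PRIVATE KEY'),
    validSignature: verifyMessage(publicKey, message, signature),
    tamperedMessage: verifyMessage(publicKey, message + ' altered', signature),
    wrongPassword: canUnlock(privateKey, 'not-the-passphrase'),
  };
}

console.log(demo());
```

Only the `publicKey` PEM would ever be handed to a verifying party; the encrypted private key file and its password stay on the machine that signs.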
These security measures can be easily configured by toggling them on/off in the account settings.
- IP Pinning – if the client’s IP address changes during an already established session, the session is automatically terminated.
Caution
This setting only applies to new sessions. After enabling this setting, it is recommended to re-authenticate the session (log out + log in).
- Safe Session Duration – the time a session remains active in case of no activity. With this setting enabled, the session duration is 1 hour; otherwise it is 1 week.
Please be aware of any suspicious activity in which you are asked to provide any sensitive account information, change account settings, or transfer assets as payment for support. The Deribit team will never reach out to you in such a way, so be careful and attentive to protect yourself from being tricked.
If you receive a message from Deribit support or community managers, please check whether the particular account is listed in a pinned message of the support chat, or whether the particular email address is listed on our support page. If you have received Deribit emails or messages from any other address or account, please delete them immediately and do not click on any links in these messages, as they cannot be trusted.
Tip
See our LinkedIn publication to learn more on social engineering tactics used by hackers and scammers.
Only provide information to genuine Deribit Telegram Community Managers and when in doubt, contact support@deribit.com immediately.
- Verify that your connection is secure (HTTPS) while visiting Deribit.
- Use a strong password and change it regularly.
- Consider using a password manager.
- Verify whether your email address has been leaked in data breaches of other services. If it has, change it.
- Set the new withdrawal address timer to 14 days or more, so that new addresses only become effective after 14 days or more. You can also add safe addresses that can be used quickly in the future.
- Set the API key's wallet scope to read-only, which prevents the API key from initiating withdrawals.
- Don't include "deribit" in an email address created specifically for your Deribit account, as in deribitaccount1@gmail.com.
- Never install your 2FA app on your computer; make sure to use another device.
- Avoid SMS 2FA when possible (remove your phone number from your Google account to prevent SIM swapping).
- Reach out to Deribit Support if you receive a login email confirmation that has not been initiated by you.
Lock your account by using the emergency lock link provided in any authentication email.