This is an independent third-party information site, not the official OKX website. The registration links here are promotional; enter invite code OK2707 when you sign up to qualify for a fee rebate — at no extra cost to you. See our affiliate disclosure.
Account Security

Do This Right After Signing Up on OKX: 2FA + Anti-Phishing Code (5 min)

✍️ Aboard Editorial 📅 2026-06-02 ⏱ About 8 min 🔬 Includes hands-on testing

Right after you sign up, before any money's in there, security settings are the easiest step to skip — you're thinking "let me just buy some crypto first." But flip it around: the moment there's money in your account, it becomes a target in someone else's eyes. Patch it up after something actually goes wrong, and it's often already too late.

The good news: setting up the two most important defenses on OKX (formerly OKEx — same company) takes about five minutes start to finish — 2FA with Google Authenticator and an anti-phishing code. This guide walks you through both, then has you add a funds password and withdrawal whitelist, and finally teaches you to spot phishing emails at a glance. While the account's still "clean," do it now.

✅ What this guide does for you: Gets Google Authenticator bound in five minutes (with the reminder not to store the backup key only on your phone), sets an anti-phishing code, adds two more locks on withdrawals, and teaches you to tell real official emails from fakes.

01 Why do it the day you sign up

With only a login password, your account has just one door. Passwords leak for all kinds of reasons: you reused the same one elsewhere, your computer caught malware, a phishing site tricked you into typing it. Once it leaks, someone can log straight in and withdraw your crypto.

2FA (two-factor authentication) adds a second door: even if someone gets your password, without the rotating code on your phone that changes every 30 seconds, they can't log in or withdraw. The anti-phishing code solves a different scam — phishing emails dressed up as official ones. Both are set once, useful for the long haul. While the account has no money in it and your head's still clear, now's the time.

02 Turn on 2FA (Google Authenticator)

Google Authenticator is a free app you install on your phone; it keeps generating a 6-digit rotating code. Once bound, logging in and withdrawing requires this code on top of your password. Here's the flow:

Download Google Authenticator

On iPhone, open the App Store; on Android, open your app store. Search for "Google Authenticator" and install it. Other compatible authenticator apps work too, but Google Authenticator is the most universal.

Find "Google Authenticator" inside OKX

Open the OKX app → go to "Security Settings" / "Security Center" → find "Google Authenticator / two-factor verification" → tap to enable. The page shows a QR code and a string of letters and numbers (the key).

Scan to bind with the authenticator

Open Google Authenticator → tap the plus → scan the QR code on the OKX page. An "OKX" entry appears in the authenticator, refreshing a 6-digit code every 30 seconds.

⚠️ Copy down the backup key before you go on

That string of letters and numbers (or the QR code) shown before binding must be written on paper or saved somewhere else safe. It's the only way to restore the authenticator if your phone is lost. Storing it only on the same phone = no backup at all.

Enter the code to finish binding

Type the 6-digit code the authenticator currently shows back into the OKX page and confirm. From then on, every login and withdrawal asks for this code. Bound.

⚠️ Migrate or unbind before changing phones: If you switch phones later, remember to migrate the authenticator over on the old phone first, or unbind it in OKX and re-bind on the new phone. Wiping the old phone without a backup key gets messy.

03 Set an anti-phishing code: leaving fake emails nowhere to hide

The anti-phishing code is a thoughtful OKX feature. You set a string that's easy to remember (a word plus a few digits, say), and once it's set, every official email OKX sends you carries that string you chose, in the subject or body.

So: get an "OKX" email carrying your code → it's probably real; one that doesn't carry your code → you can be almost certain it's phishing, just delete it. Scammers don't know what code you set, so they can't fake it.

Where to set it: OKX app → "Security Settings" → find "Anti-Phishing Code" → enter the string you want → save. After that, keep an eye out: do the official emails you receive all carry it?


04 Two more locks: funds password + withdrawal whitelist

With 2FA and the anti-phishing code done, your account is already much safer. If you want extra peace of mind, add these two — they mainly lock down withdrawals:

💡 Suggested order: If you're short on time, do the must-dos first — 2FA + anti-phishing code; add the funds password and whitelist when you have a moment. Before you deposit or release coins, at the very least 2FA must be on.

05 Spotting phishing at a glance: burn these in

No matter how good your settings are, one careless tap on a phishing link undoes it. Drill these into your head:

📋 Editor's hands-on test · 2026-06-02
We tested turning on 2FA: from opening the authenticator and scanning to entering the 6-digit code and finishing the bind, we clocked about 2 minutes — genuinely painless. We also compared two emails: after setting the anti-phishing code, an official login alert we received had our self-set code in the subject; whereas an earlier fake "account frozen" email had not only a strange-suffix domain but no anti-phishing code anywhere in the body. Side by side, the fake gave itself away instantly. We strongly recommend not skipping the anti-phishing step.

06 FAQ

Google Authenticator or SMS codes — which is safer?
Google Authenticator is safer. SMS can be SIM-swapped or intercepted, while the authenticator's rotating code is generated locally on your phone instead of being sent to you over the network. If you can, use the authenticator as your primary 2FA.
The authenticator code keeps showing as "invalid" — what do I do?
It's usually your phone's clock being off, so the rotating code doesn't line up with the server. Set your phone time to "automatic," or sync the time once in the authenticator's settings.
I lost my phone — how do I recover the OKX bind in my authenticator?
If you saved the backup key from when you bound it, just re-add it in the authenticator on your new phone. If you didn't, you'll have to go through OKX's identity verification / unbinding process, which typically requires account info and security checks — more of a hassle. This is exactly why you copy down the backup key when binding.
Can I change the anti-phishing code?
Yes — change it anytime in Security Settings. If you suspect someone may have seen your code, just set a new one.
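
The 30-second code, the backup key from section 02 and the clock-sync answer above all follow from how time-based codes are computed. The sketch below is an added example, not OKX's or Google's code: it implements the standard TOTP algorithm (RFC 6238) with Google Authenticator's defaults, using a constructed sample key and an assumed server tolerance of one step either side.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each code is valid, as described in this guide
DIGITS = 6

def totp(backup_key: str, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for a base32 backup key at a given time."""
    key = backup_key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)          # authenticator keys omit base32 padding
    secret = base64.b32decode(key)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F            # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def server_accepts(backup_key: str, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the current step or `window` steps either side.
    The window size is an assumption; each service picks its own tolerance."""
    return any(
        hmac.compare_digest(totp(backup_key, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )

# Constructed sample key (the RFC 6238 test secret in base32), not a real account key.
# Anyone who holds this string produces the same codes, which is why the backup key
# restores the authenticator on a new phone and why it must be stored safely.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def demo(server_now: int = 1111111109) -> dict:
    """Show which phone clock errors still produce a code the server accepts."""
    cases = [("clock in sync", 0), ("phone 20 s slow", -20), ("phone 5 min fast", 300)]
    return {
        label: server_accepts(SAMPLE_KEY, totp(SAMPLE_KEY, server_now + drift), server_now)
        for label, drift in cases
    }

if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

A phone whose clock is minutes off computes a code for a different 30-second step, which is the "invalid code" symptom that syncing the time fixes.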


Affiliate disclosure: Aboard is an independent third-party information site with no affiliation to OKX. This article contains promotional links; if you sign up through them and enter the invite code, we may earn a promotional service fee from the platform. That fee is paid by the platform, adds nothing to your cost, and doesn't affect our objectivity. The exact location and naming of security settings are per your OKX app's version at the time.