We greatly appreciate you being a Xapo customer! As you know, our main focus is always on the security of your account. That being said, we no longer consider SMS to be a sufficient method to secure your account. Xapo will be phasing out the use of SMS for second factor authentication (“2FA”) and will now recommend the use of Google Authenticator for 2FA.

Our records indicate that you do not have Google Authenticator installed. We encourage you to install it as soon as possible, as we will disable SMS for second factor authentication for your account on January 15th, 2017. To configure Google Authenticator on your Xapo account you can follow the instructions:

How do I enable second factor authentication?

Since SMS have been found to not be a sufficient method to ensure the security of your account, we recommend our users to enable a second factor authentication (2FA) app that can replace the need for SMS. First, begin by logging into your account at and clicking on the circular avatar in the upper right hand corner to enter into your “Security Settings”.

To enable Google Authenticator or Authy, download and open the application on your iPhone, Android, or Blackberry device, and tap the “+” to add a new second factor code generator. Click “Enable Google Authenticator” from your security settings, and a QR code that can be scanned by the Google Authenticator or Authy app will generate. If you already have the Xapo app, you’ll need to “Unlink Xapo Mobile App” to then see the option to “Enable Google Authenticator”. You’ll be able to login and use the Xapo app again after setting up Google Authenticator or Authy, even after unlinking it!

Scroll down the page until you see the option to “require second-factor for login”. There will be a box next to this option. Click the box and then click “Save Changes” at the bottom of the page.

You have now enabled second factor authentication. Now, whenever you login to your account you will be asked to enter the 6 digit code from your second factor authentication (2FA) app!

Please note that this does not eliminate all SMS notifications from Xapo, just the use of SMS to receive 2FA codes.

If you do not configure Google Authenticator before the use of SMS is disabled on January 15, 2017, you run the risk of not being able to access your account the next time you login nor confirm payments or Vault extractions. If you have any problems accessing your account, please CONTACT THE SUPPORT OF XAPO.

For more context on the weaknesses of SMS for 2FA, we found this article by Laura Shin of Forbes to be helpful.

Lastly, as ever, we strongly encourage you to keep the maximum amount of bitcoin possible in your Xapo Vault. Your Xapo Wallet should hold only bitcoin required for near-term liquidity.

Leave a Reply

Your email address will not be published. Required fields are marked *