Lock down a new OKX account in 15 minutes

Do this before your first deposit, not after. Four settings, roughly fifteen minutes, and the account is meaningfully harder to take over.
Why the order matters
An account with nothing in it is a low-value target. The moment you deposit, that changes — and the interval between "account exists" and "account is properly secured" is exactly when attackers have the most to gain and you have the least protection in place. None of the four steps below take long individually. Doing them in one sitting before your first deposit is the difference between a security routine and a security afterthought you never quite get around to, and it costs you nothing but fifteen minutes you were going to spend on the account anyway.
1. Two-factor authentication — authenticator app, not SMS
Install an authenticator app
Google Authenticator, Microsoft Authenticator, or a similar TOTP app. In OKX's Security settings, find the authenticator option and scan the QR code it shows to link your account.
Why this beats SMS
SMS codes can be intercepted through SIM-swap attacks, where someone convinces your carrier to move your number to their device. An authenticator app generates codes locally on your phone — nothing to intercept over the network. Once it's active, OKX requires a code from it for withdrawals and for changes to your security settings, not just for logging in.
Save the backup codes somewhere offline
Write them down or store them in a password manager, not a screenshot on the same phone that has the authenticator app on it — if you lose that one device, a screenshot living next to the app it's meant to back up doesn't help you. These codes are how you get back in if the phone is lost, stolen, or replaced.
2. Anti-phishing code
Set your own code phrase
In Security settings, set an anti-phishing code — any short phrase you choose. Every genuine email OKX sends you afterward will include it.
Use it to spot fakes
Any email claiming to be from OKX that's missing your code, or shows the wrong one, isn't from OKX. This single check kills most phishing emails instantly, since a scammer copying OKX's template has no way to know your private code.
3. Withdrawal address whitelist
Turn on address whitelisting
This restricts withdrawals to addresses you've pre-approved. Any new address needs to clear a confirmation step before it can receive a withdrawal.
Why it matters even with 2FA on
If your account credentials and 2FA were somehow both compromised, a withdrawal whitelist is the layer that still stops funds from moving to an address you never approved. It's one of the few controls that protects you even after everything else fails.
4. Device and session management
Review logged-in devices periodically
OKX's security settings list devices and sessions with account access. Remove anything you don't recognize, and do a quick check after using a shared or public computer. This list is also useful after you get a new phone or reinstall the app — old sessions on a device you no longer use are worth clearing out rather than leaving active indefinitely.
Recognize phishing domains
Always reach OKX through okx.com typed directly or a bookmarked link — not a link from an email, a DM, or a search ad, which are common vectors for lookalike phishing domains. Lookalike domains often swap a single character or use a different top-level domain, which is easy to miss at a glance. When in doubt, check the URL carefully before entering anything, and never enter your password or a 2FA code on a page you reached by clicking a link rather than navigating there yourself.
A password manager makes all of this easier
None of the four steps above require a password manager, but having one removes most of the friction that causes people to skip security setup in the first place. A password manager generates and stores a unique password for the account, can hold your backup codes in an encrypted note, and often flags a lookalike domain automatically by refusing to autofill on the wrong URL. If you don't already use one, this is a reasonable point to start.