risk-mgmt

First-day security setup: 15-minute hardening

Lock down your account before you fund it — TOTP, scoped API keys, session hygiene

15 min · beginner

What you'll have when finished

  • TOTP 2FA enabled with backup codes safely stored
  • API keys scoped to least privilege (no withdraw scope unless required)
  • API keys set to auto-expire in 90 days
  • Old sessions revoked — only your current device retains access
  • Login-history baseline reviewed so you can spot anomalies later

Before you start

  • Backup codes are the ONLY way to recover access if you lose your TOTP device. Store them offline (password manager or paper) — not in cloud notes or screenshots.
  • API keys with withdraw scope can drain funds. Only enable withdraw scope if you have a specific automated payout flow that requires it.
  • Revoking "all other sessions" will sign you out everywhere except this device. Make sure you can re-login on your other devices before doing it.

Walkthrough

  1. Enable TOTP 2FA

    Go to Settings → Security & Password. Click Enable 2FA, scan the QR code with Google Authenticator / Authy / 1Password, and enter the 6-digit code to confirm.

    Success criteria: TOTP shows "Enabled" in green · Test code accepted on confirmation step · 8 one-time backup codes downloaded

  2. Store backup codes offline

    Save the 8 backup codes in your password manager (1Password, Bitwarden) under a "haythix 2FA backup" entry. Each code works exactly once. If you also want a paper copy, write them on an index card and store it where you keep important documents.

    Success criteria: Codes saved somewhere you can find without internet · Codes are NOT in browser autofill, cloud notes, screenshots, or email

  3. Create API keys with least privilege

    If you plan to run bots, go to Settings → API Keys. Create a key per use case (e.g., "tradingview-webhook", "personal-script"). Grant only the scopes you actually need — read for monitoring, trade for execution. Leave withdraw OFF unless you have a specific reason. Set expiry to 90 days.

    Success criteria: One key per use case, named descriptively · Withdraw scope OFF (unless required for a specific automated payout) · Expiry set to 90 days (you will rotate at expiry) · Secret copied to your bot/script immediately — it cannot be retrieved later

  4. Revoke other sessions

    Go to Settings → Active Sessions. Review every entry. Revoke any sessions you do not recognize. If everything looks like old devices you no longer use, click "Revoke all other sessions" — leaves your current browser/device active.

    Success criteria: Only sessions you actively use remain · Any unfamiliar IP or location revoked immediately

  5. Baseline your login history

    Go to Settings → Login History. Filter by "Last 30 days". Note the cities, countries, and IP prefixes you normally see — this is your baseline. If anything outside that baseline shows up later, treat it as a potential compromise and rotate your password + revoke sessions immediately.

    Success criteria: You can describe your normal login pattern in one sentence · Export current history to CSV as a permanent reference

What's next

Put a recurring calendar reminder for 90 days from today: "Rotate haythix API keys + review login history". Security is not a one-time setup — it is a habit. The 15 minutes you just spent are worth more than every fancy strategy on the platform if your account stays uncompromised.