Help CenterGetting Started
Getting Started5 min read

Security Basics

Essential security practices every XamanProtocol user should follow to protect their account.

Why Account Security Matters

XamanProtocol holds your crypto assets on your behalf. If someone gains unauthorized access to your account, they could request withdrawals, change account settings, or compromise your funds. Strong security practices are your first and most important defence.

Use a Strong, Unique Password

Your password should be:

  • At least 12 characters long
  • A mix of uppercase, lowercase, numbers, and symbols
  • Not used on any other website or service
  • Not based on personal information (name, birthday, etc.)

Use a password manager (Bitwarden, 1Password, or similar) to generate and store a strong unique password.

Enable Two-Factor Authentication

2FA adds a second layer of protection beyond your password. Even if someone obtains your password, they cannot log in without your 2FA device. Enable it at Dashboard → Settings → Security. We strongly recommend using an authenticator app (Google Authenticator, Authy) rather than SMS-based 2FA.

Recognize Phishing Attempts

Phishing is when attackers impersonate XamanProtocol to steal your credentials. Always:

  • Check the URL is exactly xamanprotocol.com or your platform domain
  • Never click links in unsolicited emails claiming to be from XamanProtocol
  • XamanProtocol will NEVER ask for your password, 2FA code, or private keys via email or support chat
  • When in doubt, open the platform by typing the URL directly in your browser

Secure Your Email Account

Your email account is the recovery key for your XamanProtocol account. If someone accesses your email, they may be able to reset your password. Secure your email with a strong password and 2FA as well.

Frequently Asked Questions

Does XamanProtocol ever ask for my password?+
No. XamanProtocol support will never ask for your password, 2FA code, seed phrases, or private keys. Any request for these is a scam.
What should I do if I think my account has been compromised?+
Immediately change your password, revoke all active sessions in Settings → Security, and contact support via official channels. Do not delay.
Is SMS-based 2FA safe?+
SMS 2FA is better than no 2FA, but is vulnerable to SIM-swap attacks. We recommend using an authenticator app instead for stronger protection.
Can I see which devices have logged into my account?+
Active sessions are visible in Settings → Security. If you see an unrecognized session, revoke it immediately and change your password.

More in Getting Started

Didn't find what you were looking for?