Setting up Two-Factor Authentication for Using Exchanges Anonymously

Introduction

At forkdrop.io we track, to our knowledge, which exchanges require providing your identity for KYC compliance. However, a subset of these exchanges require Google Authenticator 2FA and/or SMS-based 2FA. This requires tying the account to a mobile phone and/or Google account which can leak your identity.

We don't advocate violating the laws of your local jurisdiction. However in many jurisdictions, it is not a requirement to give up your identity in obtaining an Android-based mobile phone or a SIM card to connect to the mobile provider's network. Also, low-end Android phones are relatively cheap, so getting such a device and inexpensive mobile connection may not cost too much. This guide will give you some pointers on how to go about setting this up.

These steps may not be applicable in your jurisdiction, but hopefully it can still be used as template and you can adapt it as you need. If you have any additional comments or insights that are applicable to your juristiction that you wish to share, you can email us at forkdrop@protonmail.com, PGP fingerprint: 6FCD1897

This assumes you have or are also getting a non-identity requiring email such as a Protonmail email account (this is the best option we know of right now).

Goal

The goal of this process is to get you:

1) an Android phone
2) a Protonmail account
3) a Google account

You will get all three without providing and ID. This will allow you to register for accounts and use Google Authenticator.

Chicken-and-egg Problem (and Solution!)

We need to bootstrap a brand new (non-)identity. However, signing up to these type of services usually require reference to an existing account, which we don't have yet. To make a Protonmail account you need the ability to receive a SMS message on a phone or an existing email addresses. To get a phone activated, you likely need an email to register the account. To get a Gmail address, you need a Google account, which requires another email or ability to receive a SMS message. This is tricky. You could borrow one of these from someone else, but then your cryptocurrency activity can be potentially traced back to them and they will probably remember who they loaned their stuff to.

There might be other ways to navigate this conudrum however it is suggested that easiest way past this is to focus on getting the phone activated without an email address. Once you have that, you can sign up for a Protonmail email account. Once you have that, you can create a Google login and get a Gmail address and Google app store account.

Buying a Phone

You will need to research what your local options are for getting pay-as-you go phones. For example, leading chains of convenience stores and gas stations that operate in most countries sell low-end phones, SIM cards and pay-as-you go credits. There will likely be several options in your area. It is also helpful to research what the activation process is for these SIM cards. This will help prevent you from buying something that you can't activate without giving ID.

You will need a smartphone to run Google Authenticator, but a low-end one should be fine. For flexibility changing providers going forward do make sure to get an unlocked phone that is not exclusively tied to a particular mobile provider. Another (unrelated-to-using-exchanges) feature to consider when deciding on the phone is using this phone to use applications such as WhatsApp and Telegram to communicate anonymously. For that, a phone with mid-range build quality and system specs might be worthwhile considering. Also, getting a removable battery to help ensure it is fully powered off when you want that is a good security feature.

It is important to pay for the phone with cash. Otherwise, it is possible to trace the device back to your banking payment details. Also, buy the SIM card and pay-as-you-go credits with cash. If you are unable to do so at the particular store, this might hint you about the interest this phone vendor and carrier has in tracking your identity. Do get a receipt such that you have the option of returning the device in the case you have trouble activating it

Activating the Phone

For activating the SIM, card it may be possible to do so by calling a listed activation number toll-free according to the instructions. Just getting it activated may allow you to receive SMS messages for creating a Protonmail account. If the pay-as-you-go plan advertises free incoming SMS, this is likely the case. You should not use a phone line that is tied to your identity to place the call to perform the activation. It is best to use a borrowed phone in a public place to activate the number. It is suggested that you visit a place like library or an unemployment center where it would not be unusual to ask to borrow a landline phone for a few minutes. Holding a disassembled cell phone and box of accessories and telling the truth about wanting to activate it may help to get permission to get access if it is required.

In order to activate, you may have to provide a mailing address - so have a valid one ready ahead of time. If you are asked for an email, it might be good to have a Dropmail address ready ahead of time or have a excuse as to why you don't have access to one. "I've just gotten out of a stay in an institution" is one excuse, "I've lost everything due to a misfortune" is another. This is plausible given that you are in the process of activating a phone.

If you must create an online account before activating, this is possible too, but a little more tricky. You can us a service like Dropmail to create a temporary email to sign up to the carrier with. However, you must plan ahead to be able to leave the browser connected and open for the duration of the process until you are able to set up a Protonmail account and transfer the mobile provider's listed email address over.

When creating and using the mobile carrier's login account, don't do so from an IP address of an internet connection that is billed to you. Using Tor Browser, a VPN or public WiFi access point is advisable.

Getting a Protonmail Account

Once you have the ability to receive SMS messages, the next thing you should do is register a Protomail email account (or equivalent non-identity-gathering email account). There are pros and cons to using an email username that sounds like a real name instead of something ambiguous. For example, if you are using john.smith@protonmail.com, and get your crypto trading exchange account frozen and asked to provide KYC and your real identity is not John Smith - that might raise further suspicion should you choose to de-anonymize yourself in order to try to recover the value associated with the account.

Getting a Gmail Account

In order to install Google Authenticator on your Android phone, you will need a Google login. It can be associated with your phone number and Protonmail account when you register. It is suggested that you do not use this Gmail email address when registering for cryptocurrency trading accounts. This will allow you to create additional protonmail accounts for that purpose if necessary, leaving the Gmail account to remain associated with the physical device and only used for the purposes of using and installing apps on that physical device.

Using The Device

Getting mobile data access on a pay-as-you-go basis is usually expensive. It may be tempting to connect this phone to WiFi in order to avoid excessive data charges. If you do so, this phone may be correlated with your local IP address. One way around this is to use a WiFi access point that routes through a VPN for upstream traffic.

Also, note that the phone's GPS location can be monitored by Google and the mobile carrier. There are no great ways around this. However, you can disable location services on the phone to minimized this vector of information leakage. You can also power off the device and remove the battery when it is not in use if the phone allows this.