# Withdrawal Protection

{% hint style="info" %}
Operator and jurisdiction: BASIS is operated by BASIS DIGITAL INFRASTRUCTURE LTD, a Seychelles IBC (LEI: [254900IX2F2KCWNSSS64](https://lei.bloomberg.com/leis/view/254900IX2F2KCWNSSS64)).
{% endhint %}

## Overview

Withdrawal Protection adds an email verification step to secure withdrawal-related actions on your BASIS account. When enabled, a 6-digit verification code sent to your registered email address is required to complete the following actions:

* Enabling Withdrawal Protection
* Disabling Withdrawal Protection
* Initiating a withdrawal request

The verification code is valid for 10 minutes. Protected actions are only completed after successful email verification. Withdrawal Protection is strongly recommended for every account with withdrawal privileges.

{% hint style="warning" %}
Withdrawal Protection materially improves resistance to unauthorized withdrawals, but its effectiveness depends on the security of the registered email account. If the mailbox is compromised, the protection boundary is weakened.
{% endhint %}

## Feature Definition

Withdrawal Protection applies a 6-digit email verification requirement to the following actions:

| Protected Action                   | Control Applied                                                                                                                                                | Outcome                                                                                      |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
| Enable Withdrawal Protection       | A 6-digit verification code is sent to the registered email address                                                                                            | The feature is enabled only after successful code verification                               |
| Disable Withdrawal Protection      | A 6-digit verification code is sent to the registered email address                                                                                            | The feature remains enabled until successful code verification                               |
| Initiation of a withdrawal request | A 6-digit verification code is sent to the registered email address at the very first step of the withdrawal flow, before any withdrawal details are confirmed | The withdrawal process can only proceed after successful code verification at the first step |

**Key control behavior**

* The protected action is not completed at the moment the user clicks the initial confirmation button
* BASIS holds the action in a pending verification state until a valid code is entered
* If verification fails, expires, or is abandoned, the protected action is not completed

## Activation Policy

To enable Withdrawal Protection, BASIS follows the process below:

1. The user navigates to **Security Settings** within the BASIS account.
2. The user selects the option to enable **Withdrawal Protection**.
3. BASIS generates and sends a 6-digit verification code to the account's registered email address.
4. The current feature state remains unchanged while verification is pending.
5. The user retrieves the code from the registered email account and enters it into the BASIS verification interface.
6. BASIS validates the code for correctness and validity period.
7. If the code is valid, Withdrawal Protection is activated and the status is updated to **Enabled**.
8. If the code is invalid or expired, activation does not complete and the feature remains in its prior state.
9. If needed, the user must request a new code and repeat the verification step.

## Deactivation Policy

To disable Withdrawal Protection, BASIS follows the process below:

1. The user navigates to **Security Settings** within the BASIS account.
2. The user selects the option to disable **Withdrawal Protection**.
3. BASIS generates and sends a 6-digit verification code to the account's registered email address.
4. The current feature state remains unchanged while verification is pending.
5. The user retrieves the code from the registered email account and enters it into the BASIS verification interface.
6. BASIS validates the code for correctness and validity period.
7. If the code is valid, Withdrawal Protection is deactivated and the status is updated to **Disabled**.
8. If the code is invalid or expired, deactivation does not complete and the feature remains in its prior state.
9. If needed, the user must request a new code and repeat the verification step.

## Withdrawal Authentication Flow

When Withdrawal Protection is enabled, email verification is required before withdrawal details can be submitted. The verification step appears immediately when the user initiates a withdrawal.

1. The user selects **Withdraw** for the relevant asset.
2. BASIS immediately presents a **Verification Required** modal before any withdrawal details are entered.
3. BASIS sends a 6-digit verification code to the registered email address associated with the account.
4. The user retrieves the code from their registered email and enters it into the verification prompt.
5. The user clicks **Verify & Continue**.
6. BASIS validates the code for correctness and validity period.
7. If the code is valid, the user proceeds to the withdrawal detail entry screen.
8. For non-BTC assets (ETH, SOL, PAXG), the user connects a Web3 wallet to provide the destination address and complete the withdrawal.
9. For BTC, no wallet connection is required. The user enters the destination address directly and submits the withdrawal.
10. If the code is invalid or expired, the withdrawal flow does not proceed.
11. If the code expires, the user must request a new code and repeat the verification step.

{% hint style="info" %}
The email verification modal appears before withdrawal details are entered. For non-BTC assets, wallet connection occurs after successful verification, not before.
{% endhint %}

## Verification Code Specifications

| Parameter                   | Specification                                       | Control Note                                                                  |
| --------------------------- | --------------------------------------------------- | ----------------------------------------------------------------------------- |
| Code format                 | 6 digits                                            | Numeric only                                                                  |
| Delivery channel            | Registered email address                            | Sent only after a protected action is initiated                               |
| Validity period             | 10 minutes from issuance                            | Expired codes cannot authorize the action                                     |
| Reissue requirement         | New code required after expiry                      | The prior code cannot be reused after expiration                              |
| Maximum attempts            | 3 attempts per code                                 | The code is invalidated after 3 failed attempts; a new code must be requested |
| Protected actions           | Activation, deactivation, and withdrawal initiation | Applies only to supported protected workflows                                 |
| Confidentiality requirement | Must not be shared with any third party             | Treat the code as a confidential authorization factor                         |
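
The following sketch shows how the parameters in the table above combine with the pending-verification behavior into a single server-side check. It is an added example, not BASIS code. The names `PendingAction`, `issue`, and `verify`, the salted-hash storage, and the single-use rule after success are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60  # "10 minutes from issuance"
MAX_ATTEMPTS = 3            # "3 attempts per code"


def _digest(code: str, salt: bytes) -> bytes:
    # Assumption: only a salted hash of the code is stored, never the code.
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class PendingAction:
    action: str            # e.g. "withdrawal_initiation" (constructed label)
    issued_at: float
    salt: bytes
    code_hash: bytes
    failed: int = 0
    state: str = "pending"  # pending | completed | expired | invalidated


def issue(action, now=None):
    """Hold the action as pending; return it with the code to e-mail."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
    salt = secrets.token_bytes(16)
    return PendingAction(action, now, salt, _digest(code, salt)), code


def verify(pending, submitted, now=None):
    """Return True only when this call authorizes the pending action."""
    now = time.time() if now is None else now
    if pending.state != "pending":
        return False  # completed, expired, or invalidated codes stay dead
    if now - pending.issued_at > CODE_TTL_SECONDS:
        pending.state = "expired"
        return False
    if hmac.compare_digest(_digest(submitted, pending.salt), pending.code_hash):
        pending.state = "completed"  # assumption: a code is single-use
        return True
    pending.failed += 1
    if pending.failed >= MAX_ATTEMPTS:
        pending.state = "invalidated"  # a new code must be requested
    return False
```

With a 3-attempt cap on a 6-digit code, blind guessing succeeds with probability of at most 3 in 1,000,000 per issued code, so limiting how often new codes can be requested matters as much as the attempt cap itself.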

## How Withdrawal Protection Defends You

Withdrawal Protection is designed to reduce the probability that a single point of failure can lead to unauthorized asset movement. It is particularly effective against common account takeover and operational abuse scenarios.

### Session hijacking

If an attacker obtains access to an active BASIS session through a stolen browser cookie, compromised workstation, or unattended terminal, the attacker may appear authenticated within the platform. Withdrawal Protection adds a separate verification requirement through the registered email account before withdrawal submission or feature state changes can be completed. This reduces the likelihood that session access alone is sufficient to authorize asset movement.

### Phishing

In phishing scenarios, a user may be tricked into disclosing account credentials or interacting with a fraudulent login page. Even if credentials are exposed, Withdrawal Protection creates an additional barrier by requiring access to the registered email account to complete the protected action. This does not eliminate phishing risk, but it narrows the attacker's path to successful withdrawal execution.

### Credential theft

Credentials can be compromised through password reuse, malware, endpoint compromise, or exposure in third-party breaches. Withdrawal Protection helps contain the impact of stolen credentials by introducing a second approval step that is separate from the login secret used to access the BASIS account.

### Unauthorized access

Unauthorized access can arise from shared devices, weak operational controls, or misuse of delegated account access. Withdrawal Protection requires explicit verification through the registered email account before high-risk actions are completed, which helps reduce the risk of accidental or malicious withdrawal submission by an unauthorized party.

{% hint style="warning" %}
Withdrawal Protection is a compensating control, not a substitute for secure email operations, endpoint hardening, credential hygiene, and internal approval processes. Institutions should treat the registered email account as part of the custody control perimeter.
{% endhint %}

## Security Best Practices

### Secure the registered email account

* Use a unique, high-entropy password for the registered email account
* Store credentials in an approved password manager rather than in browsers or unsecured notes
* Enable multi-factor authentication on the email account, preferably with phishing-resistant methods where available
* Review mailbox forwarding rules, recovery addresses, delegated access, and sign-in history on a regular basis
* Remove obsolete recovery methods and revoke access for former personnel or unused devices
* For institutional deployments, use a controlled corporate mailbox with clear ownership, access logging, and monitored security alerts

### Secure access to BASIS

* Enable all available BASIS security controls that are applicable to your account model
* Access BASIS only from trusted devices that are patched, encrypted, and protected by endpoint security controls
* Avoid shared browsers, unmanaged devices, and public networks for withdrawal-related activity
* Verify that you are using the correct BASIS domain before signing in or entering verification codes
* Maintain strict internal approval procedures for wallet changes and withdrawal execution

### Verify every withdrawal deliberately

* Review the destination address, network, asset, amount, and beneficiary context before entering a verification code
* Confirm that the withdrawal matches internal authorization records and treasury instructions
* Do not rely on email links alone to access the platform. Prefer direct navigation through a trusted bookmark or approved internal access path

### If you receive an unexpected verification code

* Do not share the code
* Do not enter the code anywhere unless you personally initiated the protected action
* Log in to BASIS through a trusted path and review recent account activity
* Review the security of the registered email account immediately
* Change account credentials and rotate email credentials if compromise is suspected
* Escalate the event through your internal security process and contact BASIS support if unauthorized activity is suspected

{% hint style="danger" %}
An unexpected withdrawal verification email should be treated as a potential security event. If you did not initiate the action, assume that account credentials, an authenticated session, or the registered email account may have been targeted until proven otherwise.
{% endhint %}

## User Responsibilities

Users are responsible for the secure operation of Withdrawal Protection and for protecting the channels on which it depends.

1. You must maintain secure and exclusive control over the registered email account.
2. You must not disclose verification codes to any third party under any circumstance.
3. You must verify the legitimacy of each protected action before entering a code.
4. You must investigate unexpected verification emails immediately.
5. You must keep the registered email address current, accessible, and protected by appropriate security controls.
6. You must ensure that personnel with withdrawal authority understand that a verification code is an authorization factor and must be handled as confidential security data.
7. You must follow your internal incident response process if you suspect phishing, credential compromise, mailbox compromise, or unauthorized access.

{% hint style="warning" %}
Successful entry of a valid verification code is treated as authorization for the pending protected action. Failure to secure the registered email account can materially reduce the effectiveness of this control.
{% endhint %}

## UI Reference

| Feature Name          | Description                                                                                                          | Status Values     |
| --------------------- | -------------------------------------------------------------------------------------------------------------------- | ----------------- |
| Withdrawal Protection | Applies email verification to enabling the feature, disabling the feature, and the initiation of withdrawal requests | Enabled, Disabled |

**UI behavior note**

* During activation or deactivation, the displayed status does not change until the verification code is successfully validated
* During withdrawal initiation, the withdrawal flow cannot proceed until the verification step is completed successfully

