Withdrawal Protection
This page explains how BASIS uses email-based verification to protect withdrawal-sensitive actions and reduce the risk of unauthorized asset movement.
Overview
Withdrawal Protection is a security control within BASIS designed to strengthen asset protection for high-risk account actions. It is built on zero-trust architecture principles and applies a defense-in-depth model to withdrawal workflows by requiring a separate email-based verification step before sensitive actions are completed. When enabled, BASIS does not rely solely on an authenticated session or account password to authorize changes that can affect asset custody. Instead, the platform requires confirmation through the registered email address before enabling or disabling the feature and before the final submission of a withdrawal request. This control is optional, but it is strongly recommended for every account with withdrawal privileges, especially accounts operating under institutional treasury, trading, or delegated access models.
Withdrawal Protection materially improves resistance to unauthorized withdrawals, but its effectiveness depends on the security of the registered email account. If the mailbox is compromised, the protection boundary is weakened.
Feature Definition
Withdrawal Protection applies a 6-digit email verification requirement to the following actions:
Enable Withdrawal Protection: a 6-digit verification code is sent to the registered email address. The feature is enabled only after successful code verification.
Disable Withdrawal Protection: a 6-digit verification code is sent to the registered email address. The feature remains enabled until successful code verification.
Final submission of a withdrawal request: a 6-digit verification code is sent to the registered email address when the user confirms the withdrawal. The withdrawal request is submitted only after successful code verification.
Key control behavior
The protected action is not completed at the moment the user clicks the initial confirmation button
BASIS holds the action in a pending verification state until a valid code is entered
If verification fails, expires, or is abandoned, the protected action is not completed
Activation Policy
To enable Withdrawal Protection, BASIS follows the process below:
The user navigates to Security Settings within the BASIS account.
The user selects the option to enable Withdrawal Protection.
BASIS generates and sends a 6-digit verification code to the account's registered email address.
The current feature state remains unchanged while verification is pending.
The user retrieves the code from the registered email account and enters it into the BASIS verification interface.
BASIS validates the code for correctness and validity period.
If the code is valid, Withdrawal Protection is activated and the status is updated to Enabled.
If the code is invalid or expired, activation does not complete and the feature remains in its prior state.
If needed, the user must request a new code and repeat the verification step.
Deactivation Policy
To disable Withdrawal Protection, BASIS follows the process below:
The user navigates to Security Settings within the BASIS account.
The user selects the option to disable Withdrawal Protection.
BASIS generates and sends a 6-digit verification code to the account's registered email address.
The current feature state remains unchanged while verification is pending.
The user retrieves the code from the registered email account and enters it into the BASIS verification interface.
BASIS validates the code for correctness and validity period.
If the code is valid, Withdrawal Protection is deactivated and the status is updated to Disabled.
If the code is invalid or expired, deactivation does not complete and the feature remains in its prior state.
If needed, the user must request a new code and repeat the verification step.
Withdrawal Authentication Flow
When Withdrawal Protection is enabled, the final submission of a withdrawal request requires an additional verification step. The withdrawal flow operates as follows:
The user enters the withdrawal details, including asset, amount, destination address, network, and any required transfer metadata.
The user reviews the withdrawal details and selects Confirm Withdrawal.
BASIS checks the account security configuration and detects that Withdrawal Protection is Enabled.
Instead of immediately submitting the withdrawal for processing, BASIS pauses the workflow and presents an email verification step.
BASIS sends a 6-digit verification code to the registered email address associated with the account.
The user accesses the registered email account through a trusted channel and retrieves the code.
The user enters the code into the verification prompt within the BASIS withdrawal interface.
BASIS validates the code against the pending withdrawal action and checks that the code is still within its validity window.
If the code is valid, BASIS submits the withdrawal request for normal downstream processing.
If the code is invalid, expired, or not entered, the withdrawal request is not submitted.
If the code expires, the user must request a new code and complete verification before the withdrawal can proceed.
Withdrawal Protection applies to the final authorization step for a withdrawal. Entering withdrawal details alone does not cause the request to be submitted while the feature is active.
Verification Code Specifications
Code format: 6 digits. Numeric only.
Delivery channel: Registered email address. Sent only after a protected action is initiated.
Validity period: 10 minutes from issuance. Expired codes cannot authorize the action.
Reissue requirement: New code required after expiry. The prior code cannot be reused after expiration.
Protected actions: Activation, deactivation, and final withdrawal submission. Applies only to supported protected workflows.
Confidentiality requirement: Must not be shared with any third party. Treat the code as a confidential authorization factor.
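The pending-verification behavior and code specifications above can be modeled as a small server-side state machine. This is an added example, not BASIS code: the `PendingActions` class, its method names, the in-memory store, and the `MAX_ATTEMPTS` cap are assumptions (the page states no attempt limit, but a 6-digit code needs one to resist guessing).

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # from the page: valid 10 minutes from issuance
MAX_ATTEMPTS = 5            # assumption: the page states no attempt limit


class PendingActions:
    """Protected actions held in a pending state until the emailed code is verified."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # action_id -> record

    @staticmethod
    def _digest(action_id, code):
        # Store only a digest, salted with the action id, never the raw code.
        return hashlib.sha256(f"{action_id}:{code}".encode()).digest()

    def initiate(self, kind, details):
        """Record the action as pending; return (action_id, code to email)."""
        action_id = secrets.token_hex(16)
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits, numeric only, CSPRNG
        self._pending[action_id] = {
            "kind": kind,
            "details": dict(details),  # frozen at issuance; this is what gets submitted
            "digest": self._digest(action_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return action_id, code

    def verify(self, action_id, code):
        """Return (completed, reason, details); details are set only on success."""
        rec = self._pending.get(action_id)
        if rec is None:
            return False, "no_pending_action", None
        if self._clock() >= rec["expires"]:
            del self._pending[action_id]  # an expired code can never authorize
            return False, "expired", None
        rec["attempts"] += 1
        if hmac.compare_digest(self._digest(action_id, code), rec["digest"]):
            del self._pending[action_id]  # single use
            return True, "ok", rec["details"]
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[action_id]  # force a fresh code and a new email
            return False, "too_many_attempts", None
        return False, "invalid", None
```

Because the withdrawal details are stored when the code is issued and returned only on success, the request that reaches downstream processing is the one the user reviewed, not one resubmitted alongside the code.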
How Withdrawal Protection Defends You
Withdrawal Protection is designed to reduce the probability that a single point of failure can lead to unauthorized asset movement. It is particularly effective against common account takeover and operational abuse scenarios.
Session hijacking
If an attacker obtains access to an active BASIS session through a stolen browser cookie, compromised workstation, or unattended terminal, the attacker may appear authenticated within the platform. Withdrawal Protection adds a separate verification requirement through the registered email account before withdrawal submission or feature state changes can be completed. This reduces the likelihood that session access alone is sufficient to authorize asset movement.
Phishing
In phishing scenarios, a user may be tricked into disclosing account credentials or interacting with a fraudulent login page. Even if credentials are exposed, Withdrawal Protection creates an additional barrier by requiring access to the registered email account to complete the protected action. This does not eliminate phishing risk, but it narrows the attacker's path to successful withdrawal execution.
Credential theft
Credentials can be compromised through password reuse, malware, endpoint compromise, or exposure in third-party breaches. Withdrawal Protection helps contain the impact of stolen credentials by introducing a second approval step that is separate from the login secret used to access the BASIS account.
Unauthorized access
Unauthorized access can arise from shared devices, weak operational controls, or misuse of delegated account access. Withdrawal Protection requires explicit verification through the registered email account before high-risk actions are completed, which helps reduce the risk of accidental or malicious withdrawal submission by an unauthorized party.
Withdrawal Protection is a compensating control, not a substitute for secure email operations, endpoint hardening, credential hygiene, and internal approval processes. Institutions should treat the registered email account as part of the custody control perimeter.
Security Best Practices
Secure the registered email account
Use a unique, high-entropy password for the registered email account
Store credentials in an approved password manager rather than in browsers or unsecured notes
Enable multi-factor authentication on the email account, preferably with phishing-resistant methods where available
Review mailbox forwarding rules, recovery addresses, delegated access, and sign-in history on a regular basis
Remove obsolete recovery methods and revoke access for former personnel or unused devices
For institutional deployments, use a controlled corporate mailbox with clear ownership, access logging, and monitored security alerts
Secure access to BASIS
Enable all available BASIS security controls that are applicable to your account model
Access BASIS only from trusted devices that are patched, encrypted, and protected by endpoint security controls
Avoid shared browsers, unmanaged devices, and public networks for withdrawal-related activity
Verify that you are using the correct BASIS domain before signing in or entering verification codes
Maintain strict internal approval procedures for wallet changes and withdrawal execution
Verify every withdrawal deliberately
Review the destination address, network, asset, amount, and beneficiary context before entering a verification code
Confirm that the withdrawal matches internal authorization records and treasury instructions
Do not rely on email links alone to access the platform. Prefer direct navigation through a trusted bookmark or approved internal access path
If you receive an unexpected verification code
Do not share the code
Do not enter the code anywhere unless you personally initiated the protected action
Log in to BASIS through a trusted path and review recent account activity
Review the security of the registered email account immediately
Change account credentials and rotate email credentials if compromise is suspected
Escalate the event through your internal security process and contact BASIS support if unauthorized activity is suspected
An unexpected withdrawal verification email should be treated as a potential security event. If you did not initiate the action, assume that account credentials, an authenticated session, or the registered email account may have been targeted until proven otherwise.
User Responsibilities
Users are responsible for the secure operation of Withdrawal Protection and for protecting the channels on which it depends.
You must maintain secure and exclusive control over the registered email account.
You must not disclose verification codes to any third party under any circumstance.
You must verify the legitimacy of each protected action before entering a code.
You must investigate unexpected verification emails immediately.
You must keep the registered email address current, accessible, and protected by appropriate security controls.
You must ensure that personnel with withdrawal authority understand that a verification code is an authorization factor and must be handled as confidential security data.
You must follow your internal incident response process if you suspect phishing, credential compromise, mailbox compromise, or unauthorized access.
Successful entry of a valid verification code is treated as authorization for the pending protected action. Failure to secure the registered email account can materially reduce the effectiveness of this control.
UI Reference
Withdrawal Protection: applies email verification to enabling the feature, disabling the feature, and the final submission of withdrawal requests. Status values: Enabled, Disabled.
UI behavior note
During activation or deactivation, the displayed status does not change until the verification code is successfully validated
During withdrawal submission, the request is not submitted until the verification step is completed successfully