The Binance Device Management page shows all devices currently holding a login session and the login history for the last 30 days. It is a must-check item for monthly account security reviews. The core actions are Regular Inspection → Identify Unfamiliar Devices → Force Logout → Change Password. Combined with login notifications, you can detect anomalies at the earliest possible moment. The entry point is on the Binance official website under Security Center → Device Management; the path is identical on the mobile app after downloading the Binance Official App. This article explains the interface, IP/location identification, handling unfamiliar devices, session mechanisms, auto-cleaning strategies, MDM-style self-checks, cross-device synchronization, and emergency workflows across 8 sections.
1. Understanding the Device Management Interface
Log in to the Binance web version → Avatar in the top right → Security → Account Security section → Device Management. You will see two lists:
Active Devices
Each row displays:
| Field | Meaning | Example |
|---|---|---|
| Device | Device Identification | Chrome 126 on macOS 14.5 |
| IP Address | IP at Login | 203.0.113.42 |
| Location | IP Geolocation | Hong Kong, HK |
| Last Active | Most Recent Activity | 2026-04-14 14:12 UTC |
| Status | Current Status | Online / Offline |
| Action | Action Button | Remove |
Login History
Records all login events for the last 30 days:
| Field | Description |
|---|---|
| Date | Time of Login |
| IP | Source IP |
| Device | Device identified by UA |
| Location | Country + City |
| Status | Success/Failed |
| 2FA Method | Authenticator/SMS/Email |
3 Signals to Identify Anomalies: Cities you've never visited, browsers you've never used, or logins at 3 AM.
2. IP and Location Identification
Normal IP Characteristics
- Matches the ISP address range of your current city (e.g., AT&T, Verizon, China Telecom).
- May jump to another city (e.g., a regional hub) when switching mobile 4G/5G.
- Displays the VPN exit IP when using a VPN or proxy.
- Corporate Wi-Fi may display the headquarters' IP.
Abnormal IP Characteristics
- High-frequency attack sources like Russia, Vietnam, India, or Nigeria (unless you are actually there).
- IDC data center IPs (AWS/Google Cloud/DigitalOcean) when you never log in from a server.
- Tor exit nodes.
- Jumping across multiple locations in a short timeframe (physically impossible travel).
How to Check IP Geolocation
You can check the owner of a login IP on the following sites:
https://ipinfo.io/203.0.113.42
https://ipinfo.io/ (automatic current IP check)
The returned JSON fields like org, country, city, and asn allow for quick identification. IDC IPs usually show an org like AS14061 DigitalOcean or AS16509 Amazon.
3. Workflow for Handling Unfamiliar Devices
If you discover a suspicious device, follow these 5 steps:
Step 1: Force Logout Immediately
Click Remove next to the unfamiliar device → 2FA verification → Confirm logout. The session token for that device will expire immediately, making it impossible for others to continue even if they have cookies.
Step 2: Change Password
Security Center → Change Password → Set a new 12+ character password → 2FA verification. Changing the password will force all devices (including your own) to log out, requiring a re-login.
Step 3: Reset 2FA
Security Center → Disable Authenticator → Re-bind immediately. Reason: If an attacker has obtained your 2FA secret (rare), they could still generate TOTPs; resetting invalidates the old secret.
Step 4: Clean Up API Keys
API Management → Delete any unfamiliar API Keys. Even after a force logout, API Keys do not rely on sessions; only deletion cuts off access entirely.
Step 5: Check Assets
- Assets → Trade History: Check for unfamiliar orders in the last 7 days.
- Assets → Withdrawal History: Check for unfamiliar addresses in the last 30 days.
- Assets → API Trade History: Check for high-frequency arbitrage orders.
- If anomalies are found, immediately submit a support ticket to freeze the account.
4. Session Mechanism and Token Validity
Binance Web uses a JWT + Refresh Token scheme:
| Token Type | Validity | Storage Location | Revocation Method |
|---|---|---|---|
| Access Token | ~15 Minutes | Cookie (HttpOnly) | Auto-expiration |
| Refresh Token | 30 Days | Cookie (HttpOnly) | Logout via Device Management |
| API Key | Permanent until deleted | User-saved | Delete via API Management |
| WebSocket Token | 60 Minutes | In-session | Disconnect |
A session will auto-log out after 30 days of inactivity. However, an attacker with a Refresh Token can maintain access, which is why "Logout via Device Management" is a critical action—it blacklists the Refresh Token on the server.
5. Automated Cleaning Strategies
Weekly Self-Check Script (Python Example, Read-only)
import requests
import time
import hmac
import hashlib
import os
API_KEY = os.getenv('BINANCE_API_KEY')
API_SECRET = os.getenv('BINANCE_API_SECRET')
def sign(params):
query = '&'.join([f'{k}={v}' for k, v in params.items()])
sig = hmac.new(API_SECRET.encode(), query.encode(), hashlib.sha256).hexdigest()
return query + '&signature=' + sig
# Query login history for the last 30 days (requires SAPI endpoint availability)
params = {'timestamp': int(time.time() * 1000)}
# Example URL (Note: Actual Device Management endpoint may differ from standard API)
# url = 'https://api.binance.com/sapi/v1/account/login/history'
# resp = requests.get(url, params=sign(params), headers={'X-MBX-APIKEY': API_KEY})
Note: Currently, Binance does not have a public API for querying the device list. This example only illustrates the signing method for querying trade history via API. Device management must be checked manually via web or app.
Manual Review Cadence
| Frequency | Action |
|---|---|
| Daily | Check if email login notifications match actual logins. |
| Weekly | Check Active Devices in Device Management once. |
| Monthly | Clear historical devices with "Offline" status once. |
| Quarterly | Change password and update 2FA backups. |
| Annually | Re-evaluate the use of hardware keys like YubiKey. |
6. MDM-Style Security Checklist
Maintain a checklist for your account like a company manages mobile devices:
binance_account:
primary_email: [email protected]
uid: 123456789
2fa:
type: Google Authenticator
backup_key_location: 1Password + Physical Safe
last_verified: 2026-04-14
anti_phishing_code: Sky7Whale-FV
withdrawal_whitelist:
enabled: true
mode: strict
addresses:
- {coin: BTC, label: Ledger-1, added: 2026-01-15}
- {coin: USDT-TRC20, label: Exchange-Main, added: 2026-01-20}
devices:
trusted:
- {name: MacBook Pro M3, ip_range: 203.0.113.0/24}
- {name: iPhone 15 Pro, ip_range: mobile}
last_review: 2026-04-14
api_keys:
- {label: Trading Bot, perms: [spot_read, spot_trade], ip_whitelist: [x.x.x.x]}
Store this YAML in 1Password and compare it against the actual settings during quarterly reviews.
7. App and Web Synchronization
Device Management data is consistent between the web and app versions, but the entry points differ:
| Platform | Path |
|---|---|
| Web | Avatar → Security → Device Management |
| iOS App | Top-left avatar → Security → Logged-in Devices |
| Android App | Same as iOS |
| PC Client | Top-right avatar → Security → Devices |
When logged into the app, the web version will display labels like iPhone 15 Pro · iOS 17.4, allowing for quick cross-referencing.
8. Emergency Response Workflow
When you are certain your account has been compromised:
Step 1 [0-1 min] Log in to binance.com → Change Password
Step 2 [1-3 min] Device Management → Force Logout all devices
Step 3 [3-5 min] Support Center → Request emergency account freeze
Step 4 [5-10 min] Delete all API Keys
Step 5 [10-30 min] Check trade/withdrawal history → Take screenshots as evidence
Step 6 [30-120 min] Submit appeal materials + ID photos
Step 7 [2-7 days] Await manual customer support processing
Once the account is frozen, the attacker cannot perform actions even if they still have API Keys or tokens.
FAQ
Q1: Will an attacker know immediately after a force logout?
A: The attacker's browser will return a 401 Unauthorized on the next API request, and most interfaces will automatically jump back to the login page. They will not receive push notifications (those go to your account), so your action is "silent" to them.
Q2: I see a city in Device Management I've never been to, but the IP is IDC. What should I do?
A: It is likely a VPN node you used. Check if you used services like ExpressVPN or NordVPN and connected to that region's node. If you rule out VPN use, follow the unfamiliar device workflow immediately.
Q3: Login history only keeps 30 days; can I get a longer history?
A: No. The Binance web version only opens up 30 days. For longer records, you can regularly take screenshots yourself or trace back using the "Login Notification" emails in your inbox (which can be kept indefinitely in Gmail).
Q4: After logging out from the App, are cookies still useful in the browser?
A: No. Logging out marks the Refresh Token as invalid on the server side. Any device (including browsers) holding an old token will be rejected on the next request.
Q5: Will I need to re-verify 2FA after changing my SIM card?
A: Yes. Binance identifies a SIM change as a "New Device Characteristic," requiring re-verification of 2FA and email before allowing continued use. This is a design feature to prevent SIM Swapping.
Keep reading: Return to the Category Navigation and enter the "Security Hardening" category to view tutorials on login notifications, 2FA recovery, and more.