The global settings lock is an enhanced security feature that helps prevent tampering of your account information by an attacker that has gained access to your account. When enabled, the following account information is locked and cannot be immediately changed:
- Account settings
- Withdrawal addresses
- Verification information (also hidden)
- Two-factor authentication (also hidden)
- API keys (also hidden)
The settings lock also hides certain sensitive information in your account. Your verification information won't be visible. If you've created API keys, they won't be visible. And setup information for two-factor authentication won't be visible (i.e. the setup keys and QR codes for Google Authenticator). Note that two-factor for funding and trading is ineffective without the settings lock.
Once the lock is turned on, settings can't be changed until an unlock request takes effect. The unlock request can take effect up to 30 days after the unlock request is made (the number of days is user-specifiable). If 0 is entered for the number of days to unlock, a master key will be required to unlock the settings (the master key should be created first). An email notification is immediately sent whenever an unlock request is made.
Suppose, for example, that you turn on the settings lock with the unlock process set to take seven days. Then someone gains access to your account and tries to change your settings (say they want to change your Bitcoin withdrawal address so they can withdraw your coins to their address). You would receive immediate email notification of the unlock request, and would have 7 days to stop the request before it took effect. When you discovered the unauthorized unlock request, you would contact support right away so we could take the necessary steps to protect your account.
It's possible to use the master key feature to override the lock (and thus unlock settings immediately), provided that you create the master key prior to locking. If the number of days to unlock is set to 0, then the master key will be required to unlock the settings (not just required to override the waiting period). This override option can be very convenient, but remember that the security benefit of the settings lock feature will only be good to the extent that your master key is kept safe. If someone gains access to both your account and the master key, the settings lock won't slow them down.