Let’s assume you enabled 2FA on your GDAX/Coinbase account. Currently, you cannot withdraw funds from GDAX to outside address or bank account without two-factor authentication (2FA).
However, you can move the funds from GDAX to Coinbase account and from there you can then send them to outside address without 2FA! I consider this a security flaw and will demonstrate the issue in the example below.
If for example, you have a device (PC/MAC/Mobile, etc.) where you have activated “remember me for 30 days” feature to avoid providing 2FA everytime you log in, this device becomes a target for potential theft. Once someone will get an access to this device and steal your login credentials, they can then move the funds from GDAX to Coinbase and from there move it to an outside address to which you no longer have access. GDAX and Coinbase share the security settings (including login details), so attacker needs just your login details to access both platforms to action it.
Vulnerability above assumes that attacker will gain access to login credentials and to the device with active “remember me for 30 days”, so please make sure you have both secured very well if you happen to have this kind of set up.
@COINBASE: kindly fix it pls!