Topic: Electrum 2FA (Read 348 times)

Aside from user-friendliness concern which already mentioned by @bob123, it's trade-off between 1 large pre-payment and locking your Bitcoin on LN channel for some time. Don't forget about fees when open/close LN channel, which could be higher than 2FA fee if user rarely make transaction.

Those people will hopefully also read all the replies which state that the person agreed to pay that fee by choosing to create a 2FA wallet.

I wouldn't say a majority doesn't read stuff like that. The people who don't read this when creating a wallet are the people who will lose their coins in the future due to not paying attention to the importance of their mnemonic code or OpSec.

While i don't have any reliable data for this, i don't think this applies to the majority.




But this would also mean that the user has to use the lightning network.
That would be too much for newbies and isn't necessary yet. I think this would overcomplicate things for them.

Generally, i agree with this. This would be nice feature to have.

they could switch to lightning. that way people can pay per transaction. this would remove the shock of that large prepayment.

That's why I said it's not feasible. Newbies may feel cheated by that bulk payment and move away from that solution exactly after they actually paid for it.
I know that people should read before opting in, but I also know that the vast majority doesn't... However people will then read their complaints.
However, I guess that we have to agree that's a topic we have different/opposite points of view and move forward. 

If we are adding a new device requirement then it doesn't have to reduce privacy any more than it currently is. The setup could be like this (and works only for SegWit transactions since their txid doesn't change with signature):
1. The user creates a transaction, computes its transaction ID, signs it and sends it to the TrustedCoin servers to sign.
2. The TrustedCoin server does what it already does (verify tx,...) without signing. Instead it sends the transaction ID to that secondary device of the user (an SMS for instance) to verify before it signs it.
3. The user sees and verifies the txid is the same and approves it.
4. The TrustedCoin server receives the approval and signs the transaction and sends it back/broadcast it to the network.

To prevent the "middleman" from knowing the transaction ID and linking it to the phone owner for example we can send something else instead of the txid itself. It could be HMACSHA256 of the transaction ID by first communicating a "key" between the server and the user and compute the hash like this:
Now the SMS contains a hash that can not be connected to user's tx without knowing that "hmac key" but the user can still verify it.

I think if we were to ignore the privacy part, since both Electrum and TrustedCoin would compromise privacy anyways.

Would it be better for TrustedCoin to be able to send a message containing the address to the user's 2FA app? Something like this[1] so it becomes more like a push notification. It eliminates the risks of having a malware, unless both the user's device and the computer are compromised. The main caveat that I can see from this is that it involves giving another party the transaction information which actually eliminates the privacy aspect completely at this point. At the same time, you can probably trust that the malware cannot modify whatever is displayed on the phone and that Authy or whichever provider is as trustworthy as TrustedCoin.

[1] https://gemini.com/blog/introducing-authy-push

The problem is that no matter what you do, the user ends up having to enter that passphrase or decrypt the wallet on their system. If that system is compromised then the malware has the same access as the user and unless they verify things on both sides (the system and the 2FA where the second signature is generated) that malware can still do its thing by interrupting the communication and letting the user think they are communicating with the second party while the malware is.

This part is why I've been fiddling with Electrum's codebase trying to add a different authentication method. I'm trying to make it so that Electrum encrypts the wallet file with the password and otp key so that trustedcoin is not needed.

I guess I could make it a plugin where it will be more accessible to people, but Electrum's plugin documentation is sparse.

For you and me? Probably not... for someone who wants something that is arguably more secure than a standard wallet and doesn't involve them having to learn how MultiSig actually works and uses a system (Google Authenticator) they're probably already familiar with? maybe?

I wouldn't mind if the installer actually had big giant bold letters explaining how the system was going to work, that their first send transaction would add the extra fee and forced the user to actually see and agree to the fees BEFORE they finished creating the wallet...

Even a pop-up during any "send" transaction where the additional fee is going to be added because the user has no credit would be a good step... at least then users would have a better understanding of why the extra 0.001 or 0.0025 BTC is being added to the transaction and sent to some "random" address


It used to be a couple of cents and was charged per transaction... then BTC became more valuable and popular... and it was no longer financially viable for TrustedCoin to be collecting all the small "dust" payments.

So, they moved to the "credit" based system that requires a bulk purchase.
He was trying to design an OTP system that didn't rely on a third party... ie. you could still require the 2FA app on your phone, but it would be just your Electrum wallet and your 2FA app... no third party involved.

Honestly, I would have thought that the easier system would probably just be running a 2-of-2 MultiSig than attempting to mess around with OTP codes...

the otp is not used to encrypt anything. it's a 2 of 3 multisig wallet with only one of 3 extended private keys stored in the wallet file. during normal usage you have to get trusted coin to sign the transaction with their key so that the transaction goes through. they are the ones that make you enter the otp code.

Thanks. Good that they have that stated in the disclaimer. I never really used them other than for some troubleshooting with the users here, I missed that line.

So after trying to design a scheme to add TOTP as a second step for opening Electrum wallets I ran into a major problem. There is no safe way to encrypt the wallet.dat using both the password and OTP result.

OTP requires two parties store the secret key independently from each other, but in this case the "parties" are you, in the form of your phone, and the Electrum wallet. The wallet has no safe place to store the secret key short of encrypting it with the password, but that nullifies the benefits of 2FA since the password can now be used to obtain the secret key. This means that if you know the password then the 2FA result can be trivially guessed so it's no more secure than using a single password.

There is also the equally as important issue of how the OTP result can be used to encrypt the wallet.dat. Passwords are currently stretched with PBKDF2 HMAC-SHA512 with an empty salt. We have the option of either using the OTP result or the secret key as the salt. If we use the secret key, it has to be transmitted with TLS from a secure place where it's stored (possibly from some other local system with a key store for OTP secret keys), but there is a risk that a buggy implementation might inadvertently expose it in plaintext. And of course OTP results can't be used for encryption because they are constantly changing and there's no way to create them again without the secret key. And the whole point of OTP is to keep the secret key somewhere safe.

And without encrypting the wallet.dat using something derived from the secret key, anyone that can brute force the password can unlock the wallet which is a loophole in this 2FA setup that reverts it to the 1FA we presently have...

So this is doable but our best shot is in using some established key store software like libsodium to keep the secret keys in, securely transmit it to the wallet to use as a salt, and hope that I don't write something stupid that gets the key leaked. (Libsodium is how Github stores repositories' API keys for third party publishing and testing services)

It's worth noting that a Google Chrome on Linux uses a password-protected PGP key and GPG software to encrypt all of its saved logins and passwords so I can definitely see me using some command-line tool to encrypt the secret keys to a file as well.

Never did.
But newbies do use it and get in trouble. And I'm with @ranochigo here: it's rather unpleasant to find out suddenly that you've lost almost 50$ for this.
As a newbie you may even think that you got hacked.

If it would have costed a couple of cents per transaction (i.e. dust) and not paid in such big bulk then maybe it would worth it. But that's not feasible and as it is it may erode the actual reputation of the wallet.

I agree. I just made a post describing how 2FA has it's shortcoming in another thread. Most newbies think that 2FA would protect them from most attacks as well. The range of possible cases that they would be protected from isn't stated or discussed anywhere. I feel that this is at the very least misleading, but perhaps not to the fault of Electrum.


There seems to be a lot more confusion about why Electrum is suddenly putting a 0.001BTC output. Why doesn't Electrum put the payment preference to the start of the screen for the user to configure? At least that'll make it clearer that they're paying X to X and clear any confusion. I believe that's an UI issue but it would help a bit if they were to change it slightly.

It doesn't, but I want to hear about why TrustedCoin 2FA could be useful for some. Which is why I created this thread for a discussion from both sides of the camp.

I acknowledge that it does help the user to a certain extent, is the fees being charged (0.000025BTC/tx) and considering that some would change to a HW wallet before they finish using the credit reasonable for the level of security provided?

Electrum makes you store the 2FA code on your phone in an Authenticator app, so malware compromising the computer isn't going to reveal the 2FA codes.

I'm not sure why there is so much "hate" for 2FA in Electrum? Sure it might not be useful to you or I personally (like web wallet services or paper wallets)... but there are definitely use-cases for it.

Is that not true of any 2FA implementation tho? I don't see this as being exclusively an "Electrum 2FA" issue. It's like a lock on your front door, it'll stop a random person from walking off the street and into your house, but it isn't going to stop a determined burglar who will just put a brick through your window

These sorts of mechanisms are designed to offer "added" security... not "total" security... as per the Electrum doc that you quote:
Why? If you don't like it... there is an easy option: don't use it!

Just because it doesn't protect all users in all situations (Spoiler: no security setup does or can), doesn't necessarily make it "bad"...

I use 2FA (prefer U2F) on every site its available, in general, but not where I am NOT the holder of the second credential.  Using a Trezor along with Electrum, to me, is the ultimate 2FA of sorts.  My Electrum wallets are encrypted/locked to the hardware wallet so there is NO opening my wallets without the hardware wallet present.  Electrum alone cannot protect against a malware infected computer.  For this reason many elect to use Air gapped (two computers) to guard against this risk.  I find it easier to simply code and use a hardware wallet.  They both work well so its a preference thing.

Rather than TrustedCoin, I would like the ability to send a TOTP code to Authenticator as an optional supplement to password entry. It would not be hard to implement, since there is no third party involved. Only a secret key needs to be generated, possibly wrapped in a QR code, and then HMAC hashing for the code needs to be implemented as well.

I really want to see if it's something I can hack together in 6 hours. It only involves adding a screen in the wallet creation wizard and another menu option.

With this 2FA there is no need for this third party service but it must stay in Electrum for compatibility reasons for people already using it, and it's free and saves you from paying "ransom" to some intermediary for every few transactions you make.

I find it to this day overpriced and not really useful.
As already said, if the computer has malware on it from start 2FA will not help.

A simple math tells that if you plan to do at least 150 transactions you'll get a hardware wallet in the same money (and I didn't count the extra you'd pay in the tx fees because of multisig).

With all due respect for the brilliant piece of software Electrum is, this 2FA feature caused more troubles to newbies than helping them and now it's time to think seriously that it should be retired.