
Topic: Electrum 2FA (Read 381 times)

legendary
Activity: 2870
Merit: 7490
December 18, 2020, 08:15:56 AM
#25
they could switch to lightning. that way people can pay per transaction. this would remove the shock of that large prepayment.

Aside from the user-friendliness concern already mentioned by @bob123, it's a trade-off between 1 large pre-payment and locking your Bitcoin in an LN channel for some time. Don't forget about fees when opening/closing an LN channel, which could be higher than the 2FA fee if the user rarely makes transactions.
legendary
Activity: 1624
Merit: 2481
December 17, 2020, 03:29:39 PM
#24
I know that people should read before opting in, but I also know that the vast majority doesn't... However people will then read their complaints.

Those people will hopefully also read all the replies which state that the person agreed to pay that fee by choosing to create a 2FA wallet.

I wouldn't say a majority doesn't read stuff like that. The people who don't read this when creating a wallet are the people who will lose their coins in the future due to not paying attention to the importance of their mnemonic code or OpSec.

While I don't have any reliable data for this, I don't think this applies to the majority.



they could switch to lightning. that way people can pay per transaction. this would remove the shock of that large prepayment.

But this would also mean that the user has to use the lightning network.
That would be too much for newbies and isn't necessary yet. I think this would overcomplicate things for them.

Generally, I agree with this. This would be a nice feature to have.
legendary
Activity: 3710
Merit: 1586
December 15, 2020, 03:39:33 PM
#23
they could switch to lightning. that way people can pay per transaction. this would remove the shock of that large prepayment.
legendary
Activity: 3668
Merit: 6382
December 15, 2020, 04:46:11 AM
#22
If it would have cost a couple of cents per transaction (i.e. dust) and not been paid in such a big bulk then maybe it would be worth it. But that's not feasible and as it is it may erode the actual reputation of the wallet.
It used to be a couple of cents and was charged per transaction... then BTC became more valuable and popular... and it was no longer financially viable for TrustedCoin to be collecting all the small "dust" payments.

So, they moved to the "credit" based system that requires a bulk purchase.
TrustedCoin previously supported paying on a per-transaction (as opposed to batch) basis but had to discontinue support for this due to mining fees.

That's why I said it's not feasible. Newbies may feel cheated by that bulk payment and move away from that solution exactly after they actually paid for it.
I know that people should read before opting in, but I also know that the vast majority doesn't... However people will then read their complaints.
However, I guess that we have to agree that's a topic on which we have different/opposite points of view and move forward.
legendary
Activity: 3472
Merit: 10611
December 14, 2020, 11:43:49 PM
#21
The problem is that no matter what you do, the user ends up having to enter that passphrase or decrypt the wallet on their system. If that system is compromised then the malware has the same access as the user and unless they verify things on both sides (the system and the 2FA where the second signature is generated) that malware can still do its thing by interrupting the communication and letting the user think they are communicating with the second party while the malware is.
I think if we were to ignore the privacy part, since both Electrum and TrustedCoin would compromise privacy anyways.

Would it be better for TrustedCoin to be able to send a message containing the address to the user's 2FA app? Something like this[1] so it becomes more like a push notification. It eliminates the risks of having a malware, unless both the user's device and the computer are compromised. The main caveat that I can see from this is that it involves giving another party the transaction information which actually eliminates the privacy aspect completely at this point. At the same time, you can probably trust that the malware cannot modify whatever is displayed on the phone and that Authy or whichever provider is as trustworthy as TrustedCoin.

[1] https://gemini.com/blog/introducing-authy-push
If we are adding a new device requirement then it doesn't have to reduce privacy any more than it currently is. The setup could be like this (and works only for SegWit transactions since their txid doesn't change with signature):
1. The user creates a transaction, computes its transaction ID, signs it and sends it to the TrustedCoin servers to sign.
2. The TrustedCoin server does what it already does (verify tx,...) without signing. Instead it sends the transaction ID to that secondary device of the user (an SMS for instance) to verify before it signs it.
3. The user sees and verifies the txid is the same and approves it.
4. The TrustedCoin server receives the approval, signs the transaction and sends it back/broadcasts it to the network.

To prevent the "middleman" from knowing the transaction ID and linking it to the phone owner, for example, we can send something else instead of the txid itself. It could be the HMACSHA256 of the transaction ID, by first communicating a "key" between the server and the user and computing the hash like this:
Code:
HMACSHA256(msg=txid, key=key)
Now the SMS contains a hash that cannot be connected to the user's tx without knowing that "hmac key" but the user can still verify it.
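The check in steps 2 and 3 of the scheme above, using the HMAC variant, as an added example that is not part of the original post. The transaction bytes are constructed stand-ins, the function names are hypothetical, and the key is assumed to have been shared between server and user beforehand.

```python
import hashlib
import hmac
import secrets


def txid(stripped_tx: bytes) -> str:
    """Double SHA-256 of the transaction serialized without witness data,
    byte-reversed the way wallets and explorers display it."""
    digest = hashlib.sha256(hashlib.sha256(stripped_tx).digest()).digest()
    return digest[::-1].hex()


def sms_tag(txid_hex: str, key: bytes) -> str:
    """HMACSHA256(msg=txid, key=key) as proposed in the post, hex-encoded."""
    return hmac.new(key, bytes.fromhex(txid_hex), hashlib.sha256).hexdigest()


def user_approves(local_txid_hex: str, received_tag: str, key: bytes) -> bool:
    """User side (step 3): recompute the tag for the transaction the user
    created and compare it, in constant time, with the tag from the SMS."""
    return hmac.compare_digest(sms_tag(local_txid_hex, key), received_tag)


# Constructed sample data: stand-ins for serialized transactions.
INTENDED_TX = b"constructed-tx: pay 0.01 BTC to the address the user chose"
SWAPPED_TX = b"constructed-tx: pay 0.01 BTC to an address the user did not choose"


def demo() -> dict:
    key = secrets.token_bytes(32)      # assumed: exchanged once, out of band
    intended = txid(INTENDED_TX)

    # Server received the transaction the user created: tags match.
    matching = user_approves(intended, sms_tag(intended, key), key)

    # Server received a different transaction: its txid, and so its tag, differ.
    swapped = user_approves(intended, sms_tag(txid(SWAPPED_TX), key), key)

    # A party that sees the SMS and the public txid but holds another key
    # cannot reproduce the tag, so it cannot link the SMS to the transaction.
    other_key_tag = sms_tag(intended, secrets.token_bytes(32))
    linkable = hmac.compare_digest(other_key_tag, sms_tag(intended, key))

    return {
        "matching_tx_approved": matching,
        "swapped_tx_approved": swapped,
        "tag_matches_without_key": linkable,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```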
legendary
Activity: 3038
Merit: 4418
December 14, 2020, 11:10:12 PM
#20
The problem is that no matter what you do, the user ends up having to enter that passphrase or decrypt the wallet on their system. If that system is compromised then the malware has the same access as the user and unless they verify things on both sides (the system and the 2FA where the second signature is generated) that malware can still do its thing by interrupting the communication and letting the user think they are communicating with the second party while the malware is.
I think if we were to ignore the privacy part, since both Electrum and TrustedCoin would compromise privacy anyways.

Would it be better for TrustedCoin to be able to send a message containing the address to the user's 2FA app? Something like this[1] so it becomes more like a push notification. It eliminates the risks of having a malware, unless both the user's device and the computer are compromised. The main caveat that I can see from this is that it involves giving another party the transaction information which actually eliminates the privacy aspect completely at this point. At the same time, you can probably trust that the malware cannot modify whatever is displayed on the phone and that Authy or whichever provider is as trustworthy as TrustedCoin.

[1] https://gemini.com/blog/introducing-authy-push
legendary
Activity: 3472
Merit: 10611
December 14, 2020, 11:01:53 PM
#19
the otp is not used to encrypt anything. it's a 2 of 3 multisig wallet with only one of 3 extended private keys stored in the wallet file. during normal usage you have to get trusted coin to sign the transaction with their key so that the transaction goes through. they are the ones that make you enter the otp code.

This part is why I've been fiddling with Electrum's codebase trying to add a different authentication method. I'm trying to make it so that Electrum encrypts the wallet file with the password and otp key so that trustedcoin is not needed.

I guess I could make it a plugin where it will be more accessible to people, but Electrum's plugin documentation is sparse.
The problem is that no matter what you do, the user ends up having to enter that passphrase or decrypt the wallet on their system. If that system is compromised then the malware has the same access as the user and unless they verify things on both sides (the system and the 2FA where the second signature is generated) that malware can still do its thing by interrupting the communication and letting the user think they are communicating with the second party while the malware is.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
December 14, 2020, 08:40:12 PM
#18
the otp is not used to encrypt anything. it's a 2 of 3 multisig wallet with only one of 3 extended private keys stored in the wallet file. during normal usage you have to get trusted coin to sign the transaction with their key so that the transaction goes through. they are the ones that make you enter the otp code.

This part is why I've been fiddling with Electrum's codebase trying to add a different authentication method. I'm trying to make it so that Electrum encrypts the wallet file with the password and otp key so that trustedcoin is not needed.

I guess I could make it a plugin where it will be more accessible to people, but Electrum's plugin documentation is sparse.
HCP
legendary
Activity: 2086
Merit: 4363
December 14, 2020, 04:40:02 PM
#17
I acknowledge that it does help the user to a certain extent, is the fees being charged (0.000025BTC/tx) and considering that some would change to a HW wallet before they finish using the credit reasonable for the level of security provided?
For you and me? Probably not... for someone who wants something that is arguably more secure than a standard wallet and doesn't involve them having to learn how MultiSig actually works and uses a system (Google Authenticator) they're probably already familiar with? maybe?

I wouldn't mind if the installer actually had big giant bold letters explaining how the system was going to work, that their first send transaction would add the extra fee and forced the user to actually see and agree to the fees BEFORE they finished creating the wallet...

Even a pop-up during any "send" transaction where the additional fee is going to be added because the user has no credit would be a good step... at least then users would have a better understanding of why the extra 0.001 or 0.0025 BTC is being added to the transaction and sent to some "random" address


If it would have cost a couple of cents per transaction (i.e. dust) and not been paid in such a big bulk then maybe it would be worth it. But that's not feasible and as it is it may erode the actual reputation of the wallet.
It used to be a couple of cents and was charged per transaction... then BTC became more valuable and popular... and it was no longer financially viable for TrustedCoin to be collecting all the small "dust" payments.

So, they moved to the "credit" based system that requires a bulk purchase.
the otp is not used to encrypt anything. it's a 2 of 3 multisig wallet with only one of 3 extended private keys stored in the wallet file. during normal usage you have to get trusted coin to sign the transaction with their key so that the transaction goes through. they are the ones that make you enter the otp code.
He was trying to design an OTP system that didn't rely on a third party... ie. you could still require the 2FA app on your phone, but it would be just your Electrum wallet and your 2FA app... no third party involved.

Honestly, I would have thought that the easier system would probably just be running a 2-of-2 MultiSig than attempting to mess around with OTP codes...
legendary
Activity: 3710
Merit: 1586
December 14, 2020, 03:15:13 PM
#16
So after trying to design a scheme to add TOTP as a second step for opening Electrum wallets I ran into a major problem. There is no safe way to encrypt the wallet.dat using both the password and OTP result.

OTP requires two parties store the secret key independently from each other, but in this case the "parties" are you, in the form of your phone, and the Electrum wallet. The wallet has no safe place to store the secret key short of encrypting it with the password, but that nullifies the benefits of 2FA since the password can now be used to obtain the secret key. This means that if you know the password then the 2FA result can be trivially guessed so it's no more secure than using a single password.

There is also the equally as important issue of how the OTP result can be used to encrypt the wallet.dat. Passwords are currently stretched with PBKDF2 HMAC-SHA512 with an empty salt. We have the option of either using the OTP result or the secret key as the salt. If we use the secret key, it has to be transmitted with TLS from a secure place where it's stored (possibly from some other local system with a key store for OTP secret keys), but there is a risk that a buggy implementation might inadvertently expose it in plaintext. And of course OTP results can't be used for encryption because they are constantly changing and there's no way to create them again without the secret key. And the whole point of OTP is to keep the secret key somewhere safe.

And without encrypting the wallet.dat using something derived from the secret key, anyone that can brute force the password can unlock the wallet which is a loophole in this 2FA setup that reverts it to the 1FA we presently have...

So this is doable but our best shot is in using some established key store software like libsodium to keep the secret keys in, securely transmit it to the wallet to use as a salt, and hope that I don't write something stupid that gets the key leaked. (Libsodium is how GitHub stores repositories' API keys for third party publishing and testing services)

It's worth noting that Google Chrome on Linux uses a password-protected PGP key and GPG software to encrypt all of its saved logins and passwords so I can definitely see me using some command-line tool to encrypt the secret keys to a file as well.

the otp is not used to encrypt anything. it's a 2 of 3 multisig wallet with only one of 3 extended private keys stored in the wallet file. during normal usage you have to get trusted coin to sign the transaction with their key so that the transaction goes through. they are the ones that make you enter the otp code.
legendary
Activity: 3038
Merit: 4418
December 14, 2020, 07:26:47 AM
#15

Thanks. Good that they have that stated in the disclaimer. I never really used them other than for some troubleshooting with the users here, I missed that line.
legendary
Activity: 1848
Merit: 2033
December 14, 2020, 07:23:53 AM
#14
In addition, if the malware existed since the creation of the wallet, the 2FA would be totally useless.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
December 14, 2020, 04:25:38 AM
#13
So after trying to design a scheme to add TOTP as a second step for opening Electrum wallets I ran into a major problem. There is no safe way to encrypt the wallet.dat using both the password and OTP result.

OTP requires two parties store the secret key independently from each other, but in this case the "parties" are you, in the form of your phone, and the Electrum wallet. The wallet has no safe place to store the secret key short of encrypting it with the password, but that nullifies the benefits of 2FA since the password can now be used to obtain the secret key. This means that if you know the password then the 2FA result can be trivially guessed so it's no more secure than using a single password.

There is also the equally as important issue of how the OTP result can be used to encrypt the wallet.dat. Passwords are currently stretched with PBKDF2 HMAC-SHA512 with an empty salt. We have the option of either using the OTP result or the secret key as the salt. If we use the secret key, it has to be transmitted with TLS from a secure place where it's stored (possibly from some other local system with a key store for OTP secret keys), but there is a risk that a buggy implementation might inadvertently expose it in plaintext. And of course OTP results can't be used for encryption because they are constantly changing and there's no way to create them again without the secret key. And the whole point of OTP is to keep the secret key somewhere safe.

And without encrypting the wallet.dat using something derived from the secret key, anyone that can brute force the password can unlock the wallet which is a loophole in this 2FA setup that reverts it to the 1FA we presently have...

So this is doable but our best shot is in using some established key store software like libsodium to keep the secret keys in, securely transmit it to the wallet to use as a salt, and hope that I don't write something stupid that gets the key leaked. (Libsodium is how GitHub stores repositories' API keys for third party publishing and testing services)

It's worth noting that Google Chrome on Linux uses a password-protected PGP key and GPG software to encrypt all of its saved logins and passwords so I can definitely see me using some command-line tool to encrypt the secret keys to a file as well.
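The two salt options weighed in the post above, as an added example that is not part of the original post or of Electrum's code. The function names, the password and the iteration count are assumptions for illustration; the secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 1024  # assumed value, chosen only for this example


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as authenticator apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def stretch(password: str, salt: bytes = b"") -> bytes:
    """PBKDF2 HMAC-SHA512; the empty default salt is the scheme the post describes."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)


def key_from_code(password: str, secret: bytes, unix_time: int) -> bytes:
    """Option 1: use the current OTP result as the salt."""
    return stretch(password, totp(secret, unix_time).encode())


def key_from_secret(password: str, secret: bytes) -> bytes:
    """Option 2: use the OTP secret key itself as the salt."""
    return stretch(password, secret)


def password_alone_opens(password_guess: str, wallet_key: bytes) -> bool:
    """Would a correct password guess, with no OTP material, derive the key?"""
    return hmac.compare_digest(stretch(password_guess), wallet_key)


RFC_SECRET = b"12345678901234567890"      # RFC 6238 test secret
PASSWORD = "constructed-wallet-password"  # constructed sample value


def demo() -> dict:
    return {
        # The code changes every 30 s, so a key salted with it cannot be
        # derived again later: the wallet could never be reopened.
        "code_key_stable_across_windows":
            key_from_code(PASSWORD, RFC_SECRET, 59) == key_from_code(PASSWORD, RFC_SECRET, 89),
        # The secret is fixed, so the key is reproducible every time.
        "secret_key_stable":
            key_from_secret(PASSWORD, RFC_SECRET) == key_from_secret(PASSWORD, RFC_SECRET),
        # Empty salt: knowing (or brute-forcing) the password is enough.
        "password_alone_opens_empty_salt":
            password_alone_opens(PASSWORD, stretch(PASSWORD)),
        # Secret as salt: the right password alone no longer derives the key.
        "password_alone_opens_secret_salt":
            password_alone_opens(PASSWORD, key_from_secret(PASSWORD, RFC_SECRET)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```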
legendary
Activity: 3668
Merit: 6382
December 14, 2020, 01:17:38 AM
#12
Why? If you don't like it... there is an easy option: don't use it!

Just because it doesn't protect all users in all situations (Spoiler: no security setup does or can), doesn't necessarily make it "bad"...

Never did.
But newbies do use it and get in trouble. And I'm with @ranochigo here: it's rather unpleasant to find out suddenly that you've lost almost 50$ for this.
As a newbie you may even think that you got hacked.

If it would have cost a couple of cents per transaction (i.e. dust) and not been paid in such a big bulk then maybe it would be worth it. But that's not feasible and as it is it may erode the actual reputation of the wallet.
legendary
Activity: 3038
Merit: 4418
December 13, 2020, 11:03:16 PM
#11
Is that not true of any 2FA implementation tho? I don't see this as being exclusively an "Electrum 2FA" issue. It's like a lock on your front door, it'll stop a random person from walking off the street and into your house, but it isn't going to stop a determined burglar who will just put a brick through your window
I agree. I just made a post describing how 2FA has its shortcomings in another thread. Most newbies think that 2FA would protect them from most attacks as well. The range of possible cases that they would be protected from isn't stated or discussed anywhere. I feel that this is at the very least misleading, but perhaps not to the fault of Electrum.


I've seen newbies get into trouble with Electrum, Mycelium, Bitcoin Core, Armory, Blockchain.com, Jaxx, Exodus etc... I don't think it's an Electrum 2FA issue.
There seems to be a lot more confusion about why Electrum is suddenly putting a 0.001BTC output. Why doesn't Electrum put the payment preference to the start of the screen for the user to configure? At least that'll make it clearer that they're paying X to X and clear any confusion. I believe that's a UI issue but it would help a bit if they were to change it slightly.

Just because it doesn't protect all users in all situations (Spoiler: no security setup does or can), doesn't necessarily make it "bad"...
It doesn't, but I want to hear about why TrustedCoin 2FA could be useful for some. Which is why I created this thread for a discussion from both sides of the camp.

I acknowledge that it does help the user to a certain extent, is the fees being charged (0.000025BTC/tx) and considering that some would change to a HW wallet before they finish using the credit reasonable for the level of security provided?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
December 13, 2020, 04:55:13 PM
#10
If the computer gets compromised by malware, the OTP that could be captured can be used to get TrustedCoin to sign an alternate transaction.
Is that not true of any 2FA implementation tho? I don't see this as being exclusively an "Electrum 2FA" issue. It's like a lock on your front door, it'll stop a random person from walking off the street and into your house, but it isn't going to stop a determined burglar who will just put a brick through your window

Electrum makes you store the 2FA code on your phone in an Authenticator app, so malware compromising the computer isn't going to reveal the 2FA codes.
HCP
legendary
Activity: 2086
Merit: 4363
December 13, 2020, 02:50:39 PM
#9
I'm not sure why there is so much "hate" for 2FA in Electrum? Sure it might not be useful to you or I personally (like web wallet services or paper wallets)... but there are definitely use-cases for it.

If the computer gets compromised by malware, the OTP that could be captured can be used to get TrustedCoin to sign an alternate transaction.
Is that not true of any 2FA implementation tho? I don't see this as being exclusively an "Electrum 2FA" issue. It's like a lock on your front door, it'll stop a random person from walking off the street and into your house, but it isn't going to stop a determined burglar who will just put a brick through your window

These sorts of mechanisms are designed to offer "added" security... not "total" security... as per the Electrum doc that you quote:
With all due respect for the brilliant piece of software Electrum is, this 2FA feature caused more troubles to newbies than helping them and now it's time to think seriously that it should be retired.
Why? If you don't like it... there is an easy option: don't use it!

Just because it doesn't protect all users in all situations (Spoiler: no security setup does or can), doesn't necessarily make it "bad"...
hero member
Activity: 761
Merit: 606
December 13, 2020, 02:38:07 PM
#8
I use 2FA (prefer U2F) on every site it's available, in general, but not where I am NOT the holder of the second credential.  Using a Trezor along with Electrum, to me, is the ultimate 2FA of sorts.  My Electrum wallets are encrypted/locked to the hardware wallet so there is NO opening my wallets without the hardware wallet present.  Electrum alone cannot protect against a malware infected computer.  For this reason many elect to use Air gapped (two computers) to guard against this risk.  I find it easier to simply code and use a hardware wallet.  They both work well so it's a preference thing.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
December 13, 2020, 02:17:37 PM
#7
Rather than TrustedCoin, I would like the ability to send a TOTP code to Authenticator as an optional supplement to password entry. It would not be hard to implement, since there is no third party involved. Only a secret key needs to be generated, possibly wrapped in a QR code, and then HMAC hashing for the code needs to be implemented as well.

I really want to see if it's something I can hack together in 6 hours. It only involves adding a screen in the wallet creation wizard and another menu option.

With this 2FA there is no need for this third party service but it must stay in Electrum for compatibility reasons for people already using it, and it's free and saves you from paying "ransom" to some intermediary for every few transactions you make.
legendary
Activity: 3668
Merit: 6382
December 13, 2020, 12:08:21 PM
#6
I find it to this day overpriced and not really useful.
As already said, if the computer has malware on it from start 2FA will not help.

Simple math tells you that if you plan to do at least 150 transactions you'll get a hardware wallet for the same money (and I didn't count the extra you'd pay in the tx fees because of multisig).

With all due respect for the brilliant piece of software Electrum is, this 2FA feature caused more troubles to newbies than helping them and now it's time to think seriously that it should be retired.
legendary
Activity: 2744
Merit: 3097
December 13, 2020, 11:58:14 AM
#5
I don't remember what TrustedCoin charges, but if you use your wallet a lot the fees might add up to the cost of a Ledger Nano or another affordable hardware wallet.
You can choose to either pay 0.001btc for a set of 20 transactions (0.00005 per tx) or 0.0025btc for 100 transactions (0.000025 per tx).
A Ledger Nano costs 59$ or around 0.003btc. So, it would be better to buy a hw if you are going to make more than 100 txs.

If someone has a second device to run the authenticator software, why doesn't he use it to create a 2 of 2 multisig wallet and save a lot of fees?!
copper member
Activity: 2338
Merit: 4543
December 13, 2020, 11:48:14 AM
#4
Do other kinds of seed phrases allow a third party to see the seeds?

If you allow Electrum to generate the seed phrase, you can see it by selecting "Wallet" from the menu, then clicking on "Seed."  You still need the password to display the seed phrase.  If you "restore" a wallet from a Bip39 seed phrase, that option will not be available. 
legendary
Activity: 3038
Merit: 4418
December 13, 2020, 11:40:54 AM
#3
I'm not a fan.  The idea of trusting a third party to sign my transactions seems to go against everything I've learned about crypto.
To be fair, I think they did think it through and they structured it such that you don't need the signature of TrustedCoin for the transaction to be valid because you hold 2 keys and the multisig is 2 of 3.

But, if we're only talking about desktop wallets there are plenty of security measures you can take that will mitigate your risk without TrustedCoin.  For example; using only bip39 seeds with your Electrum wallet will prevent someone who accesses your computer from seeing your seed phrase.  If you absent-mindedly walk away from your computer with your wallet open, an attacker would still need your wallet password to sign a transaction.
Agreed. I suppose using HW wallets would mitigate this risk completely in the first place. And with hot wallets, a password would be sufficient. Do other kinds of seed phrases allow a third party to see the seeds?
copper member
Activity: 2338
Merit: 4543
December 13, 2020, 10:56:50 AM
#2
Does the 2FA in Electrum provide a false sense of security to the user or is there an actual use case that would justify the fees that TrustedCoin receives for their service?

I'm not a fan.  The idea of trusting a third party to sign my transactions seems to go against everything I've learned about crypto.

The fees alone are enough reason to consider other options.  I don't remember what TrustedCoin charges, but if you use your wallet a lot the fees might add up to the cost of a Ledger Nano or another affordable hardware wallet.

But, if we're only talking about desktop wallets there are plenty of security measures you can take that will mitigate your risk without TrustedCoin.  For example; using only bip39 seeds with your Electrum wallet will prevent someone who accesses your computer from seeing your seed phrase.  If you absent-mindedly walk away from your computer with your wallet open, an attacker would still need your wallet password to sign a transaction.

I agree that TrustedCoin would only help if your passwords get compromised after setting up the wallet. 
legendary
Activity: 3038
Merit: 4418
December 13, 2020, 10:37:42 AM
#1
This is not a topic about how to do 2FA, how it works etc etc. I'm talking about the efficacy of 2FA with TrustedCoin in preventing users' funds from getting compromised by a malicious party.

As a starter, 2FA by TrustedCoin incurs extra fees through both the larger TX size as well as their fees to be charged for the transactions signed by them. The benefits of TrustedCoin, however, aren't exactly clear. On one hand, it would prevent attacks if the attacker is in control of the system for short periods of time and if the attacker doesn't install malware on its computer. If the computer gets compromised by malware, the OTP that could be captured can be used to get TrustedCoin to sign an alternate transaction. It seems feasible in theory but I've yet to see anyone do it.

In addition, if the malware existed since the creation of the wallet, the 2FA would be totally useless. Does the 2FA in Electrum provide a false sense of security to the user or is there an actual use case that would justify the fees that TrustedCoin receives for their service?


Just some thoughts since Electrum's docs specifically mention
Quote
adding another level of security in the event of your computer being compromised
And a lot of newbies have been using 2FA and having quite some trouble with it as well.