
Topic: Less private but perhaps secure HOT wallet - page 2. (Read 506 times)

staff
Activity: 3248
Merit: 4110
September 22, 2022, 06:22:36 AM
#15
[This is about 2FA in general, not about 2FA as it pertains to wallets]

I've seen a few posts in this thread (and others) pointing out that 2FA can only do 100% of its job if it's implemented correctly (i.e. uncorrelated factors on fully separate devices). That's true, but I think it's worth pointing out that there are still important security benefits, even when it's done "wrong" (i.e. both factors, like your password manager and authenticator app, on a single device).

Like witcher_sense said above, just because you can compromise a device in one way, it doesn't necessarily follow that you can compromise it in other ways. Certain kinds of malware may be able to get to your password (keyloggers, clipboard sniffers, etc.) without ever being able to compromise your second factor, even if it's on the same device.

Also, some attack vectors don't rely on compromising your device at all (like phishing), and in those cases 2FA is a game changer, even in its "bad" form.

Full-strength 2FA is laudable and should be the goal, but even weak 2FA is beneficial and worth having.
Right, but when it comes to wallets, and basically being responsible for your own money, it's only recommendable to do your utmost when it comes to securing your funds, and therefore half-arsing a two-factor authentication (2FA) doesn't really cut it. Every security practice you can put into place has a downside; however, it completely depends on your threat model what you deem acceptable risk and what you don't deem acceptable risk. Personally, a lot of the traditional two-factor authentications are half-arsed, and wouldn't cut it for me.

I'd say that weak 2FA is only acceptable if A) you know the risks and accept them, B) it's a temporary measure until you can implement better security. I'm a firm believer that security shouldn't be compromised on unless the drawbacks are much, much higher than the benefits. For example, security should only be compromised for convenience; however, if you compromise too much, you no longer have security. If you don't have enough convenience it's likely to cause you problems, i.e. having a key file stored 100 miles away from you in a field is probably going to cause more harm than good if you need that to access funds.
hero member
Activity: 510
Merit: 4005
September 21, 2022, 04:16:44 PM
#14
[This is about 2FA in general, not about 2FA as it pertains to wallets]

I've seen a few posts in this thread (and others) pointing out that 2FA can only do 100% of its job if it's implemented correctly (i.e. uncorrelated factors on fully separate devices). That's true, but I think it's worth pointing out that there are still important security benefits, even when it's done "wrong" (i.e. both factors, like your password manager and authenticator app, on a single device).

Like witcher_sense said above, just because you can compromise a device in one way, it doesn't necessarily follow that you can compromise it in other ways. Certain kinds of malware may be able to get to your password (keyloggers, clipboard sniffers, etc.) without ever being able to compromise your second factor, even if it's on the same device.

Also, some attack vectors don't rely on compromising your device at all (like phishing), and in those cases 2FA is a game changer, even in its "bad" form.

Full-strength 2FA is laudable and should be the goal, but even weak 2FA is beneficial and worth having.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
September 20, 2022, 03:21:16 PM
#13
[...]
Correct. Logging into an online service sometimes does require 2FA from the same device, though. For example, logging into Discord from mobile requires me to enter an SMS I'm about to receive. Whoever compromises my phone can access my Discord (assuming they already know my password), so it's 1 factor over all. That's poor security.

2FA should be 2 factors that are not correlated with each other. In my case, it's the SD card (which is used for the SMS) and the password, both of which are known by someone who steals my mobile.




By the same reasoning, multi-sig is also 2FA. In fact, it's n-FA.
legendary
Activity: 2268
Merit: 18509
September 20, 2022, 02:54:58 PM
#12
Two-factor authentication is about different forms of identification, not necessarily about different types of devices: I can use my fingerprint as a first factor and a strong password as a second factor.
I disagree. With this definition, then any mobile wallet is already using 2FA, since you must first unlock the phone with one PIN/password, and then unlock the wallet app with a second PIN/password. I would not call this two factors, just as I don't call my encrypted wallet files stored on a hard disk which is also encrypted two factors, despite needing two different decryption keys to access the wallets.

2FA isn't just two different passwords. In its most basic form, it should be something you know (a password or login) and something you have (ideally a hardware key, but more usually a software key in the form of a TOTP from another electronic device, usually a phone). These must be separate or they aren't two factors; they are just a more complex single factor. Of course more passwords and more layers will add security, but it will never be two factors as long as all those layers are on the same device.

If an attacker can both physically access your phone and has been able to hack/crack/steal/observe or otherwise gain knowledge of one password, then it is highly likely your second password is also at high risk of compromise, hence the reason the two factors must be separate or they aren't two factors at all.
legendary
Activity: 2296
Merit: 1047
September 20, 2022, 12:18:53 PM
#11
Reminds me of the bank model of a couple hundred years back where the bank would pay to get you robbed so you use their bank; feels similar enough, but with privacy at stake.
I think tiny spendable wallets are the way to go; satori chips were inspiring back in the day when they launched. Relying on the internet is becoming disgusting.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
September 20, 2022, 08:58:25 AM
#10
I think we need to draw a line between security that comes with responsibility, and security that comes with irresponsibility.

If you don't want to be responsible for your funds' custody, then you can only achieve very questionable security. For example, shared custody with a third party involves both yours and their risk, but shared. If you don't feel confident with this either, you can hand over your custody to that one third party. That's your best course if you consider yourself very clumsy and uncertain. Perhaps do some searching for someone who's reputable enough to handle your funds; don't just pick randomly. You should also make sure both you and the third party acknowledge that it's likely for your device(s) to be compromised, and introduce more reputable third parties (such as email, SMS etc.) each time you make a transaction.

On the other hand, if you feel you can handle this yourself, and believe you're more capable of managing that money than anyone, then you need to behave securely in another manner. Namely, to take care of your system, verify what's about to be installed, use reputable open-source software, and the like.

Starting with: A wallet on your phone or PC is not secure, we all accept that.
Depends. I consider both my computer and my mobile phone secure enough to handle a few satoshis. I consider both of these options much better than a sense of questionable security a third party can provide me.
staff
Activity: 3248
Merit: 4110
September 20, 2022, 08:56:51 AM
#9
I mean, we're getting into semantics now; sure, there may be cases where someone steals your phone with the wallet software on it and has a copy of your fingerprint, but no idea about the password.
But there are also scenarios where compromising the device means compromising both factors, e.g. if the password is stored in your password manager, which is unlockable with your fingerprint.
I personally like to take physical security as seriously as I would encryption or digital security. So, if my device was compromised physically, I'd automatically assume that everything on it is compromised, even though in the majority of cases this wouldn't be the case. However, I like to have contingency plans so if this ever did happen, I'd be able to either wipe it from a distance, change the credentials or move the funds if it's Bitcoin.

Physical security in my opinion is one of the easiest options anyhow. Fingerprints absolutely aren't secure; there are just too many ways of obtaining fingerprints which you might not be aware of at the time. Even with a password plus a fingerprint, I feel like the additional fingerprint step is just trivial rather than adding any meaningful protection. Obviously, it would protect you from distance attacks, but for physical attacks or by someone who's in close proximity to you, it's rather trivial.
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
September 20, 2022, 08:38:15 AM
#8
Compromising one factor doesn't necessarily lead to compromising the other factor, even if both factors rely on a single device.
[...]
Two-factor authentication is about different forms of identification, not necessarily about different types of devices: I can use my fingerprint as a first factor and a strong password as a second factor.
At that point, the fingerprint and password scan could just be implemented in the same app, though. I believe some banking apps already offer to use biometrics + password.
That's still not 2 factors, though.

I mean, we're getting into semantics now; sure, there may be cases where someone steals your phone with the wallet software on it and has a copy of your fingerprint, but no idea about the password.
But there are also scenarios where compromising the device means compromising both factors, e.g. if the password is stored in your password manager, which is unlockable with your fingerprint.

I wouldn't bet on users correctly using 2 factors on the same device and instead just enforce the 2FA application to be on a different device than the wallet software.
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
September 20, 2022, 08:11:46 AM
#7
Yes, definitely beneficial in that case, or any case in which the wallet and the 2FA app are on separate devices. As I've said many times before in various threads, the whole point of a 2FA set up is that it is a second factor that is required to authenticate you, your transaction, your account, whatever. If both wallet and 2FA can be compromised by compromising a single device, then it isn't a second factor at all - it is the same factor.
Compromising one factor doesn't necessarily lead to compromising the other factor, even if both factors rely on a single device. For example, you can duplicate fingerprints and access someone's mobile phone with installed bitcoin wallets, but that doesn't automatically mean that you can guess a password to an authentication application or that you can break the system and extract all sensitive information. Even if you succeeded in extracting this data, it still remains encrypted with the algorithm that will take years to break. Two-factor authentication is about different forms of identification, not necessarily about different types of devices: I can use my fingerprint as a first factor and a strong password as a second factor. Both these factors will be used to create a separate layer of security (specifically, encryption), which means both layers need to be broken for data compromise. Whether these layers are on a single device or on multiple devices doesn't really matter, because it always will depend on who you are trying to protect yourself from. Skilled hackers or intelligence agencies will find a way to hack all your devices, but not all people are being chased by those.
legendary
Activity: 2268
Merit: 18509
September 20, 2022, 03:03:16 AM
#6
I guess it could still be useful when the hot wallet is installed on a laptop and the phone is used for 2FA. It's unlikely to lose both devices at the same time, right.
Yes, definitely beneficial in that case, or any case in which the wallet and the 2FA app are on separate devices. As I've said many times before in various threads, the whole point of a 2FA set up is that it is a second factor that is required to authenticate you, your transaction, your account, whatever. If both wallet and 2FA can be compromised by compromising a single device, then it isn't a second factor at all - it is the same factor.

A similar case is when people receive a confirmation email or an email with a code in it to the same email address they have used to register the account in question in the first place. That is not 2FA at all, as if an attacker compromises the email address - a single factor - then they can reset the password and receive any 2FA code.

Then again, you could also just do regular 2-of-2 multisig.
I think this is far preferable to paying excess fees and sacrificing privacy to use TrustedCoin. Marginally more complicated to set up and use, but worth it for the benefits.
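The "regular 2-of-2 multisig" suggested above is worth seeing at the script level, because that is where the second device actually becomes a second factor: the coins are locked to a script that needs two signatures, so a compromised laptop alone cannot spend. The following is an added example written for this thread, not code from Electrum, TrustedCoin or any poster. It builds the witness script, derives the P2WSH (bech32) address with a self-contained BIP173 encoder, and parses a script back so that each cosigner can confirm it really is 2-of-2 of the expected keys before funding it. The two public keys are placeholders (the well-known secp256k1 generator point and its double) chosen only so the example runs offline; the test vector for the address encoder is the BIP173 P2WPKH example. Everything else is plain Python standard library.

```python
"""2-of-2 multisig at the script level: build the witness script, derive its P2WSH
address, and verify a script you were handed before funding it.
Added example for the thread above; not code from any poster or wallet project."""
import hashlib

OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (BIP173)

# Placeholder compressed public keys: the secp256k1 generator G and 2G. These are
# well-known points used only so the example runs offline; never fund keys you did
# not generate yourself on the device that is supposed to hold them.
PK_LAPTOP = bytes.fromhex("0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798")
PK_PHONE = bytes.fromhex("02C6047F9441ED7D6D3045406E95C07CD85C778E4B8CEF3CA7ABAC09B95C709EE5")


def op_n(n: int) -> bytes:
    assert 1 <= n <= 16
    return bytes([OP_1 + n - 1])


def multisig_script(m: int, pubkeys: list) -> bytes:
    """OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG. Keys are sorted (BIP67) so every
    cosigner derives the same script, and therefore the same address, independently."""
    n = len(pubkeys)
    assert 1 <= m <= n <= 16
    for pk in pubkeys:
        assert len(pk) == 33 and pk[0] in (2, 3), "compressed pubkey expected"
    pushes = b"".join(bytes([len(pk)]) + pk for pk in sorted(pubkeys))
    return op_n(m) + pushes + op_n(n) + bytes([OP_CHECKMULTISIG])


def parse_multisig(script: bytes):
    """Return (m, pubkeys, n) for a plain m-of-n multisig of compressed keys, or raise.
    Run this on any script another party gives you: a 1-of-2 looks almost identical."""
    if len(script) < 4 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    if not (OP_1 <= script[0] <= OP_16 and OP_1 <= script[-2] <= OP_16):
        raise ValueError("m/n are not OP_1..OP_16")
    m, n = script[0] - OP_1 + 1, script[-2] - OP_1 + 1
    pos, keys = 1, []
    while pos < len(script) - 2:
        ln = script[pos]
        if ln != 33 or pos + 1 + ln > len(script) - 2:
            raise ValueError("unexpected push in key list")
        keys.append(script[pos + 1:pos + 1 + ln])
        pos += 1 + ln
    if pos != len(script) - 2 or len(keys) != n or m > n:
        raise ValueError("m/n do not match the key list")
    return m, keys, n


def _polymod(values) -> int:
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _to_5bit_groups(data: bytes) -> list:
    """Regroup 8-bit bytes into 5-bit groups, zero-padding the last group."""
    acc = bits = 0
    out = []
    for b in data:
        acc = (acc << 8) | b
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out


def segwit_address(hrp: str, witver: int, program: bytes) -> str:
    """BIP173 encoding for witness v0 only (bech32 constant 1; v1+ needs bech32m)."""
    assert witver == 0 and len(program) in (20, 32)
    data = [witver] + _to_5bit_groups(program)
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = _polymod(hrp_exp + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def p2wsh_address(witness_script: bytes, hrp: str = "bc") -> str:
    """P2WSH: the output commits to SHA256(witness script)."""
    return segwit_address(hrp, 0, hashlib.sha256(witness_script).digest())


if __name__ == "__main__":
    script = multisig_script(2, [PK_LAPTOP, PK_PHONE])
    m, keys, n = parse_multisig(script)
    print(f"{m}-of-{n} witness script: {script.hex()}")
    print("fund only once both devices display this address:", p2wsh_address(script))
```

The practical check is the last line of the demo: derive the address independently on both devices from the two public keys and compare. If one device shows a different address, it was given a different script (different keys, or a 1-of-2 instead of a 2-of-2), and funding it would hand control to whichever device produced the script.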
hero member
Activity: 882
Merit: 5818
not your keys, not your coins!
September 19, 2022, 07:01:12 PM
#5
Would people want one that has some 2nd form of authentication that could probably be used to identify you, but in the event that the device was compromised not allow funds to be sent.
This already exists by using Electrum's 2FA via TrustedCoin. However, having both the wallet and the 2FA app on the same device is meaningless, as explained below.
I guess it could still be useful when the hot wallet is installed on a laptop and the phone is used for 2FA. It's unlikely to lose both devices at the same time, right.
Then again, you could also just do regular 2-of-2 multisig.
legendary
Activity: 2268
Merit: 18509
September 19, 2022, 02:42:52 PM
#4
We were discussing the possibility of a wallet app that would not let you save the login / password.
Do most mobile wallet apps not already do this and require unlocking via a password or PIN (or biometric, but those are notoriously insecure and shouldn't be used)? And most people have some sort of locking mechanism on their phone. So for someone to access your wallet they must first bypass/crack/know your master phone security lock and then bypass/crack/know your wallet security lock as well. Which is why I made my point above - if someone can already do this to access the wallet app, then presumably they can also do it for any 2FA setup using the same device.

Personally, I treat my hot wallet like cash. It's risky to carry a lot around, but still nice to have it with you if you need it.
This is the right answer. If you would carry x amount of bitcoin in cash in your pocket, then store that in a hot wallet. If you wouldn't, then store it somewhere safer.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
September 19, 2022, 11:59:44 AM
#3
Would people want one that has some 2nd form of authentication that could probably be used to identify you, but in the event that the device was compromised not allow funds to be sent.
This already exists by using Electrum's 2FA via TrustedCoin. However, having both the wallet and the 2FA app on the same device is meaningless, as explained below.

Kind of like it only sends its transactions through a certain set of servers, and after you create and transmit the transaction you have to then do a quick login and approve.
If someone can compromise the wallet on your phone, then they will almost certainly also be able to compromise your login details for a website you access via your phone (which, to be honest, 99% of users would simply save in their browser's built in password manager anyway), or your 2FA app.

I don't see how you can make a hot wallet on a phone any more secure without requiring a second physical device, be that another phone for multi-sig, a hardware wallet, or even a hardware YubiKey or similar for 2FA. Any 2FA using the same phone as the wallet itself, be that a code, a login, a second wallet, receive an email, etc., adds almost zero additional security.


We were discussing the possibility of a wallet app that would not let you save the login / password. So every time you wanted to send you would have to enter it. There are a lot of security apps out there that generate an onscreen keyboard that you have to use to enter the information so keyloggers would be pointless.

I don't know if there is a way to do it really securely, but was wondering what everyone else thought.

Personally, I treat my hot wallet like cash. It's risky to carry a lot around, but still nice to have it with you if you need it.

-Dave
legendary
Activity: 2268
Merit: 18509
September 19, 2022, 11:51:24 AM
#2
Would people want one that has some 2nd form of authentication that could probably be used to identify you, but in the event that the device was compromised not allow funds to be sent.
This already exists by using Electrum's 2FA via TrustedCoin. However, having both the wallet and the 2FA app on the same device is meaningless, as explained below.

Kind of like it only sends its transactions through a certain set of servers, and after you create and transmit the transaction you have to then do a quick login and approve.
If someone can compromise the wallet on your phone, then they will almost certainly also be able to compromise your login details for a website you access via your phone (which, to be honest, 99% of users would simply save in their browser's built in password manager anyway), or your 2FA app.

I don't see how you can make a hot wallet on a phone any more secure without requiring a second physical device, be that another phone for multi-sig, a hardware wallet, or even a hardware YubiKey or similar for 2FA. Any 2FA using the same phone as the wallet itself, be that a code, a login, a second wallet, receive an email, etc., adds almost zero additional security.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
September 19, 2022, 11:10:02 AM
#1
Just more of a thought experiment. Would people be willing to have a nominally more secure hot wallet that is less private?
Starting with: A wallet on your phone or PC is not secure, we all accept that.
Would people want one that has some 2nd form of authentication that could probably be used to identify you, but in the event that the device was compromised not allow funds to be sent.

Kind of like it only sends its transactions through a certain set of servers, and after you create and transmit the transaction you have to then do a quick login and approve.

Just talking about some things with some people the other day and the subject came up of more secure than hot, but don't want to deal with a hardware wallet / multisig / anything like that.

-Dave