Two Factor Authentication

Hello, Waves Community! I’d like to discuss some thoughts on the different ways to implement 2FA (Two Factor Authentication) for the Waves platform. We have lots of ideas about how to develop this feature, and I want to know your opinions about this important step.

Before I give you a few details about each of the different approaches, I want to explain the difference between the login processes in centralized and decentralized applications. If you already know this, skip to the section “2FA with the Waves Mobile App”.

INTRODUCTION

In centralized platforms, an individual gains access to an application by authenticating themselves using their username or email address, with a password.


After logging in, the user has full control and can carry out any transaction.


Decentralized applications do not store any user login data. Anybody can see all the information on the blockchain.


When a user submits a transaction, he signs it with his private key and the blockchain validates it. Everything works through cryptography.


Centralized apps are like a house where the door is locked and when you open the lock, you can take out anything you want. Decentralized apps are like a house where there is no door, but you can take out only your own possessions.

Thus, in applications based on the blockchain, it is possible to protect either the SEED itself (hardware wallets already do this), or the transaction itself, by adding one more condition for its validity. That is, the account is converted into a multi-sig account, which is the essence of 2FA for decentralized applications.

Below I will describe various ways to approach this problem.

2FA WITH THE WAVES MOBILE APP

This method assumes that the account will be converted to a double-signature account. That is, to send a transaction it must be signed with two private keys. Both SEEDs are stored by the user: either one is stored locally on the computer and the second on a mobile phone, or both are stored on the mobile phone (but stored separately, and encrypted with different passwords).

This method can be developed either with the current Waves mobile application or with a new, separate one.

2FA set up


Create transaction

One of the ideas for how the different devices can be connected via the blockchain is the following:

If the user wants to send some tokens from his Desktop or Web Client, he fills in a Send form as usual, but a Data transaction is sent to the blockchain instead of a Transfer transaction. This Data transaction contains all the information from the Send form.


The Waves Mobile app will get this Data transaction from the blockchain and will display a window to confirm the transfer. If the user confirms it, the transfer transaction will be signed twice, with the main and 2FA SEEDs, and will be sent to the blockchain.

Pros and cons

This method is pretty good because it’s decentralized, but users must pay an additional fee per Data transaction, and both SEEDs may end up stored on the same device.

2FA WITH GOOGLE AUTHENTICATOR

The basis of this method is that, in contrast to the previous one, both SEEDs are never stored on the same device. But it requires some degree of centralization.

This method assumes that the account will be converted to a triple-signature account. Two SEEDs are stored by the user: one is stored locally with the second as backup (to be used only in a critical situation to reset 2FA), with the third one created and held on a server, encrypted by a server key and stored in a centralized database. The user never receives this SEED, and it is used only to sign transactions.

The user must download and set up Google Authenticator, using a secret key. The secret key has to be communicated to the server too.

2FA set up


Create transaction

Every time the user wants to send a transaction, he signs it with his main private key and enters a one-time code from Google Authenticator. This code is sent to the server and if it is valid, the server signs the transaction too.
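The server-side step just described (check the one-time code, then add the third signature), as an added Python example that is not part of the original post or of the Waves code base. The TOTP part follows RFC 6238, which is what Google Authenticator generates; CoSigningServer and its HMAC "signature" are made-up stand-ins for the real server and for the Curve25519 signing that a Waves node would verify. It also shows two checks a practitioner would want here: a small clock-drift window and rejection of a reused code.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as generated by Google Authenticator: HOTP over the 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


class CoSigningServer:
    """Hypothetical stand-in for the 2FA server: it holds the shared TOTP secret and the
    third SEED's key, and adds its signature only when a fresh, valid code is presented."""

    def __init__(self, secret_b32: str, server_key: bytes, window: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)  # the secret shown to the user at setup
        self.server_key = server_key    # stands in for the server-held, encrypted third SEED
        self.window = window            # accept +/- this many 30 s steps of clock drift
        self.last_step = -1             # replay protection: each time step is accepted once

    def verify_code(self, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        step = int(now) // 30
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue  # already consumed, or older than a consumed step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False

    def cosign(self, tx_bytes: bytes, code: str, now: float = None):
        """Return the server's signature over the transaction bytes, or None if the code is rejected.
        HMAC-SHA256 is a constructed stand-in for the real Curve25519 signature."""
        if not self.verify_code(code, now):
            return None
        return hmac.new(self.server_key, tx_bytes, hashlib.sha256).digest()
```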

Pros and cons

This method is good because the SEEDs are not stored on one device and Google Authenticator is popular among users. However, it needs a centralized database, and it gives no protection in the case where the transaction data has been replaced with fraudulent content, since the one-time code says nothing about what is being signed.

2FA WITH TELEGRAM

This method is the same as the previous one in its architecture, but in place of Google Authenticator, the user employs his Telegram account.

Pros and cons

2FA with Telegram is better than 2FA with Google Authenticator in cases where transaction data has been replaced with fraudulent content, since a Telegram bot will show the transaction details. However, Telegram does not work stably in some countries.

COMPARISON


CONCLUSION

All methods have their pros and cons. What do you think about each of them? Maybe you have a good idea of your own, in which case feel free to write it in the comments.

What way is most convenient for you?

  • The Current Waves Mobile app
  • A new Waves Mobile app (Waves Authenticator)
  • Google Authenticator
  • Telegram


Just to be clear, I vote for the new app just because the current mobile app is outdated. If you launch a new wallet app for Android, I would be happy to use it as 2FA.

I mean the current mobile app after update


Keep decentralization; using the mobile wallet is the best option.


I voted Google Authenticator,
but I want multiple 2FA options.

Google Authenticator or mobile wallet authentication and more.

Hi all,

I would tend to vote for option 2; it is widely used for other cryptos already, so I would assume that (new) users know how to work with it. Explaining to them why they have to securely keep two seeds now would probably be more difficult.

The first approach does not feel very secure to me. The user has to keep two seeds secure; where is the big difference from keeping one secure? Furthermore, in case I lose one seed, can I restore it? (That would be possible with option 2.)

Cheers
Marc


Go for Google Auth. It’s used a lot, and you can always opt to add several options for 2FA later.


We should consider looking at Hydrogen Platform 2FA over Google Authenticator. They offer a decentralized 2FA that is more secure compared to Google Authenticator. It could also give us more visibility, since it is a blockchain product and their community could, through that, consider checking out Waves and joining us, which is a win-win.

This could be helpful in understanding my stance above.


I wonder what happens in case the smartphone breaks or gets stolen :thinking:

And I don’t know the difference between the current Waves Mobile app and the new Waves Authenticator.

Based on this, I would say Google Authenticator.

The only con of decentralised 2FA I have seen is an 8/5 times higher fee. But for miners it is a pro. Anyway, centralised 2FA is not what I expected, especially Telegram with its collisions with censorship.

In case you lose a phone, nothing happens. You have a backup of both SEEDs. You will set up your mobile app again.

According to that, I would suppose that you never used Google 2FA. You still have both seeds backed up in a safe place.

I was not referring to Google 2FA but to the Waves mobile app, which I don’t use. I prefer the desktop client.

Yep, agree :+1: everybody has heard of it and trusts it, and knows how to use it already.

If you can make it time-based (set up a second key for a month, 3 months, a year, etc.), that would be great imo. After this time period, 2FA should be disabled automatically.


I really like this idea :+1:

Yes, of course. It’s easy

So there is no need to use centralized 2FA applications. One more thing: you can allow people to open the web and desktop wallet directly with a 2FA pass. People who lose their phone should be able to connect to their wallet anywhere. I mean the popup is OK, but there should be one more option to use the 2FA pass in the desktop or web client directly. Additionally, do you have any idea about a 2FA generator with block signatures or something like that? Instead of letting people describe the 2FA pass, you can build a 2FA pass generator.

This, and it is easy to learn for non-tech people. With “Blockchain for the people” in mind, I believe this is the coolest (maybe not the safest) option.

Exactly… 2FA is still not urgently required.