In regards to phishing it could help simply because you would need 2 instances of the wallet on 2 devices to be in sync with each other - even if the user is phished on one (let’s say he/she installed a fake app), he/she would need an authentication code from another. That should mitigate the “scammability”.
There has been reports from people that they have lost ADA even though they didn’t use a fake app nor they gave any sensitive data to others which could suggest malware stealing data.
Anyway even if such solution doesn’t help much I see no harm in implementing it. At least some people would feel safer even if it’s partially due to placebo effect. I know I would
Umm nope (technically that makes no sense, sorry) , but thats were the misunderstanding is. If the user is made to believe that he is to make an outgoing transaction intentionally, he would use all means necessary to verify the transaction. This does not mitigate in any way.
About fake app, they literally entered the seed,which is a confidential data (they would have entered verification code from second device too, since the app seemed genuine to them).
Anyways, will end my part here, as I understand you strongly feel there is a need of some centralised device for verification, agreed to disagree
Anyways, will end my part here, as I understand you strongle feel there is a need of some centralised device, agreed to disagree
Sure
I don’t know why it doesn’t make sense to you. The concept is pretty simple. Installing a fake app won’t work because it would need an authentication from the real one - which it will not receive since it’s not a part of the same network.
Sorry, but @rdlrt is right here, this is technically impossible in a decentralised blockchain system. Any 2FA is only possible to implement on the wallet level, not in the blockchain itself, so 2FA for a wallet only works in this particular wallet and only because its developers are specifically created the code that prohibits you from sending anything until it is confirmed by second verification. It will NOT work with a fake wallet, because the developers of this fake wallet do not put this special code in, and all they really need to do is to get your secret words. ANYONE with your secret words has full access to your wallet and all funds, no 2FA can stop this. 2FA only valuable when you have right wallet and you can be secure from someone getting access to it and also stealing your password.
To solve this in the way you are describing we need multisig, not 2FA. This is the mechanism that will require multiple wallets to sign the same transaction to move any funds. Then it might really prohibit fake wallets to withdraw any funds, BUT it will also not work if people are not careful enough and they can go to their second wallet and confirm the fake transaction created by fake wallet. The only real solution for this problem is to teach people to be EXTRA careful with their own money, and always try and maximally verify any information and any programs.
Anyways, the multisig is actually in plans and IS getting developed for Cardano, so some day it will work exactly as you describe it, it’s just not that easy as it might sound from outside. And it has nothing to do with 2FA, which only would work if Cardano were a single-server closed system, like an internet-bank. But it isn’t. Hope it helps )
To solve this in the way you are describing we need multisig , not 2FA. This is the mechanism that will require multiple wallets to sign the same transaction to move any funds.
@vantuz-subhuman Actually this is what I was talking about. I wasn’t referring to the blockchain solution, just the wallet one. I’m also open to centralized solutions if anyone opts for such. There should be an option. I’m certain many people would be willing to sacrifice a bit of decentralization in order to feel more secure. I’m aware decentralization is the biggest upside of cryptocurrency for many, but I don’t think most regular folks care about that.
Anyways, the multisig is actually in plans and IS getting developed for Cardano, so some day it will work exactly as you describe it, it’s just not that easy as it might sound from outside.
This is why @rdlrt is right…When you install a fake app you don’t know it is fake! So you are keen to trust the app as real, hence you provide all confidential information requested by the fake app.
Adding a second level of security does not bring anything more than providing an extra pin code to the fake app.
@alefrenz I don’t think you understand. You’ll be able to instantly verify if it’s fake upon installation. Both wallets - PC and mobile would need to be part of the same network. If one is fake, you won’t be able to sync them.
As vantuz-subhuman pointed out, they are already working on such solution, so it does work and will bring extra level of security:
I think you don’t understand the multi signature concept!
It won’t prevent you to trust the wrong vendor, fake app or whatever you want to call it! In that case you will get ripped off even after several confirmations on the same network.
Having said that I don’t fear for my funds since I’m keeping them very secured.
No. You’re repeating the same argument again and I’ve explained how the risk can be mitigated. For instance if my solution is implemented then if you download a PC version of a Daedalus wallet from the daedaluswallet.io you’ll need a corresponding app for your phone from the same provider otherwise the wallets won’t communicate. We have a similar example in banking system - when you make a transaction via internet, bank sends you an sms with transaction details and the code you need to input to verify the transaction. This means for a scam to be successful user would have to download a fake wallet from the same scammer on both devices. Most cases of scams are when a user downloaded a fake app for the mobile while he/she had a proper wallet from Daedalus website on the PC. My solution would prevent such occurrences.
Besides my argument was not referring to such scams rather than to the issue of securing people from hacks or exposing some of their sensitive data. Such solution would prevent that as the hacker would have to gain access to both PC and mobile to perform any transactions which is substantially harder than gaining access to just one.
You can’t have something like that in a decentralized network. There is no party that would send you such verification SMS or other means of second factor authentication without having a central database.
What you can have, as described above, is multi-sig. Other option is hardware wallet where your private keys are stored elsewhere and you confirm the transaction on the device which hosts your private key.
But with recovery phase, it is different. Once you lose the recovery phrase or it gets stolen - you are screwed and there is nothing to be done about that. Because the recovery phrase represents your FULL private key.
Perhaps, you can store half of the key on one device and the second half elsewhere and somehow combine these two devices? Not sure how that would work but it would still require the user not to give away the full recovery phrase to some phishing app…
As I’ve previously stated, centralized solutions should also be an option for people who value security over decentralization. SMS verification was just an example to illustrate the concept. You can have a decentralized solution through wallet entanglement. Two instances of the wallet verify each others genuineness then synchronize with each other and upon performing a transaction exchange randomly generated verification codes.
I don’t think thats technically doable. If you want a centralized solution, you can store your passphrase or private key with some central entity (bank?) and somehow persuade wallet developers to integrate with this central entity - which goes against everything Cardano is supposed to do.
Synchronizing two wallets, the way you describe it, in decentralized network is impossible by definition.
Possible solution that would probably meet your requirements is host you wallet online with some 3rd party which would provide centralized access to it with features like 2FA. On the other hand, why would someone want that? Not your private keys = not your money (the 3rd party central entity would hold your keys and you would have to rely on them same way as if you stored your funds on an exchange… and we all know what sorts of trouble can this get you into).
Whenever I hear something is not doable or impossible it makes me cringe a bit. I’m by no means an expert in blockchain and cryptocurrency but as the history shows every technical problem can be solved. Double spending was also an issue until Bitcoin appeared.
There are multiple ways to solve security problems, some require more centralized solutions, some don’t. The fact is if Cardano is to be widely adopted it will need another layer of semi-centralization in some areas. You don’t need to reveal your private keys to 3rd party. In this case all you’d need would be a 3rd party to verify with you if the transaction is valid (performed by you, not a thief).
As I’ve said, there are multiple different solutions for security issues. Time will tell which of them pass the test. However I can tell you that if we are left with status quo, Cardano has a very slim chance of success.
Well, not sure if you understand how Cardano works. But as I pointed out, such solution can be done by hosting wallet with some 3rd party. You can have a bank hosting your private key and doing all the security for you. In that case, its pretty much the same solution as the current banking system = you don’t need crypto for that.
I think you don’t understand my points at all. You don’t need 3rd party to host your wallet. As for current banking system - there are some advantages to crypto that fiat is devoid of.
Nevermind that. You’ll see in the future institutions or cryptocurrencies successfully implement solutions I was talking about. Market and customers will determine winners.
Andreas Antonopoulos once showed that you should NOT split up your recovery phrase because it makes everything much much much more insecure. I’m not sure but maybe it was here.
Just today I received a message that the Bison App of Börse Stuttgart is out now which does exactly that (here in German). That may be a very good entry for new and unexperienced people to cross the line to crypto. But in the end I agree with “Your keys, your money. Not your keys, not your money”.
Thanks for the info. Unfortunately my knowledge of German is too limited. I believe you’re right and it might be easier for regular people to start their crypto experience and ultimately grow to become something bigger. I think the biggest issue is that there are no institutions with established trust. Basically everything can be a scam at this point. Hopefully we will see some positive development soon.
Well, Börse Stuttgart IS an institution. It’s there since 1861!!! They are much smaller than the main German stock exchange in Frankfurt but quite open to new possibilities to earn money, like derivatives. And they were working for quite a long time at the Bison App. I think it should be fine.
I will not use it because I’m a PoW-Minimalist and right now they start with only four PoW coins. I’m not sure how much spread there is and I don’t need someone else to store my coins for me. But nevertheless I think that this is a great thing for mass adoption.
