Feature - 2 Factor Authentication

Discussion in 'Official Announcements' started by eduffield, Dec 8, 2014.

  1. jpr

    jpr Active Member

    Joined:
    May 11, 2014
    Messages:
    493
    Likes Received:
    393
    Trophy Points:
    133
    We should be able to make a copy/screenshot of our 2fa key and keep it safe. If you lose your phone you can just import it to a new phone. That is what I always do with my 2fa keys.
     
    • Like Like x 1
  2. teamer

    teamer Active Member

    Joined:
    Jul 22, 2014
    Messages:
    173
    Likes Received:
    136
    Trophy Points:
    103
    what if you lost access to your 2fa? stolen mobile phone?
    still haven't got the idea on how this is gonna be implemented, but those were my first 2 thoughts
     
  3. teamer

    teamer Active Member

    Joined:
    Jul 22, 2014
    Messages:
    173
    Likes Received:
    136
    Trophy Points:
    103
    Uh so basically, same as storing a private key for a wallet somewhere safe?
     
  4. Dr.Crypto

    Dr.Crypto Member

    Joined:
    Jul 9, 2014
    Messages:
    46
    Likes Received:
    32
    Trophy Points:
    58
    Except you'll most likely not have to use it more than once a year, depending on the frequency with which you change or lose your mobile devices... still more convenient than paper wallets by an order of magnitude.
     
    • Like Like x 1
  5. jpr

    jpr Active Member

    Joined:
    May 11, 2014
    Messages:
    493
    Likes Received:
    393
    Trophy Points:
    133
    If someone steals your 2fa key he cannot do much with it. Unless he steals both, private key and 2fa :) you just double your safety with it.
     
    • Like Like x 1
  6. dazman

    dazman Active Member

    Joined:
    May 14, 2014
    Messages:
    118
    Likes Received:
    139
    Trophy Points:
    93
    That's interesting but I was thinking more along the lines of somebody creating a Trezor like device specifically for Darkcoin, which also includes the other features such as Darksend and iX...

    I'm sure this would be pretty challenging but Darkcoin would certainly be holding all the cards if it became a reality :)
     
  7. fernando

    fernando Powered by Dash
    Dash Core Team Foundation Member Moderator

    Joined:
    May 9, 2014
    Messages:
    1,528
    Likes Received:
    2,056
    Trophy Points:
    283
    Great minds think alike ;)

    In fact, it may not even be so advanced. Armory already has implemented multisigs in the GUI and the involved wallets don't see most of what is happening beneath. Instead of a button with a cryptic 'create multisig' it would be a button with a much friendlier 'link with phone wallet', but the protocol would be the same.
     
  8. darkchild

    darkchild Member

    Joined:
    Sep 20, 2014
    Messages:
    76
    Likes Received:
    193
    Trophy Points:
    73
    Google-backed password-killer crosses major milestone

    Today, the infrastructure behind that gadget is taking a big step forward. It's called FIDO (short for Fast Identification Online), and today the group is releasing the 1.0 version of its open standard. There had been earlier versions, like the one Google's USB key is based on, but this one is more efficient and more stable, providing a cryptographic backing for any service or authenticator device you want to plug in. As a result, life just got a lot easier for anyone who wants to make a phone with a fingerprint reader or an app that requires a fingerprint before it opens up.

    So far there are just a handful of products built on FIDO — but with the new spec, that's about to change. Google's security key was one example, and another was Samsung's fingerprint reader, which could log you directly into the native PayPal app. (Samsung and PayPal were both early FIDO members.) But the company anticipates a flood of new phones and authenticator widgets now that the spec is complete. The iPhone's TouchID sensor will also work with the new spec, thanks to some clever coding by a software company called Nok Nok, which has built a program adapting Apple's now-open API to the FIDO protocols.

    http://www.theverge.com/2014/12/9/7359535/google-backed-password-killer-crosses-major-milestone
     
    • Like Like x 1
  9. dutchn0mad

    dutchn0mad Active Member
    Foundation Member

    Joined:
    Dec 9, 2014
    Messages:
    20
    Likes Received:
    22
    Trophy Points:
    103
    Am trying to understand the proposal: We have Darkcoin, a decentralized currency, and proposal is to hook this up to a certain kind of centralized 2FA solution? Or is the proposal to build this feature into Darkcoin itself? If hooking up to a centralized 2FA solution, what does this do with anonymity? What if some party shuts down the centralized 2FA solution, we cannot transact using DRK anymore?
     
    • Like Like x 1
  10. jpr

    jpr Active Member

    Joined:
    May 11, 2014
    Messages:
    493
    Likes Received:
    393
    Trophy Points:
    133
    I think this is going to be built into darkcoin protocol. No centralization here :)
     
    • Like Like x 1
  11. dutchn0mad

    dutchn0mad Active Member
    Foundation Member

    Joined:
    Dec 9, 2014
    Messages:
    20
    Likes Received:
    22
    Trophy Points:
    103
    I got triggered by the last line of Evan's proposal, it read to me like some external service will be used:

    More research must be done to find a compatible 2FA API. There are many services to choose from and we'll evaluate each to find the best match.

    What is meant here? Fork an existing solution into Darkcoin?
     
  12. strix

    strix Well-known Member
    Foundation Member

    Joined:
    Sep 14, 2014
    Messages:
    140
    Likes Received:
    121
    Trophy Points:
    193
    As Darkchild mentioned a bit ago, FIDO seems to hold promise. I have really appreciated my Yubikey, and the freedom it gives me to walk into an Internet cafe and not have to worry about my passwords being sniffed. On the other hand, it is something of a concern that their servers must be operational to authenticate my device, even though they cannot see my interactions. It looks like FIDO avoids that problem, though I will need to understand it better to be convinced.
    I suspect that the master node network would be capable of serving the same service using FIDO and this device: https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/

    As FIDO is an open standard, I suspect its implementation would be almost trivial for someone who knew what they were doing, and that any number of similar devices will be available.
     
    • Like Like x 1
  13. strix

    strix Well-known Member
    Foundation Member

    Joined:
    Sep 14, 2014
    Messages:
    140
    Likes Received:
    121
    Trophy Points:
    193
    After watching this video it seems quite feasible (in an abstract, not knowing what I am talking about way) that the "browser" could be replaced by a wallet, and the "website" with a masternode. What do you all think?

    https://www.duosecurity.com/u2f

    Edit: This site answers my questions to my satisfaction. Looks very promising.
    https://fidoalliance.org/specifications
     
    #43 strix, Dec 9, 2014
    Last edited by a moderator: Dec 9, 2014
    • Like Like x 1
  14. MaxFangX

    MaxFangX Active Member
    Foundation Member

    Joined:
    Jun 30, 2014
    Messages:
    26
    Likes Received:
    10
    Trophy Points:
    103
    Just saw this. I'm a little amused that this was posted 3 days after I lost everything in my own Darkcoin wallet - I wonder if I was any part of that xD

    Fantastic work Evan. If you pull this off... I can't imagine how game-changing that would be.
     
  15. r-ando

    r-ando Well-known Member
    Foundation Member

    Joined:
    Jun 22, 2014
    Messages:
    413
    Likes Received:
    250
    Trophy Points:
    233
    ''would''…. When… :)

    Sorry to hear about your DRK, if you don't mind the question did your password get compromised or did you not have backups and your computer data got corrupted? I hope you managed to recuperate your coin.
     
  16. B-AZ

    B-AZ New Member

    Joined:
    Dec 2, 2014
    Messages:
    9
    Likes Received:
    8
    Trophy Points:
    3
    It's the most simple and obvious ideas that always seem the smartest. You'd think that would make it easy to come up with them!
    If I understand it right, this would/could act as a sort of Darkcoin savings account, or maybe more of a vault (Dark Vault? Sounds like a SyFy Original), and I'm really all for that idea, even if the idea is only in my head due to a misconception.
     
  17. maky

    maky Member

    Joined:
    Nov 14, 2014
    Messages:
    69
    Likes Received:
    30
    Trophy Points:
    58
    I do not think that this method (fido) is good. We need something like a second key with which we sign transactions.
    Let me explain how it should look (IMHO):
    - in wallet I make a transaction
    - on the screen I can see a 2D code for this transaction
    - I scan this with my phone camera with a special app
    - the app signs the transaction with the second private key
    - on the phone screen I can see a 2D code
    - with my notebook camera and wallet app I scan this
    - all is propagated to the DRK network
    No central servers or other stuff.
     
    • Like Like x 2
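The two-device flow maky lays out above (and the "link with phone wallet" multisig idea fernando raised earlier) as an added example, not code from the original posts or from Darkcoin itself: a 2-of-2 co-signing round trip in Go, with the 2D codes modelled as base64 text and Ed25519 standing in for the wallet's real signature scheme; `Tx`, `phoneSign`, `desktopAssemble` and `verify2of2` are assumed names, and the transaction format is constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
)

// Tx is a constructed, simplified transaction body, not Darkcoin's real wire format.
type Tx struct {
	To     string `json:"to"`
	Amount uint64 `json:"amount"`
}

// Bytes is the exact message both devices sign: canonical JSON of the body.
func (t Tx) Bytes() []byte { b, _ := json.Marshal(t); return b }

// The "2D code" is modelled as base64 text; a QR library would render these bytes.
func qrEncode(b []byte) string          { return base64.StdEncoding.EncodeToString(b) }
func qrDecode(s string) ([]byte, error) { return base64.StdEncoding.DecodeString(s) }

// phoneSign runs in the phone app: decode the scanned code, return the body so the user
// can confirm payee and amount on the phone's screen, and sign with the second key.
func phoneSign(qr string, phoneKey ed25519.PrivateKey) (string, Tx, error) {
	var tx Tx
	body, err := qrDecode(qr)
	if err == nil {
		err = json.Unmarshal(body, &tx)
	}
	if err != nil {
		return "", Tx{}, err
	}
	return qrEncode(ed25519.Sign(phoneKey, tx.Bytes())), tx, nil
}

// desktopAssemble runs in the notebook wallet: scan the phone's reply code, then
// pair its signature with the desktop's own before broadcasting to the network.
func desktopAssemble(tx Tx, phoneQR string, deskKey ed25519.PrivateKey) (deskSig, phoneSig []byte, err error) {
	if phoneSig, err = qrDecode(phoneQR); err != nil {
		return nil, nil, err
	}
	return ed25519.Sign(deskKey, tx.Bytes()), phoneSig, nil
}

// verify2of2 is the network-side rule: both registered keys must have signed the
// same body, so a compromised desktop alone can neither spend nor swap the payee.
func verify2of2(tx Tx, deskSig, phoneSig []byte, deskPub, phonePub ed25519.PublicKey) bool {
	return ed25519.Verify(deskPub, tx.Bytes(), deskSig) &&
		ed25519.Verify(phonePub, tx.Bytes(), phoneSig)
}
```

The phone signs exactly the bytes it displayed, so if malware on the notebook changes the payee after the scan, the phone's signature no longer matches and the network rejects the transaction.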
  18. MaxFangX

    MaxFangX Active Member
    Foundation Member

    Joined:
    Jun 30, 2014
    Messages:
    26
    Likes Received:
    10
    Trophy Points:
    103
    I was stupid and didn't set a password. I now know for sure that I was hit by some software threat because my lost coins recently moved. I talked about it in this thread.
     
  19. r-ando

    r-ando Well-known Member
    Foundation Member

    Joined:
    Jun 22, 2014
    Messages:
    413
    Likes Received:
    250
    Trophy Points:
    233
    Thanks for explaining and sorry to hear that! You definitely need a password and then you have to watch out for software that copies your password so you should maintain a good security level overall… I also had a hack attempt many months back.. I hope you got yourself some nice new fresh DRK and that you are ready to make your money back many times fold :)
     
    • Like Like x 2
  20. Dr.Crypto

    Dr.Crypto Member

    Joined:
    Jul 9, 2014
    Messages:
    46
    Likes Received:
    32
    Trophy Points:
    58
    • Like Like x 3
  21. HammerHedd

    HammerHedd Member

    Joined:
    Mar 10, 2014
    Messages:
    182
    Likes Received:
    34
    Trophy Points:
    88
    Actually, you can configure a yubikey to generate a one time password (OTP) in a similar process to google authenticator. I'm currently playing with the yubikey, and while I won't say it is the perfect solution, I think the idea of having the option of adding 2FA should be based on something like the yubikey or Authenticator.

    Simply logging in to your wallet and having that login be verified by a third party server creates a time signature that could then be matched to any transactions you make. Although Darksend mitigates this to an extent, if I know you logged on to your wallet at 0711 UTC and then I see a bunch of darksend transactions for the next 4 minutes, I can make an assumption that one of those is yours. Instead of trying to sort out darksend transactions, I can then look at transactions to known entities, like exchanges, and see if any of those match.
    This is all highly theoretical, but why create a potential vulnerability?

    IMHO the 2FA should be something you ACTUALLY have, not something a third party has. And as always, I'm a huge advocate of flexibility in enabling users to manage their own anonymity as much as possible.
     
    • Like Like x 1
  22. strix

    strix Well-known Member
    Foundation Member

    Joined:
    Sep 14, 2014
    Messages:
    140
    Likes Received:
    121
    Trophy Points:
    193
    I whole-heartedly agree, HammerHedd! The "something you know-something you have" model of security is the way to go (IMHO).

    I too appreciate the OTP approach that yubikey has implemented, and like you, have some doubts about its direct implementation into DRK. In addition to the potential of timing as an attack vector, I am also concerned that Yubico's OTP implementation seems to require the registration of a particular device in generating the OTP. While I don't understand it fully, I suspect that this would allow the linking of a user's accounts, even though third party access to those accounts would be impossible. In other words, if I use my yubikey to access my Gmail acct, and the same device with another key for DRK, the two accts could be identified as having the same owner, even though the transactions themselves would remain secure.

    My reading of the FIDO standard makes me think this would NOT be the case with it, but I would want that confirmed by others more knowledgeable than I. I would like to think that an implementation of FIDO in which the wallet requires the password to be opened, followed by entry of an OTP confirmed by the MasterNode network prior to broadcasting a transaction, would be both secure and feasible. I would also hope that the FIDO standard would allow the printing of OTPs for emergency backup (as implemented in the yubikey).

    While droning on I would also add that I can envision a system in which miners must register with the MasterNode network in a similar manner prior to block acceptance, and that this mechanism could be leveraged to provide protection from the 51% pool dominance that so many of us are concerned about.
     
    • Like Like x 2
  23. freynder

    freynder New Member

    Joined:
    Dec 5, 2014
    Messages:
    30
    Likes Received:
    63
    Trophy Points:
    18
    • Like Like x 3
  24. fernando

    fernando Powered by Dash
    Dash Core Team Foundation Member Moderator

    Joined:
    May 9, 2014
    Messages:
    1,528
    Likes Received:
    2,056
    Trophy Points:
    283
  25. strix

    strix Well-known Member
    Foundation Member

    Joined:
    Sep 14, 2014
    Messages:
    140
    Likes Received:
    121
    Trophy Points:
    193
    I just read the abstract, and this does look good. However, I hope that any implementation we make of 2FA for DRK will not be dependent on using a cell phone, as I suspect this would clearly identify the cell owner as a DRK user. At this point, in most jurisdictions, this is not a problem, but I have not yet read next month's newspaper.

    The risk would be mitigated once the MNs' identities/IPs were obscured, provided they sent the 2FA code in a secure manner. Whatever method is ultimately chosen, I hope it will use FIDO in order to be able to use a Yubikey-like fob.
     
  26. tungfa

    tungfa Administrator
    Dash Core Team Foundation Member Masternode Owner/Operator Moderator

    Joined:
    Apr 9, 2014
    Messages:
    8,870
    Likes Received:
    6,706
    Trophy Points:
    1,283
    • Like Like x 1
  27. jimbit

    jimbit Well-known Member
    Foundation Member

    Joined:
    May 23, 2014
    Messages:
    226
    Likes Received:
    103
    Trophy Points:
    203
    Not to throw cold water on the 2FA discussion.. but shouldn't we implement instantX first?

    I thought since Evan had a POC already working for instantX that implementation on testnet was imminent.
     
  28. moli

    moli Grizzled Member

    Joined:
    Aug 5, 2014
    Messages:
    3,262
    Likes Received:
    1,837
    Trophy Points:
    1,183
    I think InstantX is probably going to be next for testing. This announcement about 2FA was like weeks ago, the news just now caught up with it.
     
    • Like Like x 1
  29. pbleak

    pbleak Active Member

    Joined:
    May 15, 2014
    Messages:
    399
    Likes Received:
    172
    Trophy Points:
    113
    2fa is all good, but do keep in mind those who do not use google or apple and may need other options. So many sites assume authy, etc. as standard 2fa.
     
  30. crowning

    crowning Well-known Member

    Joined:
    May 29, 2014
    Messages:
    1,428
    Likes Received:
    2,005
    Trophy Points:
    183
    That would be me.

    I want an API for 2FA and do my own stuff from there.
     
    • Like Like x 2