Blockchain.info wallet encryption

[IveBeenBit]

Though I'm not a newbie, this question is sort of basic, so here it is.

I have some bitcoins at blockchain.info. I have the site email me my wallet backup any time that I generate a new address there. To my understanding, these backups are sent to me AES encrypted and the encryption key is the same as my password for logging into blockchain.info, right?

I also have 2FA set up at blockchain.info with Google Authenticator.

Now if the idea behind 2FA is that just a password is not enough security, it seems that having backups emailed to me partially defeats the purpose of 2FA in the first place, since the 2FA will do nothing for someone that may intercept a copy of the encrypted wallet file.

Am I wrong about any of this?

[hamdi]

i am not sure how 2fa auth on the wallet file can be done offline...

[Stephen Gornick]

Now if the idea behind 2FA is that just a password is not enough security, it seems that having backups emailed to me partially defeats the purpose of 2FA in the first place, since the 2FA will do nothing for someone that may intercept a copy of the encrypted wallet file.

Correct.  The 2FA is to protect against a replay attack using your password to access the Blockchain.info website.  It does not protect the backups.

Someone with your blockchain.info/wallet password and access to the encrypted wallet file can decrypt the file and spend your funds.  [Edit: If you have your account configured with a second password for withdrawals, then that password is required as well in order to decrypt and spend the funds.]

[Maged]

Now if the idea behind 2FA is that just a password is not enough security, it seems that having backups emailed to me partially defeats the purpose of 2FA in the first place, since the 2FA will do nothing for someone that may intercept a copy of the encrypted wallet file.

Well, if you assume that the email isn't intercepted in-transit (which is a safe assumption for the vast majority of attackers), then the emailed backup is protected by your Blockchain.info password plus whatever security mechanisms you have to use to access the email account. For example, you could also protect the email account that the backups are sent to with 2FA.

[Stephen Gornick]

Well, if you assume that the email isn't intercepted in-transit (which is a safe assumption for the vast majority of attackers), then the emailed backup is protected by your Blockchain.info password

I forgot the condition where you have your account configured with a second password for withdrawals, then the backup is protected with that password as well.   If the attacker obtained the wallet password by malware that does keylogging, then the attacker probably has the second password as well though.