thoughts on Bitgo - the most secure wallet 3-fa

[mskryxz]

Basically it uses 3 private keys.
1 online say like codebase
Your password or on your computer
And a 3rd that you can print out or store offline

You only need 2 to make a transaction

But if coinbase gets hacked, the hacker would need your key so it makes it impossible

Even if they hacked your computer, then they'd need the offline key or codebase key

I suck at explaining it but just go here

https://www.bitgo.com/p2sh_safe_address

[1715071272]

1715071272

[1715071272]

1715071272

[1715071272]

1715071272

[empoweoqwj]

Get it independently audited by a security expert, and publish the report

I mean that in all seriousness. Every one claims their wallet is super-secure, history proves otherwise in many cases ...

[mbelshe]

Get it independently audited by a security expert, and publish the report

I mean that in all seriousness. Every one claims their wallet is super-secure, history proves otherwise in many cases ...

This is excellent advice :-)

I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

I would never be so foolish as to claim that anything is impervious.  But the concepts that we've pioneered in the BitGo architecture have held up to scrutiny so far.  Hopefully these concepts are just a better starting point for anyone building a new wallet going forward.

We love feedback, we know we're not perfect, and we will take seriously any potential exploits or vulnerabilities.  Don't hesitate to reach out to me personally if you have any issues.

Mike Belshe
---
CTO & CoFounder, BitGo, Inc
mike@belshe.com
mike@bitgo.com

[guybrushthreepwood]

This is an online wallet?

[CoinPurse]

Get it independently audited by a security expert, and publish the report

I mean that in all seriousness. Every one claims their wallet is super-secure, history proves otherwise in many cases ...

This is excellent advice :-)

I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

I would never be so foolish as to claim that anything is impervious.  But the concepts that we've pioneered in the BitGo architecture have held up to scrutiny so far.  Hopefully these concepts are just a better starting point for anyone building a new wallet going forward.

We love feedback, we know we're not perfect, and we will take seriously any potential exploits or vulnerabilities.  Don't hesitate to reach out to me personally if you have any issues.

Mike Belshe
---
CTO & CoFounder, BitGo, Inc
mike@belshe.com
mike@bitgo.com

A 2 of 3 wallet is an excellent idea! Kudos Mike! I would suggest using crowd spring or some other design service to spruce up the design and stock images on BitGo. Other than that the theory looks quite sound.

[empoweoqwj]

Get it independently audited by a security expert, and publish the report

I mean that in all seriousness. Every one claims their wallet is super-secure, history proves otherwise in many cases ...

This is excellent advice :-)

I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

I would never be so foolish as to claim that anything is impervious.  But the concepts that we've pioneered in the BitGo architecture have held up to scrutiny so far.  Hopefully these concepts are just a better starting point for anyone building a new wallet going forward.

We love feedback, we know we're not perfect, and we will take seriously any potential exploits or vulnerabilities.  Don't hesitate to reach out to me personally if you have any issues.

Mike Belshe
---
CTO & CoFounder, BitGo, Inc
mike@belshe.com
mike@bitgo.com

That sounds excellent Mike, great response

My only other "advise" is that you should publish any company details about yourself. There are so many "one-man ops" in bitcoinland, some aren't even registered companies. The more you share about yourself, the more trust you engender.

[gweedo]

People are still using web wallets really? Did we not learn from instawallet, inputs.io, and blockchain.info. I see a couple problems with this one. How are they generating the 3 keys? If it isn't client side, it isn't safe. If they are holding on to the 3 keys even indirectly they are not safe. It isn't open source, so there is no way to verify or run this services on my own. Also all web wallets will be consider not safe until they implement trezor support.

So again don't use web wallets none of them are safe unless you are using a trezor or hardware option to sign the transaction.

[hilariousandco]

People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

[empoweoqwj]

People are still using web wallets really? Did we not learn from instawallet, inputs.io, and blockchain.info. I see a couple problems with this one. How are they generating the 3 keys? If it isn't client side, it isn't safe. If they are holding on to the 3 keys even indirectly they are not safe. It isn't open source, so there is no way to verify or run this services on my own. Also all web wallets will be consider not safe until they implement trezor support.

So again don't use web wallets none of them are safe unless you are using a trezor or hardware option to sign the transaction.

Yeah, not being open source is a big turn off.

[bryant.coleman]

I don't get it. Only 2 FA is needed for transactions. So if someone hacks in to an account he can withdraw the coins with just 2 passwords, right?

[LiteCoinGuy]

People are still using web wallets really? Did we not learn from instawallet, inputs.io, and blockchain.info. I see a couple problems with this one. How are they generating the 3 keys? .

yep and there will always people who do this. you could say it every day and still people would store them online.  

i guess someday there will be an online wallet with high security AND insurance over the funds, maybe then you could store them online (but i wouldnt do that).

[gweedo]

I don't get it. Only 2 FA is needed for transactions. So if someone hacks in to an account he can withdraw the coins with just 2 passwords, right?

What about the people who run the service? This is where things like trezor will solve, and 2FA is a just a false sense of security for that attack.

[gweedo]

People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

People still get hacked on blockchain, but they are a lot better than most web wallets, and if they add trezor support like they plan on, they will be the most secure web wallet.

[hilariousandco]

People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

People still get hacked on blockchain, but they are a lot better than most web wallets, and if they add trezor support like they plan on, they will be the most secure web wallet.

I think blockchain.info will probably be safer for a newb who doesn't really know waht they're doing, as long as they set up all the security features; 2 factor auth and a second password etc.

[empoweoqwj]

Same advice as always for me. Keep as little as possible online, and use 2fa. I don't care what security features are promoted with web wallets, most of your coins should be safely offline.

[charleshoskinson]

I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

Who did your full audit. I am looking for an auditor myself and it would be nice to grab someone who is now familiar with Bitcoin

[buumraw]

is that a new online bitcoin wallet?

[gweedo]

People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

People still get hacked on blockchain, but they are a lot better than most web wallets, and if they add trezor support like they plan on, they will be the most secure web wallet.

I think blockchain.info will probably be safer for a newb who doesn't really know waht they're doing, as long as they set up all the security features; 2 factor auth and a second password etc.

Local clients are better for newbies, but lets be honest we need to teach newbies about all forms of security cause many sites use 2FA they should learn it now. What it is and how it helps from hackers but not backend hackers.

[empoweoqwj]

People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

People still get hacked on blockchain, but they are a lot better than most web wallets, and if they add trezor support like they plan on, they will be the most secure web wallet.

I think blockchain.info will probably be safer for a newb who doesn't really know waht they're doing, as long as they set up all the security features; 2 factor auth and a second password etc.

Local clients are better for newbies, but lets be honest we need to teach newbies about all forms of security cause many sites use 2FA they should learn it now. What it is and how it helps from hackers but not backend hackers.

backend hackers or site owners that just run off with all the coins ......

[gweedo]

People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

People still get hacked on blockchain, but they are a lot better than most web wallets, and if they add trezor support like they plan on, they will be the most secure web wallet.

I think blockchain.info will probably be safer for a newb who doesn't really know waht they're doing, as long as they set up all the security features; 2 factor auth and a second password etc.

Local clients are better for newbies, but lets be honest we need to teach newbies about all forms of security cause many sites use 2FA they should learn it now. What it is and how it helps from hackers but not backend hackers.

backend hackers or site owners that just run off with all the coins ......

I put them in the backend hackers that have access to the machine.