Bitcoin Forum
Author Topic: OTP for crypto transactions  (Read 126 times)
pawanjain
September 03, 2019, 02:48:35 PM
 #1

We have seen many people complaining that they had mistakenly sent bitcoins or any cryptocurrency to an address which they didn't want to.
Many times hackers hack others' wallets and steal their cryptocurrencies.

Everybody knows what an OTP is. It adds an extra layer of security in your payments.

What if we developed a wallet and integrated the OTP feature in it which basically when approved broadcasts the transaction on the blockchain?
In my opinion this would add a layer of security. OTP doesn't need to be centralized and hence it won't break the decentralization part of bitcoin (but obviously a centralized wallet can still break it)



ranochigo
September 03, 2019, 03:49:40 PM
Merited by Zedpastin (2), ETFbitcoin (1)
 #2

The mainstream implementation of the OTP system is mainly with SMS based and time based. Since SMS based systems obviously will require a central party, it is out of the equation.

With time based OTP, the secret is shared with the phone which should be kept safe. It wouldn't work if the malware were to be active during the point at which the OTP is activated. In addition, for the server to validate your OTP, they would require the secret key. This means that every node (and thus everyone) would have access to your secret. It wouldn't make sense and it would make the blockchain even more bulky by storing all the data on every node.

The current implementation of 2FA wallets with multisig is the best compromise between security and feasibility.

NeuroticFish
September 03, 2019, 04:00:52 PM
 #3

I've seen OTP via hardware device (which is good, but not useful for your case), SMS (insecure), e-mail (even more insecure), in-mobile-app confirmation/password (not useful since in your case it's probably the same application)...

So no. I don't think that there's a good OTP method OP can use.

ETFbitcoin
September 03, 2019, 05:19:48 PM
 #4

Electrum already achieves your idea while letting users keep full control over their funds, and they can stop using OTP/2FA anytime.

But as you can guess, it's time-synchronized based on a hardware device or your local device.

P.S. While Google Authenticator and Authy are usually referred to as 2FA, technically they're also OTP at the same time.

Coolcryptovator
September 03, 2019, 06:39:40 PM
Merited by HeRetiK (1)
 #5

I am wondering how OTP will prevent you from sending cryptocurrency to the wrong address. OTP will ensure that the funds are sent by the right person; it will not verify the address that you are going to send funds to. The address should be verified by yourself even if you activate OTP or 2FA. If you are wondering about SMS OTP, then it will be a centralized system and it would be hacked by getting help from operators. Only devices would be safe, but that will also be like centralization, in my opinion.

> P.S. While Google Authenticator and Authy are usually referred to as 2FA, technically they're also OTP at the same time.

Second that.

TalkStar
September 04, 2019, 02:49:22 AM
 #6

> It wouldn't make sense and it would make the blockchain even more bulky by storing all the data on every node.

Yeah, assuming something similar from my side. Implementing 2FA for transactions and user sign-in together wouldn't be a good idea.

As we know, some wallet service providers offer 2FA for users' account safety, but using it for every single transaction will increase their service cost for sure. Most probably users' transaction charges would be higher than before, which is really unexpected for many wallet users.


HeRetiK
September 04, 2019, 09:06:11 AM
 #7

> I am wondering how OTP will prevent you from sending cryptocurrency to the wrong address. OTP will ensure that the funds are sent by the right person; it will not verify the address that you are going to send funds to.

I also don't see how OTP can mitigate cases where a user sends funds to the wrong address (e.g. due to clipboard malware). The only way I currently see to avoid this problem is to (1) double-check the address before pressing send and (2) confirm the address over a secondary device / communication channel (e.g. via phone or email). I'm not sure if there's a good solution for automating / integrating this process of recipient confirmation though.
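
The two limits raised in replies #2, #5 and #7, shown as an added example that is not part of any post in this thread: a time-based OTP verifier must hold the same secret as the phone, and the code is not bound to the transaction, so a substituted recipient passes the same check. `approve_broadcast` and the placeholder recipients are hypothetical; the secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Verifier side: recompute from the SAME secret, tolerating +/- window steps of drift."""
    counter = unix_time // step
    candidates = [counter + d for d in range(-window, window + 1) if counter + d >= 0]
    return any(hmac.compare_digest(hotp(secret, c, len(code)), code) for c in candidates)


def approve_broadcast(verifier_secret: bytes, code: str, now: int, tx: dict) -> bool:
    """Hypothetical wallet gate. The OTP check has no input derived from tx."""
    return verify(verifier_secret, code, now)


def demo() -> dict:
    secret = b"12345678901234567890"  # published RFC 6238 test secret, not a real key
    now = 59                          # RFC 6238 test time
    phone_code = totp(secret, now)    # what the user's authenticator app shows
    # Constructed transactions with placeholder recipients (not real addresses).
    intended = {"to": "ADDR_INTENDED_PLACEHOLDER", "amount_btc": 0.5}
    swapped = {"to": "ADDR_SUBSTITUTED_PLACEHOLDER", "amount_btc": 0.5}
    # Anyone holding the verifier's copy of the secret can compute a valid code.
    minted_by_verifier = totp(bytes(secret), now)
    return {
        "rfc_vector_8_digits": totp(secret, now, digits=8),
        "intended_ok": approve_broadcast(secret, phone_code, now, intended),
        "swapped_ok": approve_broadcast(secret, phone_code, now, swapped),
        "verifier_code_ok": verify(secret, minted_by_verifier, now),
        "stale_ok": verify(secret, phone_code, now + 210),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both transactions are approved with the same code, which is why the thread's replies point to previewing the transaction and confirming the recipient separately rather than relying on the OTP step.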

ETFbitcoin
September 04, 2019, 09:40:09 AM
 #8

> The only way I currently see to avoid this problem is to (1) double-check the address before pressing send and (2) confirm the address over a secondary device / communication channel (e.g. via phone or email).

(3) Use the preview feature before signing/broadcasting a transaction

> If you are wondering about SMS OTP, then it will be a centralized system and it would be hacked by getting help from operators. Only devices would be safe, but that will also be like centralization, in my opinion.

And help from customer service/operators also adds another attack vector, such as SIM swapping if an attacker has your personal information (either because your device has been hacked, your online data is leaked or you share your private life on social media).

pawanjain
September 04, 2019, 02:35:42 PM
 #9

I should have made myself more clear. I am not talking about OTP on SMS based systems since it will obviously lead to centralization.
I was talking about OTP similar to 2FA which as ETFbitcoin said is already implemented in Electrum wallet.

> I am wondering how OTP will prevent you from sending cryptocurrency to the wrong address. OTP will ensure that the funds are sent by the right person; it will not verify the address that you are going to send funds to.

> I also don't see how OTP can mitigate cases where a user sends funds to the wrong address (e.g. due to clipboard malware). The only way I currently see to avoid this problem is to (1) double-check the address before pressing send and (2) confirm the address over a secondary device / communication channel (e.g. via phone or email). I'm not sure if there's a good solution for automating / integrating this process of recipient confirmation though.

Obviously the OTP would not autocorrect the addresses but it would give us the time to double check the transaction. Many users don't even cross verify the address and simply broadcast it to the blockchain and later regret.
Adding an OTP won't help us with this but just provide an extra step thus providing extra time to think before making the transaction.

> The mainstream implementation of the OTP system is mainly with SMS based and time based. Since SMS based systems obviously will require a central party, it is out of the equation.
>
> With time based OTP, the secret is shared with the phone which should be kept safe. It wouldn't work if the malware were to be active during the point at which the OTP is activated. In addition, for the server to validate your OTP, they would require the secret key. This means that every node (and thus everyone) would have access to your secret. It wouldn't make sense and it would make the blockchain even more bulky by storing all the data on every node.
>
> The current implementation of 2FA wallets with multisig is the best compromise between security and feasibility.

Yes, implementing OTP directly onto the blockchain would definitely increase the blockchain's size which is why I said that the OTP should somehow be integrated into the wallet and not on the blockchain.
The time based concern is still there and I don't know how we can tackle that.

To be honest, I doubt my idea of OTP since the verification of OTP would require a server to cross verify the OTPs. We can't implement it over the blockchain since it's absolutely stupid.
And if we implement the verification process on a server then that would break the decentralization part. Damn!

I was just thinking if we could implement 2FA in a wallet and then whenever we broadcast a transaction it would ask for a 2FA/OTP.
This would add a security layer and also give us the time to cross verify/double check our transaction before we broadcast it on the blockchain.



HeRetiK
September 04, 2019, 03:12:38 PM
 #10

> I am wondering how OTP will prevent you from sending cryptocurrency to the wrong address. OTP will ensure that the funds are sent by the right person; it will not verify the address that you are going to send funds to.

> I also don't see how OTP can mitigate cases where a user sends funds to the wrong address (e.g. due to clipboard malware). The only way I currently see to avoid this problem is to (1) double-check the address before pressing send and (2) confirm the address over a secondary device / communication channel (e.g. via phone or email). I'm not sure if there's a good solution for automating / integrating this process of recipient confirmation though.

> Obviously the OTP would not autocorrect the addresses but it would give us the time to double check the transaction. Many users don't even cross verify the address and simply broadcast it to the blockchain and later regret.
> Adding an OTP won't help us with this but just provide an extra step thus providing extra time to think before making the transaction.

From this point of view maybe adding an "undo" feature like Gmail has could help.

Obviously there's nothing being undone for real, but the short delay it introduces can help with the second thoughts that hit you after pressing "send". It's a neat little psychological trick that doesn't do much, technically, but at least from my personal experience it does make a difference.

Problem being, I'm afraid the majority of people don't realize that they have sent funds to the wrong address until way after the fact. At least that's the impression I get from the support requests hitting the Bitcointalk forums.

MagicByt3
September 04, 2019, 04:49:15 PM
 #11

> I am wondering how OTP will prevent you from sending cryptocurrency to the wrong address. OTP will ensure that the funds are sent by the right person; it will not verify the address that you are going to send funds to.

> I also don't see how OTP can mitigate cases where a user sends funds to the wrong address (e.g. due to clipboard malware). The only way I currently see to avoid this problem is to (1) double-check the address before pressing send and (2) confirm the address over a secondary device / communication channel (e.g. via phone or email). I'm not sure if there's a good solution for automating / integrating this process of recipient confirmation though.

Sometimes this is not enough. The clipboard malware strains are becoming much more in-depth: you may paste the correct address and double-check it, but when the send button is pressed the malware then manipulates the data to replace the address. Only after it's sent do you realize that the funds are going to another address and not the one being pasted in.

The old paste-in style is not the cyber crims' choice of tool anymore; manipulation of the packet is where they seem to be at now.

ETFbitcoin
September 04, 2019, 05:00:47 PM
 #12

> I was just thinking if we could implement 2FA in a wallet and then whenever we broadcast a transaction it would ask for a 2FA/OTP.
> This would add a security layer and also give us the time to cross verify/double check our transaction before we broadcast it on the blockchain.

Technically Electrum already achieves it, since it asks for 2FA/OTP when you hit "Send" or "Broadcast" (if you open the preview window).
The only improvement that could be made is to make the preview window "Always on top" when entering the password or 2FA/OTP code.

turndealer
September 07, 2019, 02:00:03 PM
 #13

> We have seen many people complaining that they had mistakenly sent bitcoins or any cryptocurrency to an address which they didn't want to.
> Many times hackers hack others' wallets and steal their cryptocurrencies.
>
> Everybody knows what an OTP is. It adds an extra layer of security in your payments.
>
> What if we developed a wallet and integrated the OTP feature in it which basically when approved broadcasts the transaction on the blockchain?
> In my opinion this would add a layer of security. OTP doesn't need to be centralized and hence it won't break the decentralization part of bitcoin (but obviously a centralized wallet can still break it)

OTP isn't possible without being a centralized system or custodial wallet.

However, you can use multisignature wallets in such a case.