OTP for crypto transactions

[pawanjain]

We have seen many people complaining that they had mistakenly sent bitcoins or any cryptocurrency to an address which they didn't want to.
Many times hackers hack other's wallets and steal their cryptocurrencies.

Everybody knows what an OTP is. It adds an extra layer of security in your payments.

What if we developed a wallet and integrated the OTP feature in it which basically when approved broadcasts the transaction on the blockchain ?
In my opinion this would add a layer of security. OTP doesn't need to be centralized and hence it won't break the decentralization part of bitcoin (but obviously a centralized wallet can still break it)

[1714119828]

1714119828

[1714119828]

1714119828

[1714119828]

1714119828

[1714119828]

1714119828

[1714119828]

1714119828

[1714119828]

1714119828

[ranochigo]

The mainstream implementation of the OTP system is mainly with SMS based and time based. Since SMS based systems obviously will require a central party, it is out of the equation.

With time based OTP, the secret is shared with the phone which should be kept safe. It wouldn't work if the malware were to be active during the point at which the OTP is activated. In addition, for the server to validate your OTP, they would require the secret key. This means that every node (and thus everyone) would have access to your secret. It wouldn't make sense and it would make the blockchain even more bulky by storing all the data on every node.

The current implementation of 2FA wallets with multisig is the best compromise between security and feasibility.

[NeuroticFish]

I've seen OTP via hardware device (which is good, but not useful for your case), SMS (insecure), e-mail (even more insecure), in-mobile-app confirmation/password (not useful since in your case it's probably the same application)...

So no. I don't think that there's a good OTP method OP can use.

[The Cryptovator]

I am wondering how OTP will prevent if you are sending crypto-currency into wrong address. OTP will ensure that fund sending by right person, it will not verify address that you are going to send funds. Address should be verified by yourself even you active OTP or 2FA. If you are wondering about SMS OTP then it will be a centralized system and it would be hacked by get help from operators. Only devices would be safe but its also will be like centralization in my opinion.

P.S. while Google Authenticator and Authy usually refereed as 2FA, technically it's also OTP at same time

Second that.

[TalkStar]

It wouldn't make sense and it would make the blockchain even more bulky by storing all the data on every node.

Yeah assuming something similar from my side. Implementing 2FA for transaction and users sign in together wouldn't be a good idea.

As we know that some wallet service providers are offering 2FA for users account safety but using it for every single transaction will increase their service cost for sure. Most probably users transaction charges would be higher than previous which is really unexpected for many wallet users.  

[HeRetiK]

I am wondering how OTP will prevent if you are sending crypto-currency into wrong address. OTP will ensure that fund sending by right person, it will not verify address that you are going to send funds.

I also don't see how OTP can mitigate cases where a user sends funds to the wrong address (eg. due to clipboard-malware). The only way I currently see to avoid this problem is to (1) double check the address before pressing send and (2) confirming the address over a secondary device / communication channel (eg. via phone or email). I'm not sure if there's a good solution for automating / integrating this process of recipient confirmation though.

[pawanjain]

I should have made myself more clear. I am not talking about OTP on SMS based systems since it will obviously lead to centralization.
I was talking about OTP similar to 2FA which as ETFbitcoin said is already implemented in Electrum wallet.

I am wondering how OTP will prevent if you are sending crypto-currency into wrong address. OTP will ensure that fund sending by right person, it will not verify address that you are going to send funds.

I also don't see how OTP can mitigate cases where a user sends funds to the wrong address (eg. due to clipboard-malware). The only way I currently see to avoid this problem is to (1) double check the address before pressing send and (2) confirming the address over a secondary device / communication channel (eg. via phone or email). I'm not sure if there's a good solution for automating / integrating this process of recipient confirmation though.

Obvioulsy the OTP would not autocorrect the addresses but it would give us the time to double check the transaction. Many users don't even cross verify the address and simply broadcast it to the blockchain and later regret.
Adding an OTP won't help us with this but just provide an extra step thus providing an extra time to think before making the transaction.

The mainstream implementation of the OTP system is mainly with SMS based and time based. Since SMS based systems obviously will require a central party, it is out of the equation.

With time based OTP, the secret is shared with the phone which should be kept safe. It wouldn't work if the malware were to be active during the point at which the OTP is activated. In addition, for the server to validate your OTP, they would require the secret key. This means that every node (and thus everyone) would have access to your secret. It wouldn't make sense and it would make the blockchain even more bulky by storing all the data on every node.

The current implementation of 2FA wallets with multisig is the best compromise between security and feasibility.

Yes, implementing OTP directly on to the blockchain would definitely increase the blockchain's size which is why I said that the OTP should somehow be integrated into the wallet and not on the blockchain.
The time based concern is still there and I don't know how we can tackle that.

To be honest, I doubt on my idea of OTP since the verification of OTP would require a server to cross verify the OTPs. We can't implement it over the blockchain since it's absolutely stupid.
And if we implement the verification process on a server then that would break the decentralization part. Damn!

I was just thinking if we could implement 2FA in a wallet and then whenever we broadcast a transaction it would ask for a 2FA/OTP.
This would add a security layer and also give us the time to cross verify/double check our transaction before we broadcast it on the blockchain.

[HeRetiK]

I am wondering how OTP will prevent if you are sending crypto-currency into wrong address. OTP will ensure that fund sending by right person, it will not verify address that you are going to send funds.

I also don't see how OTP can mitigate cases where a user sends funds to the wrong address (eg. due to clipboard-malware). The only way I currently see to avoid this problem is to (1) double check the address before pressing send and (2) confirming the address over a secondary device / communication channel (eg. via phone or email). I'm not sure if there's a good solution for automating / integrating this process of recipient confirmation though.

Obvioulsy the OTP would not autocorrect the addresses but it would give us the time to double check the transaction. Many users don't even cross verify the address and simply broadcast it to the blockchain and later regret.
Adding an OTP won't help us with this but just provide an extra step thus providing an extra time to think before making the transaction.

From this point of view maybe adding an "undo" feature like Gmail has could help.

Obviously there's nothing being undone for real, but the short delay it introduces can help with the second thoughts that hit you after pressing "send". It's a neat little psychological trick that doesn't do much, technically, but at least from my personal experience it does make a difference.

Problem being, I'm afraid the majority of people don't realize that they have sent funds to the wrong address until way after the fact. At least that's the impression I get from the support requests hitting the Bitcointalk forums.

[DaCryptoRaccoon]

I am wondering how OTP will prevent if you are sending crypto-currency into wrong address. OTP will ensure that fund sending by right person, it will not verify address that you are going to send funds.

I also don't see how OTP can mitigate cases where a user sends funds to the wrong address (eg. due to clipboard-malware). The only way I currently see to avoid this problem is to (1) double check the address before pressing send and (2) confirming the address over a secondary device / communication channel (eg. via phone or email). I'm not sure if there's a good solution for automating / integrating this process of recipient confirmation though.

Sometimes this is not enough the clipboard malware strains are becoming much more in-depth you may paste the correct address double check it but when the send button is presses the malware then manipulates the data to replace the address only after it's send do you realize that the funds are going to another address and not the one being pasted in.

The old paste in style is not the cyber crims choice of tool anymore manipulation of the packet it where they seem to be at now.

[turndealer]

We have seen many people complaining that they had mistakenly sent bitcoins or any cryptocurrency to an address which they didn't want to.
Many times hackers hack other's wallets and steal their cryptocurrencies.

Everybody knows what an OTP is. It adds an extra layer of security in your payments.

What if we developed a wallet and integrated the OTP feature in it which basically when approved broadcasts the transaction on the blockchain ?
In my opinion this would add a layer of security. OTP doesn't need to be centralized and hence it won't break the decentralization part of bitcoin (but obviously a centralized wallet can still break it)

OTP isnt possible without being centralized system or custodial wallet.

However You can use MultiSignature wallets in such a case .