Bitcoin Forum
Author Topic: Electrum 2FA  (Read 348 times)
ranochigo (OP)
Legendary
Activity: 2968
Merit: 4177
December 13, 2020, 03:37:42 PM
Merited by suchmoon (4), pooya87 (1), ABCbits (1), khaled0111 (1), DireWolfM14 (1)
 #1

This is not a topic about how to do 2FA, how it works etc etc. I'm talking about the efficacy of 2FA with TrustedCoin in preventing users' funds from getting compromised by a malicious party.

As a starter, 2FA by TrustedCoin incurs extra fees through both the larger TX size as well as their fees to be charged for the transactions signed by them. The benefits of TrustedCoin, however, aren't exactly clear. On one hand, it would prevent attacks if the attacker is in control of the system for short periods of time and if the attacker doesn't install malware on its computer. If the computer gets compromised by malware, the OTP that could be captured can be used to get TrustedCoin to sign an alternate transaction. It seems feasible in theory but I've yet to see anyone do it.

In addition, if the malware existed since the creation of the wallet, the 2FA would be totally useless. Does the 2FA in Electrum provide a false sense of security to the user or is there an actual use case that would justify the fees that TrustedCoin receives for their service?


Just some thoughts since Electrum's docs specifically mention
Quote
adding another level of security in the event of your computer being compromised
And a lot of newbies have been using 2FA and having quite some trouble with it as well.

DireWolfM14
Copper Member
Legendary
Activity: 2184
Merit: 4238
December 13, 2020, 03:56:50 PM
Merited by suchmoon (4), ranochigo (1), ABCbits (1)
 #2

Quote
Does the 2FA in Electrum provide a false sense of security to the user or is there an actual use case that would justify the fees that TrustedCoin receives for their service?

I'm not a fan.  The idea of trusting a third party to sign my transactions seems to go against everything I've learned about crypto.

The fees alone are enough reason to consider other options.  I don't remember what TrustedCoin charges, but if you use your wallet a lot the fees might add up to the cost of a Ledger Nano or another affordable hardware wallet.

But, if we're only talking about desktop wallets there are plenty of security measures you can take that will mitigate your risk without TrustedCoin.  For example; using only bip39 seeds with your Electrum wallet will prevent someone who accesses your computer from seeing your seed phrase.  If you absent-mindedly walk away from your computer with your wallet open, an attacker would still need your wallet password to sign a transaction.

I agree that TrustedCoin would only help if your passwords get compromised after setting up the wallet. 

ranochigo (OP)
Legendary
Activity: 2968
Merit: 4177
December 13, 2020, 04:40:54 PM
 #3

Quote
I'm not a fan. The idea of trusting a third party to sign my transactions seems to go against everything I've learned about crypto.
To be fair, I think they did think it through and they structured it such that you don't need the signature of TrustedCoin for the transaction to be valid because you hold 2 keys and the multisig is 2 of 3.

Quote
But, if we're only talking about desktop wallets there are plenty of security measures you can take that will mitigate your risk without TrustedCoin. For example; using only bip39 seeds with your Electrum wallet will prevent someone who accesses your computer from seeing your seed phrase. If you absent-mindedly walk away from your computer with your wallet open, an attacker would still need your wallet password to sign a transaction.
Agreed. I suppose using HW wallets would mitigate this risk completely in the first place. And with hot wallets, a password would be sufficient. Do other kinds of seed phrase allow a third party to see the seeds?

DireWolfM14
Copper Member
Legendary
Activity: 2184
Merit: 4238
December 13, 2020, 04:48:14 PM
 #4

Quote
Do other kinds of seed phrase allow a third party to see the seeds?

If you allow Electrum to generate the seed phrase, you can see it by selecting "Wallet" from the menu, then clicking on "Seed."  You still need the password to display the seed phrase.  If you "restore" a wallet from a Bip39 seed phrase, that option will not be available. 

khaled0111
Legendary
Activity: 2520
Merit: 2861
December 13, 2020, 04:58:14 PM
 #5

Quote
I don't remember what TrustedCoin charges, but if you use your wallet a lot the fees might add up to the cost of a Ledger Nano or another affordable hardware wallet.
You can choose to either pay 0.001btc for a set of 20 transactions (0.00005 per tx) or 0.0025btc for 100 transactions (0.000025 per tx).
A Ledger Nano costs 59$ or around 0.003btc. So, it would be better to buy a hw if you are going to make more than 100 txs.

If someone has a second device to run the authenticator software, why doesn't he use it to create a 2 of 2 multisig wallet and save a lot of fees?!

NeuroticFish
Legendary
Activity: 3668
Merit: 6383
December 13, 2020, 05:08:21 PM
Merited by DireWolfM14 (1)
 #6

I find it to this day overpriced and not really useful.
As already said, if the computer has malware on it from the start, 2FA will not help.

Simple math tells that if you plan to do at least 150 transactions you'll get a hardware wallet for the same money (and I didn't count the extra you'd pay in the tx fees because of multisig).

With all due respect for the brilliant piece of software Electrum is, this 2FA feature caused more troubles to newbies than helping them and now it's time to think seriously that it should be retired.

NotATether
Legendary
Activity: 1596
Merit: 6735
December 13, 2020, 07:17:37 PM
 #7

Rather than TrustedCoin, I would like the ability to send a TOTP code to Authenticator as an optional supplement to password entry. It would not be hard to implement, since there is no third party involved. Only a secret key needs to be generated, possibly wrapped in a QR code, and then HMAC hashing for the code needs to be implemented as well.

I really want to see if it's something I can hack together in 6 hours. It only involves adding a screen in the wallet creation wizard and another menu option.

With this 2FA there is no need for this third party service but it must stay in Electrum for compatibility reasons for people already using it, and it's free and saves you from paying "ransom" to some intermediary for every few transactions you make.

Coin-Keeper
Hero Member
Activity: 758
Merit: 606
December 13, 2020, 07:38:07 PM
 #8

I use 2FA (prefer U2F) on every site it's available, in general, but not where I am NOT the holder of the second credential. Using a Trezor along with Electrum, to me, is the ultimate 2FA of sorts. My Electrum wallets are encrypted/locked to the hardware wallet so there is NO opening my wallets without the hardware wallet present. Electrum alone cannot protect against a malware-infected computer. For this reason many elect to use air-gapped (two computers) setups to guard against this risk. I find it easier to simply code and use a hardware wallet. They both work well so it's a preference thing.

HCP
Legendary
Activity: 2086
Merit: 4316
December 13, 2020, 07:50:39 PM
 #9

I'm not sure why there is so much "hate" for 2FA in Electrum? Sure it might not be useful to you or I personally (like web wallet services or paper wallets)... but there are definitely use-cases for it.

Quote
If the computer gets compromised by malware, the OTP that could be captured can be used to get TrustedCoin to sign an alternate transaction.
Is that not true of any 2FA implementation tho? I don't see this as being exclusively an "Electrum 2FA" issue. It's like a lock on your front door, it'll stop a random person from walking off the street and into your house, but it isn't going to stop a determined burglar who will just put a brick through your window

These sorts of mechanisms are designed to offer "added" security... not "total" security... as per the Electrum doc that you quote:
Quote
adding another level of security in the event of your computer being compromised

Quote
And a lot of newbies have been using 2FA and having quite some trouble with it as well.
Newbies gonna newb... ¯\_(ツ)_/¯

I've seen newbies get into trouble with Electrum, Mycelium, Bitcoin Core, Armory, Blockchain.com, Jaxx, Exodus etc... I don't think it's an Electrum 2FA issue.

Quote
With all due respect for the brilliant piece of software Electrum is, this 2FA feature caused more troubles to newbies than helping them and now it's time to think seriously that it should be retired.
Why? If you don't like it... there is an easy option: don't use it!

Just because it doesn't protect all users in all situations (Spoiler: no security setup does or can), doesn't necessarily make it "bad"...

NotATether
Legendary
Activity: 1596
Merit: 6735
December 13, 2020, 09:55:13 PM
 #10

Quote
If the computer gets compromised by malware, the OTP that could be captured can be used to get TrustedCoin to sign an alternate transaction.
Is that not true of any 2FA implementation tho? I don't see this as being exclusively an "Electrum 2FA" issue. It's like a lock on your front door, it'll stop a random person from walking off the street and into your house, but it isn't going to stop a determined burglar who will just put a brick through your window

Electrum makes you store the 2FA code on your phone in an Authenticator app, so malware compromising the computer isn't going to reveal the 2FA codes.

ranochigo (OP)
Legendary
Activity: 2968
Merit: 4177
December 14, 2020, 04:03:16 AM
 #11

Quote
Is that not true of any 2FA implementation tho? I don't see this as being exclusively an "Electrum 2FA" issue. It's like a lock on your front door, it'll stop a random person from walking off the street and into your house, but it isn't going to stop a determined burglar who will just put a brick through your window
I agree. I just made a post describing how 2FA has its shortcomings in another thread. Most newbies think that 2FA would protect them from most attacks as well. The range of possible cases that they would be protected from isn't stated or discussed anywhere. I feel that this is at the very least misleading, but perhaps not to the fault of Electrum.

Quote
I've seen newbies get into trouble with Electrum, Mycelium, Bitcoin Core, Armory, Blockchain.com, Jaxx, Exodus etc... I don't think it's an Electrum 2FA issue.
There seems to be a lot more confusion about why Electrum is suddenly putting a 0.001BTC output. Why doesn't Electrum put the payment preference to the start of the screen for the user to configure? At least that'll make it clearer that they're paying X to X and clear any confusion. I believe that's a UI issue but it would help a bit if they were to change it slightly.

Quote
Just because it doesn't protect all users in all situations (Spoiler: no security setup does or can), doesn't necessarily make it "bad"...
It doesn't, but I want to hear about why TrustedCoin 2FA could be useful for some. Which is why I created this thread for a discussion from both sides of the camp.

I acknowledge that it does help the user to a certain extent, is the fees being charged (0.000025BTC/tx) and considering that some would change to a HW wallet before they finish using the credit reasonable for the level of security provided?

NeuroticFish
Legendary
Activity: 3668
Merit: 6383
December 14, 2020, 06:17:38 AM
 #12

Quote
Why? If you don't like it... there is an easy option: don't use it!
Just because it doesn't protect all users in all situations (Spoiler: no security setup does or can), doesn't necessarily make it "bad"...

Never did.
But newbies do use it and get in trouble. And I'm with @ranochigo here: it's rather unpleasant to find out suddenly that you've lost almost 50$ for this.
As a newbie you may even think that you got hacked.

If it would have cost a couple of cents per transaction (i.e. dust) and not paid in such big bulk then maybe it would be worth it. But that's not feasible and as it is it may erode the actual reputation of the wallet.

NotATether
Legendary
Activity: 1596
Merit: 6735
December 14, 2020, 09:25:38 AM
 #13

So after trying to design a scheme to add TOTP as a second step for opening Electrum wallets I ran into a major problem. There is no safe way to encrypt the wallet.dat using both the password and OTP result.

OTP requires two parties store the secret key independently from each other, but in this case the "parties" are you, in the form of your phone, and the Electrum wallet. The wallet has no safe place to store the secret key short of encrypting it with the password, but that nullifies the benefits of 2FA since the password can now be used to obtain the secret key. This means that if you know the password then the 2FA result can be trivially guessed so it's no more secure than using a single password.

There is also the equally as important issue of how the OTP result can be used to encrypt the wallet.dat. Passwords are currently stretched with PBKDF2 HMAC-SHA512 with an empty salt. We have the option of either using the OTP result or the secret key as the salt. If we use the secret key, it has to be transmitted with TLS from a secure place where it's stored (possibly from some other local system with a key store for OTP secret keys), but there is a risk that a buggy implementation might inadvertently expose it in plaintext. And of course OTP results can't be used for encryption because they are constantly changing and there's no way to create them again without the secret key. And the whole point of OTP is to keep the secret key somewhere safe.

And without encrypting the wallet.dat using something derived from the secret key, anyone that can brute force the password can unlock the wallet which is a loophole in this 2FA setup that reverts it to the 1FA we presently have...

So this is doable but our best shot is in using some established key store software like libsodium to keep the secret keys in, securely transmit it to the wallet to use as a salt, and hope that I don't write something stupid that gets the key leaked. (Libsodium is how Github stores repositories' API keys for third party publishing and testing services)

It's worth noting that Google Chrome on Linux uses a password-protected PGP key and GPG software to encrypt all of its saved logins and passwords so I can definitely see me using some command-line tool to encrypt the secret keys to a file as well.

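The storage problem described in post #13, as an added example that is not part of the thread and is not Electrum or TrustedCoin code: a wallet that checks TOTP codes locally has to keep the TOTP secret, and if that secret is sealed under the wallet password, the password alone yields every future code. The names `seal`, `SALT`, `ITERATIONS` and the XOR "encryption" are assumptions made for the illustration; the secret and timestamps are the published RFC 6238 test values.

```python
"""Added illustration: why a wallet-local TOTP check adds no second factor."""
import base64
import hashlib
import hmac
import struct

STEP = 30          # seconds per TOTP window (RFC 6238 default)
DIGITS = 6         # code length shown by common authenticator apps
ITERATIONS = 2048  # assumed PBKDF2 work factor for this demo only
SALT = b"constructed-demo-salt"  # assumed; not a value from the thread


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def provisioning_uri(secret: bytes, label: str) -> str:
    """Key URI an authenticator app reads from a QR code during enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{label}?secret={b32}&digits={DIGITS}&period={STEP}"


def stretch(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA512, the stretching function named in the post."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)


def seal(secret: bytes, password: str) -> bytes:
    """Stand-in for real authenticated encryption: XOR with a password-derived
    key. The only property the demo needs is 'password => plaintext'."""
    key = stretch(password, SALT)
    return bytes(s ^ k for s, k in zip(secret, key))


unseal = seal  # XOR is its own inverse


def wallet_verify(sealed: bytes, password: str, code: str, unix_time: int) -> bool:
    """What an offline wallet must do: recover the secret, recompute the code."""
    expected = totp(unseal(sealed, password), unix_time)
    return hmac.compare_digest(expected, code)


def codes_without_phone(sealed: bytes, password: str, unix_time: int) -> str:
    """Same computation, run by whoever holds the wallet file and the password."""
    return totp(unseal(sealed, password), unix_time)


def key_salted_with_otp(password: str, code: str) -> bytes:
    """The other option from the post: use the current OTP as the KDF salt."""
    return stretch(password, code.encode())


def demo() -> dict:
    secret = b"12345678901234567890"   # constructed: RFC 6238 Appendix B test key
    password = "correct horse"         # constructed
    t1, t2 = 59, 1111111109            # RFC 6238 Appendix B timestamps
    sealed = seal(secret, password)
    key_t1 = key_salted_with_otp(password, totp(secret, t1))
    key_t2 = key_salted_with_otp(password, totp(secret, t2))
    return {
        "uri": provisioning_uri(secret, "demo-wallet"),
        "phone_code": totp(secret, t1),
        "file_plus_password_code": codes_without_phone(sealed, password, t1),
        "wallet_accepts": wallet_verify(sealed, password, totp(secret, t1), t1),
        "otp_salted_key_is_stable": key_t1 == key_t2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`file_plus_password_code` equals `phone_code`, and the OTP-salted key changes between time windows, which are the two dead ends the post describes.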
igor72
Legendary
Activity: 1834
Merit: 2019
December 14, 2020, 12:23:53 PM
Merited by ranochigo (1)
 #14

Quote
In addition, if the malware existed since the creation of the wallet, the 2FA would be totally useless.

ranochigo (OP)
Legendary
Activity: 2968
Merit: 4177
December 14, 2020, 12:26:47 PM
 #15


Thanks. Good that they have that stated in the disclaimer. I never really used them other than for some troubleshooting with the users here, I missed that line.

Abdussamad
Legendary
Activity: 3612
Merit: 1564
December 14, 2020, 08:15:13 PM
Merited by ABCbits (1)
 #16

Quote
So after trying to design a scheme to add TOTP as a second step for opening Electrum wallets I ran into a major problem. There is no safe way to encrypt the wallet.dat using both the password and OTP result.

OTP requires two parties store the secret key independently from each other, but in this case the "parties" are you, in the form of your phone, and the Electrum wallet. The wallet has no safe place to store the secret key short of encrypting it with the password, but that nullifies the benefits of 2FA since the password can now be used to obtain the secret key. This means that if you know the password then the 2FA result can be trivially guessed so it's no more secure than using a single password.

There is also the equally as important issue of how the OTP result can be used to encrypt the wallet.dat. Passwords are currently stretched with PBKDF2 HMAC-SHA512 with an empty salt. We have the option of either using the OTP result or the secret key as the salt. If we use the secret key, it has to be transmitted with TLS from a secure place where it's stored (possibly from some other local system with a key store for OTP secret keys), but there is a risk that a buggy implementation might inadvertently expose it in plaintext. And of course OTP results can't be used for encryption because they are constantly changing and there's no way to create them again without the secret key. And the whole point of OTP is to keep the secret key somewhere safe.

And without encrypting the wallet.dat using something derived from the secret key, anyone that can brute force the password can unlock the wallet which is a loophole in this 2FA setup that reverts it to the 1FA we presently have...

So this is doable but our best shot is in using some established key store software like libsodium to keep the secret keys in, securely transmit it to the wallet to use as a salt, and hope that I don't write something stupid that gets the key leaked. (Libsodium is how Github stores repositories' API keys for third party publishing and testing services)

It's worth noting that Google Chrome on Linux uses a password-protected PGP key and GPG software to encrypt all of its saved logins and passwords so I can definitely see me using some command-line tool to encrypt the secret keys to a file as well.

the otp is not used to encrypt anything. it's a 2 of 3 multisig wallet with only one of 3 extended private keys stored in the wallet file. during normal usage you have to get trusted coin to sign the transaction with their key so that the transaction goes through. they are the ones that make you enter the otp code.
HCP
Legendary
Activity: 2086
Merit: 4316
December 14, 2020, 09:40:02 PM
 #17

Quote
I acknowledge that it does help the user to a certain extent, is the fees being charged (0.000025BTC/tx) and considering that some would change to a HW wallet before they finish using the credit reasonable for the level of security provided?
For you and me? Probably not... for someone who wants something that is arguably more secure than a standard wallet and doesn't involve them having to learn how MultiSig actually works and uses a system (Google Authenticator) they're probably already familiar with? maybe?

I wouldn't mind if the installer actually had big giant bold letters explaining how the system was going to work, that their first send transaction would add the extra fee and forced the user to actually see and agree to the fees BEFORE they finished creating the wallet...

Even a pop-up during any "send" transaction where the additional fee is going to be added because the user has no credit would be a good step... at least then users would have a better understanding of why the extra 0.001 or 0.0025 BTC is being added to the transaction and sent to some "random" address

Quote
If it would have cost a couple of cents per transaction (i.e. dust) and not paid in such big bulk then maybe it would be worth it. But that's not feasible and as it is it may erode the actual reputation of the wallet.
It used to be a couple of cents and was charged per transaction... then BTC became more valuable and popular... and it was no longer financially viable for TrustedCoin to be collecting all the small "dust" payments.

So, they moved to the "credit" based system that requires a bulk purchase.
TrustedCoin previously supported paying on a per-transaction (as opposed to batch) basis but had to discontinue support for this due to mining fees.

Quote
the otp is not used to encrypt anything. it's a 2 of 3 multisig wallet with only one of 3 extended private keys stored in the wallet file. during normal usage you have to get trusted coin to sign the transaction with their key so that the transaction goes through. they are the ones that make you enter the otp code.
He was trying to design an OTP system that didn't rely on a third party... ie. you could still require the 2FA app on your phone, but it would be just your Electrum wallet and your 2FA app... no third party involved.

Honestly, I would have thought that the easier system would probably just be running a 2-of-2 MultiSig than attempting to mess around with OTP codes...

NotATether
December 15, 2020, 01:40:12 AM
 #18

the otp is not used to encrypt anything. it's a 2 of 3 multisig wallet with only one of 3 extended private keys stored in the wallet file. during normal usage you have to get trusted coin to sign the transaction with their key so that the transaction goes through. they are the ones that make you enter the otp code.

This part is why I've been fiddling with Electrum's codebase trying to add a different authentication method. I'm trying to make it so that Electrum encrypts the wallet file with the password and otp key so that trustedcoin is not needed.

I guess I could make it a plugin where it will be more accessible to people, but Electrum's plugin documentation is sparse.

pooya87
December 15, 2020, 04:01:53 AM
 #19

the otp is not used to encrypt anything. it's a 2 of 3 multisig wallet with only one of 3 extended private keys stored in the wallet file. during normal usage you have to get trusted coin to sign the transaction with their key so that the transaction goes through. they are the ones that make you enter the otp code.

This part is why I've been fiddling with Electrum's codebase trying to add a different authentication method. I'm trying to make it so that Electrum encrypts the wallet file with the password and otp key so that trustedcoin is not needed.

I guess I could make it a plugin where it will be more accessible to people, but Electrum's plugin documentation is sparse.
The problem is that no matter what you do, the user ends up having to enter that passphrase or decrypt the wallet on their system. If that system is compromised then the malware has the same access as the user and unless they verify things on both sides (the system and the 2FA where the second signature is generated) that malware can still do its thing by interrupting the communication and letting the user think they are communicating with the second party while the malware is.

ranochigo (OP)
December 15, 2020, 04:10:12 AM
 #20

The problem is that no matter what you do, the user ends up having to enter that passphrase or decrypt the wallet on their system. If that system is compromised then the malware has the same access as the user and unless they verify things on both sides (the system and the 2FA where the second signature is generated) that malware can still do its thing by interrupting the communication and letting the user think they are communicating with the second party while the malware is.
I think if we were to ignore the privacy part, since both Electrum and TrustedCoin would compromise privacy anyways.

Would it be better for TrustedCoin to be able to send a message containing the address to the user's 2FA app? Something like this[1] so it becomes more like a push notification. It eliminates the risks of having malware, unless both the user's device and the computer are compromised. The main caveat that I can see from this is that it involves giving another party the transaction information which actually eliminates the privacy aspect completely at this point. At the same time, you can probably trust that the malware cannot modify whatever is displayed on the phone and that Authy or whichever provider is as trustworthy as TrustedCoin.

[1] https://gemini.com/blog/introducing-authy-push
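
The trade-off discussed in posts #19 and #20, as an added example that is not part of any post in this thread and is not TrustedCoin's, Electrum's or Authy's code: a toy co-signer that checks only a standard TOTP code, next to one that checks a code computed over the transaction the phone displayed. `bound_code`, `cosign_otp_only`, `cosign_tx_bound`, the secret, the clock and the addresses are hypothetical, constructed values.

```python
import hashlib
import hmac
import json
import struct

STEP = 30  # seconds per TOTP window (RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def tx_digest(tx: dict) -> bytes:
    """Canonical hash of the fields the user is supposed to be approving."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()

def bound_code(secret: bytes, now: int, tx: dict, digits: int = 6) -> str:
    """Hypothetical phone-side code: like TOTP, but the MAC also covers the tx
    the phone displayed, so it only authorises that exact transaction."""
    msg = struct.pack(">Q", now // STEP) + tx_digest(tx)
    val = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return str(val % 10 ** digits).zfill(digits)

def cosign_otp_only(secret: bytes, now: int, tx: dict, code: str) -> bool:
    """Model of a code-only gate: the tx never enters the check."""
    return hmac.compare_digest(code, totp(secret, now))

def cosign_tx_bound(secret: bytes, now: int, tx: dict, code: str) -> bool:
    """Model of a tx-bound gate: the code must match the tx that was submitted."""
    return hmac.compare_digest(code, bound_code(secret, now, tx))

def demo() -> dict:
    secret = b"constructed-shared-secret"      # constructed sample value
    now = 1_608_000_000                         # constructed fixed clock
    intended = {"to": "ADDR_USER_INTENDED", "sats": 50_000}   # placeholders
    swapped = {"to": "ADDR_SUBSTITUTED", "sats": 50_000}
    otp = totp(secret, now)                     # typed on the desktop
    bound = bound_code(secret, now, intended)   # computed over what the phone showed
    return {
        "otp_only_intended": cosign_otp_only(secret, now, intended, otp),
        "otp_only_swapped": cosign_otp_only(secret, now, swapped, otp),
        "bound_intended": cosign_tx_bound(secret, now, intended, bound),
        "bound_swapped": cosign_tx_bound(secret, now, swapped, bound),
    }

if __name__ == "__main__":
    print(demo())
```

The code-only gate accepts both transactions because nothing in a TOTP value identifies what is being signed; the bound gate only helps if the details are shown and confirmed on a device the desktop cannot alter.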
