Daedelus (OP)
|
|
February 28, 2015, 09:36:47 PM |
|
would be interesting if there was a way to create a dynamic password generator that is somehow linked to your mobile with an app like google authenticator when using nxt login.
You covered a lot of ground there! What do you mean by dynamic? If you mean random, the main client generates a diceware password with a greater entropy than the encryption in Nxt, all done client side so it is secure against bruteforcing. If you still don't trust that, then you can create your own diceware password and enter it yourself. Two phase transactions will act like google authenticator, in that you can set it up to need two (or more) accounts to approve any transactions from your main account. It has the same effect in that if someone hacks your account, they can't steal anything or purchase scam assets/mscoins the would-be thief is selling. Not all of this is in the mobile wallet but there is constant development. You might want to look at the online wallets you can access at mynxt.info or nxtblocks.info. They use the short password you use in your log in to create a secure password as above so they are easier to use on the move. There are also Android and iOS apps available but don't know a lot about them.
|
|
|
|
|
box0211
|
|
March 02, 2015, 04:04:16 AM |
|
no what i meant was have it generate a custom QR time based code that is derived from your password. so every time someone logs in to nxt they must have the constantly changing pin # to login to their account.
|
|
|
|
Daedelus (OP)
|
|
March 14, 2015, 09:15:02 PM |
|
The surprise gifts just keep on coming - Multiaccount wallets. Login in Nxt 1.5 does not require a password anymore. Only sending a transaction does. In effect, 1.5 has a multi-account wallet as a client side only feature.
|
|
|
|
Daedelus (OP)
|
|
March 14, 2015, 09:16:26 PM |
|
no what i meant was have it generate a custom QR time based code that is derived from your password. so every time someone logs in to nxt they must have the constantly changing pin # to login to their account.
Sorry, I forgot about this. I think I understand. I'll ask the devs, Jones is always interested in stuff like this.
|
|
|
|
jones_
|
|
March 14, 2015, 09:34:19 PM |
|
no what i meant was have it generate a custom QR time based code that is derived from your password. so every time someone logs in to nxt they must have the constantly changing pin # to login to their account.
Sorry, I forgot about this. I think I understand. I'll ask the devs, Jones is always interested in stuff like this.
I am. My most recent system uses an encrypted wallet.dat type format where you can use a keypad to type in your PIN to unencrypt the nxt secretphrase. That way your account is safe against keyloggers and losing your wallet.dat, and it's short enough to be rememberable.
|
|
|
|
Daedelus (OP)
|
|
March 14, 2015, 09:41:23 PM |
|
I knew it. Could it be adjusted to rely on a dynamic pin generator, a different PIN produced each use? That sounds complicated to do.
|
|
|
|
allwelder
|
|
March 14, 2015, 11:34:32 PM |
|
great, wait for NRS1.5
|
|
|
|
jones_
|
|
March 15, 2015, 03:53:18 AM |
|
I knew it. Could it be adjusted to rely on a dynamic pin generator, a different PIN produced each use? That sounds complicated to do.
It could reencrypt the data with a different key each time, but it would just be more work for the user remembering new passwords each time the previous one is entered. A 2fa like system would be cool, but is fairly impractical in a non centralized system. The closest to that is a project I've heard called nxt vault, but they plan to use nxt phasing and account control to achieve multisig like 2fa.
|
|
|
|
box0211
|
|
March 15, 2015, 01:35:22 PM |
|
maybe make a 2fa that somehow correlates to the block height since it changes. and with the block height u generate a 2fa code that only u remember. say for example a math formula. ex. block height is 1000. now u decide enter ur own 2fa formula which is: (blockheight * 2) + 5
2fa code is 2005
this is all derived from the block height and the formula u remember. this makes it an always changing pass without the need of another device.
does this make sense?
|
|
|
|
jabo38
mining is so 2012-2013
|
|
March 15, 2015, 02:46:43 PM |
|
maybe make a 2fa that somehow correlates to the block height since it changes. and with the block height u generate a 2fa code that only u remember. say for example a math formula. ex. block height is 1000. now u decide enter ur own 2fa formula which is: (blockheight * 2) + 5
2fa code is 2005
this is all derived from the block height and the formula u remember. this makes it an always changing pass without the need of another device.
does this make sense?
using block height as a part of the 2FA is a pretty interesting idea
|
|
|
|
Eadeqa
|
|
March 15, 2015, 07:14:29 PM |
|
maybe make a 2fa that somehow correlates to the block height since it changes. and with the block height u generate a 2fa code that only u remember. say for example a math formula. ex. block height is 1000. now u decide enter ur own 2fa formula which is: (blockheight * 2) + 5
2fa code is 2005
does this make sense?
No, it doesn't make sense. This is nonsense. Who decides if your formula is correct and lets you login? Where is the formula saved? Why can't the hacker use the same formula?
|
|
|
|
box0211
|
|
March 16, 2015, 02:45:57 AM |
|
your password is the formula. you never type the formula. you calculate it in your head and you just type it out. even if there was a key logger they wouldn't be able to steal the code since it's always changing. no one will know ur formula.
i haven't figured out where it's saved yet.. just an idea for now.
|
|
|
|
Eadeqa
|
|
March 16, 2015, 05:18:02 AM |
|
your password is the formula. you never type the formula. you calculate it in your head and you just type it out. even if there was a key logger they wouldn't be able to steal the code since it's always changing. no one will know ur formula.
This doesn't make any sense. The client (software) also has to know the same formula -- the one that is in your head -- otherwise how does the software check if your number is correct? 2FA doesn't work with a decentralized system. It works when there are two parties, one is a server, and the second one is your phone, both have the same secret and can verify the code generated by the same shared secret. What you are saying makes no sense, as you and the software you are using must have the same formula on the same machine. That doesn't add any security.
|
|
|
|
jones_
|
|
March 16, 2015, 06:10:13 AM |
|
your password is the formula. you never type the formula. you calculate it in your head and you just type it out. even if there was a key logger they wouldn't be able to steal the code since it's always changing. no one will know ur formula.
This doesn't make any sense. The client (software) also has to know the same formula -- the one that is in your head -- otherwise how does the software check if your number is correct? 2FA doesn't work with a decentralized system. It works when there are two parties, one is a server, and the second one is your phone, both have the same secret and can verify the code generated by the same shared secret. What you are saying makes no sense, as you and the software you are using must have the same formula on the same machine. That doesn't add any security.
Not impossible, just different. What if I have a smartphone app that has a secretphrase encrypted with the data in a qr code kept somewhere else, then I need to scan that qr code to decrypt the secretphrase, the app signs the transaction bytes with it and then discards the secretphrase and qr code data. Then someone with my phone can't use my nxt unless they have my qr code also, 2 factors of authentication.
|
|
|
|
Eadeqa
|
|
March 16, 2015, 07:38:51 PM |
|
What if I have a smartphone app that has a secretphrase encrypted with the data in a qr code kept somewhere else, then I need to scan that qr code to decrypt the secretphrase, the app signs the transaction bytes with it and then discards the secretphrase and qr code data.
This isn't true 2FA. In 2FA the code is generated dynamically, so it changes every 30 seconds and can't be reused. What you describe here is a static password in the phone that you are scanning instead of typing. That isn't 2FA. Nxt client never saves the password anyway, so if you don't like typing that password, you can write an app that scans it instead. Same thing. This isn't 2FA.
|
|
|
|
Daedelus (OP)
|
|
March 18, 2015, 11:59:34 AM |
|
Account Control (lock your account to prevent any thefts, only allow transfers to specified accounts and others) looks like it could be in version NRS 1.6. So any news about AC now ?
Another dev, Petko, is working on AC. I see regular updates in a corresponding branch, so I think it will be in 1.6
|
|
|
|
ChuckOne
☕ NXT-4BTE-8Y4K-CDS2-6TB82
|
|
March 18, 2015, 05:27:36 PM |
|
2FA in Nxt will be realized with hashchains.
What if I have a smartphone app that has a secretphrase encrypted with the data in a qr code kept somewhere else, then I need to scan that qr code to decrypt the secretphrase, the app signs the transaction bytes with it and then discards the secretphrase and qr code data.
This isn't true 2FA. In 2FA the code is generated dynamically, so it changes every 30 seconds and can't be reused. What you describe here is a static password in the phone that you are scanning instead of typing. That isn't 2FA. Nxt client never saves the password anyway, so if you don't like typing that password, you can write an app that scans it instead. Same thing. This isn't 2FA.
|
|
|
|
Daedelus (OP)
|
|
March 18, 2015, 05:31:06 PM |
|
2FA in Nxt will be realized with hashchains.
What if I have a smartphone app that has a secretphrase encrypted with the data in a qr code kept somewhere else, then I need to scan that qr code to decrypt the secretphrase, the app signs the transaction bytes with it and then discards the secretphrase and qr code data.
This isn't true 2FA. In 2FA the code is generated dynamically, so it changes every 30 seconds and can't be reused. What you describe here is a static password in the phone that you are scanning instead of typing. That isn't 2FA. Nxt client never saves the password anyway, so if you don't like typing that password, you can write an app that scans it instead. Same thing. This isn't 2FA.
What (rough) release will hashchains be in? And is that the tech that prevents spam and allows zero fees?
|
|
|
|
Daedelus (OP)
|
|
March 18, 2015, 05:31:29 PM |
|
Also, for the fans...
Hi folks,
right now, we are busy finishing the experimental version of 1.5.0e. It will contain the long-announced Voting System and phased transactions.
Voting System will give several options to create polls and several options to vote on such created polls. Also, the set of voters can be restricted.
Phased transactions lead to a new kind of transactions: transactions included within a block but with delayed execution.
However, understanding its implications requires a severe amount of time and consideration (concerning the protocol, server-side, UI-side, third-party applications, etc.) which the team currently is working on. We are on a good track to pin down every corner case, try to smooth things out and remove insensible use-cases.
That's so far for the upcoming release 1.5.0e. I cannot tell a release date for now. We first need to make sure we got it all right (at least theoretically) to reduce the amount of work later on.
Cheers, Chuck
|
|
|
|
|