2FA/TOTP integration? #435
Comments
Hello, Lonnie! Yes, we plan to add 2FA quite soon.
Should you really do this in the WavesGUI? To make it secure it should be through smart accounts, otherwise a hacker can simply choose not to use the GUI. Then if there is no information held server-side, the whole point of 2FA is lost. Cryptography is strong, so a brute force attack to obtain keys is not feasible. Instead, phishing is used in most cases. If the WavesGUI asks for a second key generated by a device, the phishing site could simply do the same. My idea is that a whole new service is needed, which has a backend with a keychain and an app as frontend. Now the client can configure multisig via smart accounts, where one key pair is generated by the seed and the other one is generated by this service via the app. This could be integrated in the Waves mobile app or as standalone. Whenever the client wants to make a transaction, the service will see this (in outstanding TX) and send a notification via app, prompting the user to accept the transaction (via fingerprint or something). A third backup key pair should be created which is also made available to the user as backup, with the clear message that this key should only be used to disable 2FA. When that key is used, a grace period (like 24h) goes into effect, after which the 2FA is disabled. During this period the user will be notified and warned using several methods (SMS, e-mail, app notification).
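Added example, not part of the thread and not WavesGUI or Waves code: a small Python model of the account policy proposed in the comment above (seed key plus service key required per transaction, backup key only able to start a 24h grace period that ends with 2FA disabled). The `Account` class, the `disable-2fa` message and the HMAC stand-in for real signatures are assumptions made for illustration.

```python
import hashlib
import hmac

GRACE_SECONDS = 24 * 3600  # the "like 24h" grace period from the comment


def sign(key: bytes, msg: bytes) -> bytes:
    # Stand-in for a real signature (assumption): HMAC keeps this stdlib-only.
    return hmac.new(key, msg, hashlib.sha256).digest()


def valid(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


class Account:
    """Hypothetical model of the proposed account-level policy."""

    def __init__(self, seed_key: bytes, service_key: bytes, backup_key: bytes):
        self.seed_key = seed_key
        self.service_key = service_key
        self.backup_key = backup_key
        self.disable_requested_at = None  # set once the backup key is used

    def two_fa_active(self, now: int) -> bool:
        t = self.disable_requested_at
        return t is None or now < t + GRACE_SECONDS

    def request_disable(self, sig: bytes, now: int) -> bool:
        # The backup key can do exactly one thing: start the grace period.
        if not valid(self.backup_key, b"disable-2fa", sig):
            return False
        if self.disable_requested_at is None:
            self.disable_requested_at = now
        return True

    def authorize(self, tx: bytes, sigs: list, now: int) -> bool:
        # Enforced on the account itself, so bypassing the GUI changes nothing.
        seed_ok = any(valid(self.seed_key, tx, s) for s in sigs)
        if not self.two_fa_active(now):
            return seed_ok
        service_ok = any(valid(self.service_key, tx, s) for s in sigs)
        return seed_ok and service_ok
```
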
2FA still matters even for WavesGUI. E.g. one may lose a notebook with the password form stored. So without an additional device an intruder can't log in.
Greetings All,
Just wondering if there are any plans to add 2FA/TOTP to the WavesGUI?
I think that this would be a very nice improvement if possible.
Cheers,
Lonnie