What is 2FA?
Two-factor authentication (2FA) is a security process in which users present two different authentication factors to verify themselves, ideally from different categories: something you know (a password or PIN), something you have (a phone or hardware token), or something you are (a fingerprint or face). Two-factor authentication provides a higher level of security than single-factor authentication (SFA), in which the user provides only one factor, typically a password or passcode.
Are there different types of 2FA?
Some 2FA methods are:
- OTP (one-time passcode) over SMS
- Out-of-band SMS
- Google Authenticator
- Mobile authentication
- Push notification
- Soft token
- OTP (one-time passcode) over email
- Out-of-band email
- Display hardware token
- YubiKey hardware token
- Security questions
- Phone verification
- Voice verification
The XRP Ledger and 2FA
Most 2FA methods rely on a "shared secret".
For example, when Google asks you to enter a 6-digit code to access your account, you and Google both hold the same secret key, and each side independently derives the current code from that key plus the current time (the TOTP scheme used by Google Authenticator).
The trick is that the secret itself is never transmitted; only the short-lived codes are. An attacker who sees a code cannot recover the secret from it, so they cannot generate the next code. A captured code is still usable for the remaining seconds of its validity window, which is why the codes rotate every 30 seconds.
This works well on a centralized service like Google because Google's servers hold the other copy of the secret and enforce the check before granting access. The XRP Ledger has no such party: the ledger accepts a transaction purely on the strength of its cryptographic signature, and there is nowhere on the XRPL to store a "shared secret" or to run the check. To implement 2FA, the XRPL would need a centralized, third-party system to "control" access, which does not make sense on a public, decentralized blockchain.
You might think that multi-signing accomplishes the same thing as 2FA, since you can require two or more signers to approve a transaction. That only simulates 2FA, and only if the signing keys live on separate devices that are not kept in the same place; two keys on one device are one factor, not two.
Xumm uses "4FA"
Consider the following requirements to get access to your XRP Ledger account managed with Xumm:
1) physical access to your phone
2) some way to unlock your phone
3) some way to access Xumm (could be the same as #2, e.g. FaceID / Fingerprint)
4) some way to sign transactions on your account (optional extra security using a configured password)
We cannot control the first two. You are responsible for your phone and for keeping it safe, and for choosing a secure passcode to unlock it.
However, let's say that someone has acquired your phone and somehow circumvented your password and now has full access to it.
An attacker launches Xumm and tries to brute-force your 6-digit passcode. Six digits give only 1,000,000 possible combinations (000000, 000001, 000002 ... 999997, 999998, 999999), so they start entering passcodes at a rate of one per second, and about 11.5 days later they have tried every combination. Now they have access to Xumm.
Except for one countermeasure we built into Xumm: it allows only 5 attempts before it starts adding a delay before the next attempt, and after the ninth wrong entry every further attempt requires a 2-hour wait. That caps an attacker at 12 attempts per day. Instead of 11 days to try all of the combinations, exhausting them would take about 83,333 days, or roughly 228 years. (On average the right passcode turns up about halfway through the search, so the realistic figure is around 114 years, which still exceeds any attacker's patience.)
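The following is an added example (not Xumm's code) that models this kind of escalating lockout in Python and computes how long exhausting the 6-digit keyspace takes with and without it. The article gives only the end points of the delay schedule (five free attempts, growing delays, two hours after the ninth wrong entry); the intermediate delays in `ASSUMED_DELAYS`, the class `PasscodeLock` and the helper names are assumptions made for this illustration.

```python
import hmac
from dataclasses import dataclass

MINUTE = 60
HOUR = 3600
KEYSPACE_6_DIGITS = 10 ** 6          # passcodes 000000 .. 999999

# ASSUMED delay schedule. The article states only the end points (five free
# attempts, growing delays, then two hours after the ninth wrong entry); the
# intermediate steps here are illustrative values, not Xumm's real ones.
# Index i = seconds of lockout after i+1 consecutive wrong entries; failure
# counts beyond the list keep the last value.
ASSUMED_DELAYS = [0, 0, 0, 0, 0, 15 * MINUTE, 30 * MINUTE, 60 * MINUTE, 2 * HOUR]
NO_THROTTLE = [0]                    # baseline: no lockout at all


def delay_after(failures: int, schedule=ASSUMED_DELAYS) -> int:
    """Lockout (seconds) imposed after `failures` consecutive wrong entries."""
    if failures <= 0:
        return 0
    return schedule[min(failures, len(schedule)) - 1]


@dataclass
class PasscodeLock:
    """Minimal model of an app-side passcode gate with escalating lockout."""
    passcode: str
    failures: int = 0
    locked_until: float = 0.0        # earliest time at which input is accepted

    def attempt(self, guess: str, now: float) -> bool:
        if now < self.locked_until:
            raise PermissionError(f"locked until t={self.locked_until:.0f}s")
        if hmac.compare_digest(guess, self.passcode):   # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        self.locked_until = now + delay_after(self.failures)
        return False


def seconds_to_exhaust(keyspace: int, schedule=ASSUMED_DELAYS,
                       attempt_time: float = 1.0) -> float:
    """Worst-case wall-clock seconds to try every passcode once, typing one
    guess per `attempt_time` seconds and honouring the lockout schedule."""
    wrong_guesses = keyspace - 1     # worst case: the final guess is the right one
    ramp = sum(schedule[:min(wrong_guesses, len(schedule))])
    steady = max(0, wrong_guesses - len(schedule)) * schedule[-1]
    return keyspace * attempt_time + ramp + steady


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * HOUR)


if __name__ == "__main__":
    unthrottled = seconds_to_exhaust(KEYSPACE_6_DIGITS, NO_THROTTLE)
    throttled = seconds_to_exhaust(KEYSPACE_6_DIGITS)
    print(f"no lockout  : {unthrottled / 86400:9.1f} days")
    print(f"with lockout: {throttled / 86400:9.1f} days = {years(throttled):.0f} years "
          f"(average case about {years(throttled) / 2:.0f} years)")
```

The state machine is the part worth copying: the gate refuses input outright while locked rather than merely slowing the response, counts consecutive failures, and resets only on a correct entry. The arithmetic only confirms the article's figures (about 11.5 days unthrottled, about 228 years with the two-hour steady state).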
However, let's say someone manages to guess your 6-digit passcode in under 228 years; now they have to figure out your signing password. Honestly, how hard can that really be, right? Well, we set the limit on the length of your password at a mere 2,091,752 terabytes. In other words, you could make your password so long that it would take up all of the storage space on your 512GB phone and about 4 million other 512GB phones before you ran out of space to store it. Provided you selected a strong signing password, this could take a while to guess. What matters is not the maximum length but the unpredictability of what you actually choose; a short or guessable password is weak no matter how large the limit is.