aaroncox/vessel

One-time passwords?

aleclarson opened this issue · 5 comments

Here's a package you can use for Google Authenticator support: https://www.npmjs.com/package/notp

I'll have to dig into that and see exactly how it could be implemented, but thanks for the lead on that. It'd be nice to have an even more secure way to lock down your accounts on your local machine.

I did some research and I'm not entirely sure that this would actually secure a Vessel wallet any further than it already is. It would create the illusion of security, but this security could be broken if anyone gained access to the device you were running on, essentially bypassing 2FA.

The reason for this is that a secret key needs to be saved in order for the 2FA codes to be validated against it. This secret key would have to be saved on your device (since there's no server for Vessel to talk to), and should anyone compromise the device, they'd be able to read this secret and essentially bypass the 2FA, rendering it useless.

Going to close this until the point where I find a solution capable of providing additional security.

I was thinking "there has to be a service that provides 2FA secret storage to serverless applications", and realized there probably is, but then I realized Remme would probably be even better since it uses blockchain tech. Maybe consider giving that a try when it rolls out. 😄

Edit: Actually, seems like if your device is compromised, Remme won't help (but not 100% on that).

Edit 2: Here's the whitepaper if you're interested.

I'll definitely have to keep an eye on that one and see how it turns out :)

IMHO, the best security for an application like Vessel would be Ledger Nano S and TREZOR integration.