Chia software/wallet Two Factor Authentication

Why doesn’t the Chia software (that includes access to your wallet) have two factor authentication? Basically if someone gains access to your computer that has a node loaded, they can just open the software and transfer your balance. I think it should either have TFA set up on login to the software or to confirm a transaction (second method preferred and normally what most exchanges do). Maybe I am speaking out of turn, I have never sent Chia. Maybe it is there already, but I doubt it since I don’t see any way to set up TFA. Is this on their list of improvements?

1 Like

Generally, I’d say 2FA doesn’t really help much if you leave your computer unlocked in an insecure place. Most can be bypassed by email reset, which you probably also still have open.

In other words: if people have physical access to your machine, very much is at risk already.

It’s a good idea but likely very low on the priority list for the team.

1 Like

You are assuming 2FA to email. I didn’t specify, but I mean a 2FA app that generates a code and having the 2FA to confirm a transaction would mean leaving the program open would not matter.

I understood you perfectly :blush: I own multiple YubiKeys and love using 2FA for everything. Just saying that it’s probably not a high priority since if an attacker already has access to your wide open machine then you already have bigger problems. :wink:

As said, the idea isn’t bad at all, but the developers have to prioritize.

Better yet, if we had chia support in ledger, get it off farming pc

Chia XCH in Ledger? : ledgerwallet (reddit.com)

1 Like

Yeah we definitely need some sort of cold wallet support!

2 Likes

In reference to the post directly above this one, :point_up_2:, posted by @cultiv, talking about cold wallets, I offer the following reply: don’t we have a few topics on this? Searching for “cold wallet” produces

among other posts.

1 Like

This thread is not about a cold wallet. It is about wishing the Chia software required 2FA when submitting a transaction. Someone did mention a cold wallet, but that was not the original topic. Unless your comment was just directed to @cultiv. Then sorry.

1 Like

Yep, my reply was directed to the post above it. I will edit it so it’s extra clear this is the case.

Sure thing, but this process currently needs to be followed online, cold wallets should really be created completely offline since your computer or network may already have been infiltrated upon creation.

@WolfGT Sorry to derail this topic, but the scenario you present seems very difficult to secure:

(a very) fictional scenario:

  • You’re at the office farming away on the spare drive you plugged in
  • You walk away leaving your computer unlocked
  • Your colleague, who you’ve talked to at length about Chia sees their opportunity to get rich off of your work and send all the Chia you have to their own wallet
  • Oh no! It’s asking for a Google Authenticator code
  • Alright, time to install some spyware to exfiltrate the info next time you use it (or extract private keys from credential stores, etc)

Unlikely? Yes, but with enough motivation, a 2FA code is not going to stop anyone from getting your hard earned Chia.

Additionally, I am not sure how the seed value for 2FA would be securely stored on an unlocked computer without first requiring a password to unlock it. So to securely implement this might require an additional password. Which is fine of course since 2FA is usually “something you know” and “something you have”.

Again, I think it’s a good idea to implement a 2FA confirmation to thwart casual attacks, but it’s not going to stop a determined person who has physical access to your computer. Which is why, if I was working day and night on finishing the pooling protocol, I would not prioritize this feature very high for now.

But this is all speculation, if you want a feature, make sure to go file a feature request so people can vote on it: Sign in to GitHub · GitHub

1 Like

It seems you are assuming Google Authenticator is on the computer too. If it can be run on a PC, I have never done it that way. It is on my phone. So in your scenario is he somehow getting my phone, getting logged into it (somehow) and installing spyware on my phone? Doesn’t sound very likely since like everyone nowadays, my phone never leaves my sight.

So the way your scenario would really play out if 2FA were in effect (using Google Authenticator, which is actually what I use) would be:

  • I’m farming away
  • Leave my system unlocked
  • Dickhead colleague that I will never talk to again tries to be a huge asshole.
  • Oh no! 2FA.
  • End of story because he will never get my phone or be able to get in it if he somehow did.

I am not.

No, scenario is that they find a way around 2FA, your 2FA code has an origin code/key, which is stored in your computer and which produces that QR code you scan to get it in your phone. If you leave your computer unlocked it will be really hard to protect that origin code which HAS to be stored on your computer too. Get the code and you are done, you can import it in any 2FA app.

Every time I have set up 2FA, the QR code was presented on the screen directly from the website I was setting it up for. Then use the app on my phone to link to it. That code is not stored anywhere. It wasn’t emailed, it wasn’t saved. If you know of a hole there somewhere, I would love to know about it. I just don’t see how anyone is getting linked to it once that specific web page is closed. It’s a one time deal. That is the entire purpose of 2FA.

Yes, that code is stored:

  • On the website’s server
  • On your phone

:slight_smile:

In your scenario the code needs to be stored in the Chia app on your computer and in your phone, this is the only way the correct number can be generated for you on your phone to type into the app.

I think you are reaching. That original code to link the 2FA application to the site/software is not recoverable. Unless someone is screenshotting your system at that very moment, they are not getting it. Beyond that, the only way to bypass the system would be to install some malware on the phone running the authenticator app. To do that, they would have to get the phone long enough to perform that task. Is that possible, sure. Likely, no.

Every security precaution you put in place will have a way around it. But bypassing 2FA using an authenticator app is not as easy as you make it sound.

For example, my taxslayer account: Right now, the only way (THE ONLY WAY) to get access would be to have physical access to my phone and be able to unlock it. That’s it. There is no magical code sitting somewhere that can be recovered and used on another device.

I am not reaching, I have implemented these systems.

I’m telling you that the magic code is required to live on both your phone AND on the server. The exact same code needs to be stored on the server as on your phone or else you will never both be able to generate the same code to type in.

If someone has access to the Taxslayer server, your 2FA code is completely useless depending on how it’s stored, I do not think you can even store it in anything but plain text, for example:

I’ll be happy to be proven wrong though. The post above talks about the code being verified on a remote server. Which is again useless if someone has access to your machine, a man-in-the-middle attack is child’s play at that point.

So if we extrapolate this to Chia: if you leave your computer unlocked then that means your “server” (the Chia app) is compromised and 2FA is completely useless.

1 Like

But the code wouldn’t be in the chia app. It would be at chia in their servers. So you would either need to hack a phone or hack chia servers. Both of which are out of the realm of something an overly eager so-called friend would be able to do.

By the way, I will repeat: requiring 2FA is a GREAT idea, it will help a lot with MANY casual attacks, just not if you leave your computer unlocked.

The best option in this case would probably be 2FA + an immediate SMS/email alert that someone has initiated a transfer of your funds. It will still be too late, but chances are you at least have a pretty good idea of who stole your Chia.

And while Google Authenticator type 2FA is too easy to circumvent, better options are the YubiKey, or some service like Twilio as described in the StackOverflow post above. These might be harder to circumvent since you need to talk to a server and your colleague first needs to figure out who’s talking to what and why.

1 Like

I doubt Chia wants to be responsible for 2FA servers, not their core business. But as above: man-in-the-middle on an unlocked computer will slow the attacker down, so that would indeed be better. But if we look at the incentives: you’ve talked your colleague’s ear off about Chia and how much you already won, let’s say 10K worth! Then they could definitely do their homework and learn first how to MiTM your wide open machine.

Moral of the story: just lock your machine when the Chia app is running! :wink:

1 Like

I don’t see how a MiTM attack would even play out. That would require you (the owner of the chia account) to go into a fake website (or redirected to a fake website via some sort of proxy) and enter the real/current code. If I was not sending any transactions, why would I go and enter any code anywhere for that person to steal? If that person is just sitting at his computer 24/7 waiting for me to make a transaction, uh wow. Then he has a max of 30 seconds to pull off his heist. And again, I would have to be the one initiating this entire process. Going in to do a legit transaction. Would the system even accept two transactions back to back with the same auth code? I would think a basic security step would be to force a delay between transactions. A minute delay would totally make the MiTM attack worthless.

2FA would be a great addition to the software to confirm transactions. Leaving it open is just not right. And it would have to be held at the server side, not in the software. They are in the business of encryption so it should not be a big deal to them.

There are plenty of articles about how to circumvent 2FA. But in reality, none of them are easy and the common person looking for a quick buck is not capable of performing the necessary steps to accomplish it. Even if they did take the time to do their research.

The only way I see 2FA realistically getting bypassed is if someone hacked either the 2FA server at the host (in this case Chia) or hacked your phone. Both are possible, but the odds are pretty slim.
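
Two points argued in this thread, shown as an added example that is not from any poster or from the Chia software: an authenticator-app code (TOTP, RFC 6238) is computed from a secret that the verifying side must hold in recoverable form, and a verifier can refuse a second use of the same 30-second code. The `Verifier` class and `demo` function are hypothetical, and the key is the published RFC 6238 test key, not a real secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
# Constructed sample: the RFC 6238 SHA-1 test key, base32-encoded as a QR code would carry it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """Code an authenticator app shows at unix_time for this shared secret."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical verifying side (a website, or a wallet app checking locally)."""

    def __init__(self, secret_b32: str):
        # The verifier recomputes the HMAC, so it needs the raw secret.
        # A one-way hash of it (as used for passwords) would not work.
        self.secret_b32 = secret_b32
        self.last_step = -1  # highest time step already accepted

    def verify(self, code: str, unix_time: int, window: int = 1) -> bool:
        now = unix_time // STEP
        for step in range(now - window, now + window + 1):
            if step <= self.last_step:
                continue  # this step's code was already consumed: treat as replay
            if hmac.compare_digest(totp(self.secret_b32, step * STEP), code):
                self.last_step = step
                return True
        return False

def demo():
    server = Verifier(SECRET)
    phone_code = totp(SECRET, 59)        # what the phone shows at t=59
    copied_code = totp(SECRET, 59)       # any holder of the same secret gets the same code
    first = server.verify(phone_code, 59)
    replay = server.verify(phone_code, 59)        # same code inside the same window
    next_step = server.verify(totp(SECRET, 89), 89)  # fresh code in the next step
    return phone_code, copied_code, first, replay, next_step
```

Because the secret has to be readable wherever verification happens, protecting it at rest (an OS keystore, a separate server, or a hardware token) is what decides how much the second factor is worth.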