Security Is More than a Password — It's a Signature
The technology behind Bitcoin and the blockchain is secure; we know this because it leverages mathematically proven cryptographic protocols. The core protocol, the Elliptic Curve Digital Signature Algorithm (ECDSA), is what “ensure[s] that [Bitcoin] funds can only be spent by their rightful owners.” However, this level of security doesn’t always transfer to the businesses and applications offering services in the Bitcoin industry today.
People who register for Bitcoin services are instructed to create a strong password and to keep it somewhere safe. This small piece of information is often the most they’ll ever hear about how to keep their account secure. They might use a secondary measure called two-factor authentication (2FA), which traditionally comes in the form of:
- A token - a standalone piece of hardware that displays a code
- Email or SMS - a code received via email or SMS text message
- An app - codes delivered via an app running on a smartphone, computer, or tablet
Unfortunately, adoption statistics for 2FA are low unless the service enforces it. As a recent study indicated, only 27% of users adopted 2FA voluntarily at work, with common complaints that it was “annoying to have to remember to carry security tokens, while others experienced delays from SMS based codes, and were annoyed especially when paying for incoming texts.” Some also complained about having to use app codes with smartphones because “one has to look down to unlock screen, find app, open app, and read the code.”
This is despite the 2005 US-issued guidance from the Federal Financial Institutions Examination Council officially recommending the use of multi-factor authentication for online banking. Considering that Bitcoin is largely used as a digital currency, it would make sense that, at minimum, the same security standards as online banking would apply. And given the anonymity and irreversibility of Bitcoin transactions, Bitcoin users should be taking advantage of as many of the available security tools as they can.
To demonstrate some of the many reasons why 2FA should be implemented, here’s a list of the different attack vectors used against Bitcoin accounts:
- Brute force - An attacker checks all possible keys or passwords until the correct one is found. It’s the oldest and most obvious way to break into an account, and every login form is exposed to it.
- Man-in-the-middle attacks - An attacker intercepts communications between the user and the site where they’re logging in. Sensitive information is stolen in transit, and this is often done by Wi-Fi snooping, malicious redirects, or malicious plugins in a user’s browser. 2FA codes can be intercepted here.
- Malware or keyloggers - An attacker records (or logs) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard remains unaware that their actions are being monitored. This is most commonly executed by a computer virus. 2FA codes are also not secure against this one.
- Server breach - An attacker gains access to the copy of credentials stored on the server in order to compromise a large number of accounts. Because passwords are used by a central server to verify each login, it is standard practice to salt (add random text to) and hash (run through a one-way function) the stored credentials. Hashed passwords can still be cracked, though; it just might take longer.
Basically, a simple password is not enough to prevent an attacker from gaining access and moving coins from your account to theirs. As a Bitcoin user, I enable 2FA with every account I use. This is after twice losing Bitcoins to a thief. The accounts are still vulnerable, though, to keylogging and snooping, because 2FA involves typing in a code. This can’t be avoided when using apps like Authy or Google Authenticator, the two traditional 2FA apps in use with Bitcoin companies.
When Koinify chose to use a different type of 2FA called Clef, it came as a surprise. Unlike 2FA apps where a code is generated and typed in, the Clef Wave is ‘type-less’ and uses the same public-key cryptography as the blockchain, which means that neither Clef nor the web service maintains a central database of passwords or two-factor secrets. According to the Clef whitepaper, their 2FA approach prevents brute force, man-in-the-middle attacks and keyloggers, protecting user accounts against more attacks than all the other 2FA options available.
This new model by Clef 2FA works similarly to Bitcoin transactions: the app signs the Clef Wave, creating a digital signature that is sent to Clef for verification. Because the only information sent is a verifiable signature, this is akin to the public transaction data in the blockchain—and just like a Bitcoin wallet, the private key never leaves the user’s possession.
When asked why Bitcoin users should consider using Clef, Brennen Byrne, Co-Founder of Clef, stated they are “building 2-factor for Bitcoin companies.”
He also explained:
“Clef uses the same cryptography as Bitcoin leveraging a distributed system and incorporates the same fundamental aspects used in the Bitcoin Blockchain.”
The setup process is simple for users, who download the iOS or Android app, which is secured by a PIN code on the phone itself. During login, the website prompts the user with an image of a Clef Wave that signals the user to match it with the Clef Wave on the app. This creates the digital signature that is part of the cryptographic handshake many Bitcoin users will already be familiar with, as it is similar to what happens during a Bitcoin transaction.
Whereas Bitcoin is made up of three distinct technologies—public and private key cryptography, a distributed ledger and a proof-of-work mining algorithm—Clef provides a simple way to leverage public and private key cryptography with its visual 2FA model. With 44,738 websites already using Clef, each cryptographic signature the Clef Wave generates could be yet another step towards mainstream adoption for Bitcoin.
Since Koinify announced they were using Clef, many other Bitcoin companies have followed suit and have either launched or are currently integrating Clef 2FA for their users. It seems like we’re going to hear a lot more about Clef in the coming weeks. Lastly, Clef has a motto: F#%! passwords.
By Lisa Cheng