
Secure second-factor authentication for custodial wallets



Institutional custody often involves the management of substantial amounts of cryptocurrencies, often belonging to multiple users. The total value managed is often in billions. While cryptocurrency keys can be managed inside hardware security modules (HSMs), which are highly secure, the application that interacts with the HSM using an API key is often in an environment that is much less secure.

The Secret Zero Problem

If this application misbehaves or is compromised and the API key is stolen, a custodian could see heavy losses. This is an instance of the well-known Secret Zero Problem; while most of the secrets can be protected inside secure environments, there is at least one secret that remains in an environment that may be considered less secure.

Figure 1: An illustration of the Secret Zero Problem.

The typical way custodial wallet service providers address this issue is by providing a second-factor authentication system. Once a user initiates a cryptocurrency transfer, the user is asked to enter a PIN or a time-based one-time password (TOTP) generated by an authenticator app installed on their phone. Google Authenticator and Duo are commonly used authenticator apps.

In this article, I question whether this approach is indeed more secure and whether it solves the Secret Zero Problem.

2FA isn't helpful in insecure environments

In reality, second-factor authentication systems are often deployed in insecure environments; that is, they are often deployed in the same environment as the backend application managing the HSM API keys. If this insecure environment is breached by an attacker or malicious insider, the cryptocurrency keys managed by the HSM could be used to sign transactions, and this could lead to heavy losses for the custodial wallet provider and their customers.

Figure 2: Second-factor authentication systems are often deployed in insecure environments.

When second-factor authentication systems are compromised, such events do make headlines. For example, the second-factor authentication system of a well-known exchange was recently compromised and over 400 users lost somewhere between $30 million and $40 million in cryptocurrencies. The exchange took the loss on its own account and compensated the users. But such events do hurt the reputations of businesses that aim to maintain the highest standards of security.

The problem is not with second-factor authentication; 2FA is important. The problem lies in how second-factor authentication systems are implemented and deployed. If a second-factor authentication system is deployed in the same insecure environment as the backend app controlling secret zero, then there is no qualitative improvement in the security of the system as a whole.

A better solution to 2FA

What if we could do better? What if, instead of deploying the second-factor authentication system in an insecure environment, we deploy it inside the secure HSM environment? This approach has legs, especially if the code deployed can be "frozen"; i.e., a rogue administrator is not able to modify the second-factor authentication code.

Figure 3: An illustration of how TOTP works.

As mentioned earlier, TOTP is a popular choice for a second-factor authentication system. TOTP is an algorithm that generates a one-time password (OTP) using the current time as a source of uniqueness.

At user registration time, the authentication system generates a token and shares it with the user. This token is often presented as a QR code that the user scans with their authenticator app. The TOTP algorithm relies on the fact that most computer systems are roughly time-synchronized with each other.

The authenticator app takes the shared token and the current time as input and generates a new TOTP every 30 seconds. When the authenticatee wants to access some functionality protected by the authenticator, it computes the TOTP value and supplies it to the authenticator. The authenticator also computes the TOTP value and then checks whether the TOTP value supplied by the authenticatee matches the locally generated TOTP value. If the values match, the authenticatee is granted access to the protected functionality.

The security of custodial wallets could be significantly improved by deploying code inside the HSM boundary that implements secure TOTP, secure key management and secure transaction signing. The HSM will not sign a transaction even if the custodial wallet's backend system is compromised. Transactions can only be signed with the user's involvement.

Figure 4: Transaction signing with 2FA.

During transaction signing, the user provides the TOTP, and the plugin ensures that the transaction is signed only after the TOTP is validated.
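The following sketch is an added example, not code from the article or from Fortanix: it implements TOTP as specified in RFC 6238 and gates signing on a valid, unused one-time password. The SigningBoundary class is a hypothetical stand-in for code running inside the HSM boundary, and an HMAC stands in for the real transaction signature.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(time / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SigningBoundary:
    """Hypothetical stand-in for code running inside the HSM boundary.

    The TOTP secret and the signing key exist only here. The wallet
    backend can call sign() but can read neither secret.
    """

    def __init__(self, totp_secret: bytes, signing_key: bytes):
        self._totp_secret = totp_secret
        self._signing_key = signing_key
        self._last_step = -1  # highest time step already accepted

    def sign(self, tx: bytes, otp: str, now: int, skew_steps: int = 1):
        """Return a signature only if otp is valid for now (+/- skew)."""
        current = now // 30
        for step in range(current - skew_steps, current + skew_steps + 1):
            if step <= self._last_step:
                continue  # replay protection: each time step is usable once
            expected = totp(self._totp_secret, step * 30)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                self._last_step = step
                # Assumption: HMAC stands in for the real signature scheme.
                return hmac.new(self._signing_key, tx, hashlib.sha256).hexdigest()
        return None  # no valid OTP, so the signing key is never used
```

A backend that holds only the API credential gets None from sign() for every request it cannot pair with a fresh code from the user's authenticator, and a code observed in transit cannot be reused for a second transaction.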

Figure 5: New architecture with 2FA service deployed as a DSM SaaS plugin.

The new architecture is shown in figure 5. In comparison to figure 2, the second-factor authentication service is deployed inside the secure environment of the HSM. Even if the custodial wallet backend is compromised, cryptocurrency transactions cannot be signed without the user being part of the loop.

In conclusion, the Secret Zero Problem is a tough one. It shows up in its nastiest avatar when dealing with blockchain-based assets that are bearer in nature. Once such assets are transferred, they cannot be retrieved with human intervention.

Under the hood, present-day second-factor authentication systems are not as secure as they appear. A compromised 2FA system often leads to loss of reputation; preventing this loss is critical in the industry. A strong, practical solution to this problem is needed. I propose a solution mandating that cryptocurrency transactions never happen unless a user is in the loop.

Pralhad Deshpande, Ph.D., is a senior solutions architect at Fortanix.
