4 research outputs found
SmartOTPs: An Air-Gapped 2-Factor Authentication for Smart-Contract Wallets
With the recent rise of cryptocurrencies' popularity, the security and
management of crypto-tokens have become critical. We have witnessed many
attacks on users and providers, which have resulted in significant financial
losses. To remedy these issues, several wallet solutions have been proposed.
However, these solutions often lack either essential security features,
usability, or do not allow users to customize their spending rules.
In this paper, we propose SmartOTPs, a smart-contract wallet framework that
gives a flexible, usable, and secure way of managing crypto-tokens in a
self-sovereign fashion. The proposed framework consists of four components
(i.e., an authenticator, a client, a hardware wallet, and a smart contract),
and it provides 2-factor authentication (2FA) performed in two stages of
interaction with the blockchain. To the best of our knowledge, our framework is
the first one that utilizes one-time passwords (OTPs) in the setting of the
public blockchain. In SmartOTPs, the OTPs are aggregated by a Merkle tree and
hash chains whereby for each authentication only a short OTP (e.g., 16B-long)
is transferred from the authenticator to the client. Such a novel setting
enables us to make a fully air-gapped authenticator by utilizing small QR codes
or a few mnemonic words, while additionally offering resilience against quantum
cryptanalysis. We have made a proof-of-concept based on the Ethereum platform.
Our cost analysis shows that the average cost of a transfer operation is
comparable to existing 2FA solutions using smart contracts with
multi-signatures.
Decentralizing Custodial Wallets with MFKDF
The average cryptocurrency user today faces a difficult choice between
centralized custodial wallets, which are notoriously prone to spontaneous
collapse, or cumbersome self-custody solutions, which if not managed properly
can cause a total loss of funds. In this paper, we present a "best of both
worlds" cryptocurrency wallet design that looks like, and inherits the user
experience of, a centralized custodial solution, while in fact being entirely
decentralized in design and implementation. In our design, private keys are not
stored on any device, but are instead derived directly from a user's
authentication factors, such as passwords, soft tokens (e.g., Google
Authenticator), hard tokens (e.g., YubiKey), or out-of-band authentication
(e.g., SMS). Public parameters (salts, one-time pads, etc.) needed to access
the wallet can be safely stored in public view, such as on a public blockchain,
thereby providing strong availability guarantees. Users can then simply "log
in" to their decentralized wallet on any device using standard credentials and
even recover from lost credentials, thereby providing the usability of a
custodial wallet with the trust and security of a decentralized approach.