-
Notifications
You must be signed in to change notification settings - Fork 646
Wallet 2 Factor Authentication Protocol
Two factor authentication is critical for maximizing security and ease of use. In the case of cryptocurrencies two-factor authentication means gathering multiple signatures on a transaction to authorize a transfer. The process of gathering these signatures requires passing around a transaction digest to multiple parties who will automatically provide their signature after verifying your identity by some means.
The purpose of this protocol is to define a standard way for 3rd parties to provide automatic 2-factor authentication services with any standard Graphene wallet. Users of a Graphene wallet can easily add any number of 2-factor authentication (2FA) providers to their account and the Graphene wallet will use this protocol to gather the required signatures for the transaction.
A user wishing to add one or more 2FA providers to their account will need to update their account permissions to require the authority of one key from the user AND the authority of a second account controlled by the 2FA provider. The purpose of this protocol is to help automate the gathering of any additional signatures in a standardized manner.
For the purpose of this document https://secondfactor.org
will be the example service provider and alice
will be the account name of the user seeking services from secondfactor.org.
The first thing a user must do is identify themselves with secondfactor.org
by some means. This may be as simple as verifying an email address, registering a phone number, or ordering a keyfob.
A Graphene account is how secondfactor.org
authenticates itself with a Graphene blockchain. We will assume secondfactor.org
has registered the Graphene account name sfactor
.
When alice
approaches sfactor
and signs up for 2FA she needs to add a second signer on the account alice
. The goal is for sfactor
to sign anything at the request of alice
but to do this without compromising the sfactor
. To do this a new account must be registered on the blockchain that is effectively controlled by alice
via sfactor
. We will call this new account sfactor.alice
. sfactor.alice
will be configured so that it's owner authority is sfactor
, but it's active authority is a unique public key assigned to the account by sfactor
. At any time sfactor
may update the active authority of sfactor.alice
using the owner permissions.
Alice will have to update the active permissions of account alice
to require both her key and the permission of alice.sfactor
to approve any action on the part of alice
. She can either do this manually or https://secondfactor.org can use the [Transaction Request Protocol](Transaction Request Protocol) to automatically ask alice
to approve the change to her account.
After the alice
account has been updated it will now require permission from alice.sfactor
to authorize any action.
The most basic 2-factor API assumes the provider.
reates an account with secondfactor.org