2FA for withdrawals

Are there any plans to implement 2FA for BTC withdrawals?
I’d like a bit more security than just a password.

Cheers

I think the problem of implementing 2FA is that Bisq is decentralized. No one to help when a phone is lost etc and there is no backup.

Take a look at the previous discussion here Bitsquare wallet safety when compared to other hot wallets?


Perhaps something like using HMAC-SHA1 challenge response on a security key could work? I believe you can use it as part of the decryption key for LUKS disk encryption, so it could be possible to encrypt a wallet with it too? Most of that is a little over my head, so someone that knows a little more about encryption would have to say for sure if it’s possible.

So, if I understand the previous wallet safety discussion @pazza cited, the reason implementing 2nd Factor Authentication (2FA) via SMS or a One Time Password (OTP) authenticator app would not provide benefit is that the shared secret would need to be stored in the bisq software on the user’s computer (since bisq is server-less). Hacking to steal someone’s bisq wallet coins would simply mean the attacker would need to steal the OTP secret, and then could withdraw the coins.

Storing one’s coins on a wallet external to bisq, as suggested in the referenced thread, provides far better security, and potentially better privacy, depending on how private the other wallet is. If you use an external wallet to fund your trade addresses, trade in bisq by accepting existing offers (which locks your coins into the trade address multisig), and withdraw to an external wallet soon after trade completion, you minimize the time coins could be withdrawn from bisq by an attacker to the time between trade completion and coin withdrawal. If you make bisq offers, your coins would be sitting on your computer until someone accepts your offer.

2FA for withdrawals would improve this. Perhaps we could give users an option to use 2-2 multisig addresses in the bisq wallet, initialized with the user’s external wallet as the second signer, and a variable (user’s choice of duration) time-lock to switch to a single bisq signature to guard the user losing the second signing key. Users could then roll their bisq wallet balance into a new multisig before the time lock expired to keep their coins safe. The second signature basically would function as a server-less 2FA, and the time lock gives a bit of grace to recover from losing the 2nd signature.

I think such an implementation would be workable, and yet increase the complexity of the project for the developers.
Let’s analyze the problem: not wanting funds to stay parked on a hot wallet (which Bisq is).
When does this happen? Whenever funds are not locked in an open trade.
So when, exactly?

  1. funds are sitting there idle
  2. funds are reserved in an open offer (and can be released by anyone canceling the offer)
  3. funds have just been released from a completed trade

Solutions:

  1. don’t leave idle funds on Bisq
  2. (and 3 as well) have Bisq immediately send the released funds to a set address of an external wallet

This would increase security, at the cost of the inconvenience of having to always move funds from and to an external wallet.

Thanks—your summary is far more concise than my second paragraph.

Quick clarification: when coins are reserved in an open offer (#2 in your list above), how does that work under the hood? Is the local bisq hot wallet signing a partially signed bitcoin transaction (PSBT, 1 of 2 signatures), then advertising it to bisq peers, and when someone accepts the offer their bisq signs the 2nd signature and broadcasts it on chain, locking it in the 2-of-2 multisig trade address?

In other words, until someone accepts the offer, the local bisq client could cancel the offer and withdraw the bitcoin to another wallet at any time. In other words, the bitcoin are sitting in a hot wallet from the time an offer is created until a trading peer accepts it.

Currently the hot wallet nature of bisq incentivises people to accept existing offers, but discourages folks from making lots of offers. Improving security in the hot wallet may remove a barrier to people posting more offers. This could increase the number of available offers by increasing people’s willingness to leave bitcoin in offers.

You made a nice supposition, where nice means “nice thinking”, though the reserved liquidity is not a PSBT, but just a utxo that bisq itself doesn’t let you spend (but that you could spend, were you to load the wallet into another software), see the “Reserved” definition here: Wallet - Bisq Wiki

So even funds reserved by Bisq wallet are just a normal utxo, it’s your responsibility not to spend it from another wallet, and yes, they are hot funds that anyone with access to your bisq app, and knowing the passphrase, can send out at any time after canceling the open offer.

I honestly don’t see a way to make bisq act as a cold wallet, because it simply isn’t :slight_smile: Rather, the software would need to act as a watch-only wallet, and you would need a hardware wallet associated with it so you can send out transactions every time you want to withdraw, or to “mark payment sent”, or “confirm payment received”… I think that this would be quite a hit in UX.

Advanced users who know the drawbacks of a hot wallet will provide to only keep as little funds as needed on bisq, and for as little time as possible, setting a strong passphrase, and securing as much as possible the pc where bisq runs.

Actually, the idea I’ve been wondering about is whether the existing 2-of-2 code that’s used for the trade wallet could be reused/refactored to create an option to turn the local bisq wallet into a 2-of-2 wallet with an external user-supplied wallet.

The high-level idea would be that moving any funds from the local bisq wallet would require both the local signature and the external local signature. Creating an offer for a trade would require the user’s external wallet to sign the UTXO(s) for the offer, but the local bisq wallet wouldn’t sign the second signature until bisq had a peer accepting the offer, at which point the local bisq would sign the second signature and the offer’s UTXO could then be combined with the Taker’s UTXO in the 2-of-2 trade address; payouts would similarly be sent to a local 2-of-2 multisig. In other words, offers that weren’t yet accepted would be PSBT (1 of 2 signatures), with the second signature being the local bisq, so the software would still be free to accept Takers. Thus bisq would no longer be a hot wallet, but it also wouldn’t be reduced to a watch-only wallet.

(I may have misunderstood how the trade multisigs work, and my proposition might not be workable without the Taker’s pubKey.)

Of course, users who don’t have a second/external wallet could have the option to continue using bisq as a risk-minimized hot wallet, using it primarily for trading and saving on another wallet.

I think this could also increase bisq’s liquidity of Maker offers, as UTXOs in offers wouldn’t be sitting in a hot wallet, so more people might be more willing to make offers, knowing that their bitcoin wasn’t at risk.
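As an added illustration of the scheme sketched in the two proposals above (a local/external 2-of-2 wallet, plus the user-chosen time-lock that falls back to the local key alone), here is how that spending policy looks as a Bitcoin witness script. This is example code written for this thread, not Bisq code and not either poster’s design in detail: it assumes a native P2WSH output, a relative time-lock via OP_CHECKSEQUENCEVERIFY (BIP 68/112), constructed placeholder keys and signatures, and it does no signing or transaction building.

```python
import hashlib

# Opcode byte values from the Bitcoin Script opcode table.
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_IF, OP_ELSE, OP_ENDIF, OP_DROP = 0x63, 0x67, 0x68, 0x75
OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKSEQUENCEVERIFY = 0xAC, 0xAD, 0xB2
OP_NAMES = {OP_0: "OP_0", OP_IF: "OP_IF", OP_ELSE: "OP_ELSE", OP_ENDIF: "OP_ENDIF",
            OP_DROP: "OP_DROP", OP_CHECKSIG: "OP_CHECKSIG",
            OP_CHECKSIGVERIFY: "OP_CHECKSIGVERIFY",
            OP_CHECKSEQUENCEVERIFY: "OP_CHECKSEQUENCEVERIFY"}

# Constructed placeholder public keys (33-byte compressed form), NOT real keys.
PK_LOCAL = b"\x02" + b"\x11" * 32      # key held by the local bisq wallet
PK_EXTERNAL = b"\x03" + b"\x22" * 32   # key held by the user's external wallet


def script_num(n: int) -> bytes:
    """Minimal push of a non-negative script number: OP_0, OP_1..OP_16, or a
    little-endian sign-magnitude data push for larger values."""
    if n < 0:
        raise ValueError("negative numbers are not needed here")
    if n == 0:
        return bytes([OP_0])
    if n <= 16:
        return bytes([OP_1 + n - 1])
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:          # keep the sign bit clear for a positive value
        out.append(0x00)
    return bytes([len(out)]) + bytes(out)


def push(data: bytes) -> bytes:
    """Direct data push of 1..75 bytes (enough for a compressed pubkey)."""
    if not 1 <= len(data) <= 75:
        raise ValueError("direct push supports 1..75 bytes")
    return bytes([len(data)]) + data


def fallback_script(pk_local: bytes, pk_external: bytes, grace_blocks: int) -> bytes:
    """Witness script for: (local AND external) OR (local AND grace_blocks elapsed).

        OP_IF <pk_external> OP_CHECKSIGVERIFY
        OP_ELSE <grace_blocks> OP_CHECKSEQUENCEVERIFY OP_DROP OP_ENDIF
        <pk_local> OP_CHECKSIG
    """
    if not 1 <= grace_blocks < 0x10000:
        raise ValueError("a block-based relative lock must fit in 16 bits")
    return (bytes([OP_IF]) + push(pk_external) + bytes([OP_CHECKSIGVERIFY])
            + bytes([OP_ELSE]) + script_num(grace_blocks)
            + bytes([OP_CHECKSEQUENCEVERIFY, OP_DROP, OP_ENDIF])
            + push(pk_local) + bytes([OP_CHECKSIG]))


def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """Native segwit v0 output committing to the script: OP_0 <32-byte sha256>."""
    return bytes([OP_0, 0x20]) + hashlib.sha256(witness_script).digest()


def disassemble(script: bytes) -> list:
    """Human-readable tokens: opcode names, small ints, pushed data as hex."""
    tokens, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:                      # direct push of `op` bytes
            tokens.append(script[i:i + op].hex())
            i += op
        elif OP_1 <= op <= OP_16:
            tokens.append(str(op - OP_1 + 1))
        else:
            tokens.append(OP_NAMES.get(op, f"OP_UNKNOWN_{op:02x}"))
    return tokens


def cooperative_witness(sig_local: bytes, sig_external: bytes, witness_script: bytes) -> list:
    """Normal withdrawal: both signatures; 0x01 makes OP_IF take the first branch."""
    return [sig_local, sig_external, b"\x01", witness_script]


def fallback_witness(sig_local: bytes, witness_script: bytes) -> list:
    """Recovery after the grace period: local signature only; the empty item sends
    OP_IF down the ELSE branch, and the input's nSequence must be >= grace_blocks."""
    return [sig_local, b"", witness_script]


if __name__ == "__main__":
    # About 30 days of blocks at ~144 blocks/day, chosen by the user.
    script = fallback_script(PK_LOCAL, PK_EXTERNAL, 144 * 30)
    print(" ".join(disassemble(script)))
    print("scriptPubKey:", p2wsh_script_pubkey(script).hex())
```

Two properties of this construction matter for the proposal. The lock is relative (CSV), so it restarts from the confirmation of each new output; rolling the balance into a fresh output before the grace period runs out, as the earlier post describes, is exactly what keeps the single-key path closed. And the fallback path cuts both ways: whoever holds only the local key, including someone who has compromised the bisq machine, can also wait out the grace period and spend, so the chosen duration is a trade-off between recovering from a lost external key and the window in which the coins are still effectively hot.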

I can reply on this, I think, with more confidence than what I would be able to do with the rest.
Until now, you are the only one I know who has voiced their doubts about Bisq’s hot wallet being a possible turnoff for traders (and I absolutely respect your opinion), on the other side I have had the impression that the reason there aren’t more makers (not that I think there’s few of them, by all means), is that new users will just be presented with existing offers, and they think (I know I did, when I first started) that making offers is a much bigger deal than what it actually is.

Your reasoning makes sense to me. Perhaps I’m more curious than others, as I remember trying making an offer almost immediately when I started using bisq, just to see how the process went.

Do we have any stats on the comparison of the number of Makers offering to sell bitcoin versus the number of Takers selling bitcoin? Perhaps that might be a data point that could indicate if I’m alone in hesitating to make sell offers, or if others also make fewer sell offers, as I do. That wouldn’t explain the reasons for people’s actions, however; for my part I know it’s because I don’t like leaving bitcoin in a hot wallet longer than necessary.

Please also know I understand that one can quite easily minimize the time with coins in bisq’s hot wallet by funding all trades from and to an external wallet… If one does this, really the only time coins are ‘hot’ is until trade offers are accepted. I guess in the current setup that incentivises people to make offers near market price that are likely to be taken quickly.

Stats you can quickly access are the number of made offers to buy and made offers to sell, and usually the former are more than the latter; also considering the spread between the kinds of offers, I don’t see sellers making offers to publish low prices, like, at all.