2 Factor Authentication

Apologies if this has already been raised before, but I’m just wondering whether there are plans to implement 2FA (either by mobile or email verification) upon logging in to Metamask or making trades/swaps? I think this would be a very useful security feature. Thanks.

I was about to type the same request and then I saw this post. Yes please, I agree. An authenticator like 2FA or Google Authenticator would be awesome. At least I would feel a lot more safe. So +1 on this.

12 Likes

Yes, it’s absolutely needed.

7 Likes

Highly recommend investing in a hardware wallet to use as the 2FA in the meantime.

6 Likes

So worth it!! Lost so much in a compromised wallet… don’t procrastinate on it.

6 Likes

Yes! So necessary these days.
I just somehow lost 20K USD from MetaMask.
Someone hacked my MetaMask - some website.
I don’t know how it happened, but this authorization is so, so needed.
I really hope they can develop it quickly, at least for withdrawing money out of my wallet.

6 Likes

I also believe that this function is necessary for logging in and confirming transfers. I wanted to suggest an idea, but I see that they have already come up with it before me. I support it!

6 Likes

Good evening, I am new and was looking to see whether there is a way to set up 2FA.
I think the more security, the better.

3 Likes

Would be so much easier to understand if you type in English.

2 Likes

Good night, I’m new and was looking for a way to put 2FA.
I think the more security the better

6 Likes

Yep. Agreed. MetaMask needs 2FA.

An idea: any withdrawal from MetaMask requires a 2FA code be entered if the user opts to enable this feature, a notification sent (if desired) to a phone number/email registered with the account (optional), and add an optional log of withdrawal requests maintained within the MetaMask wallet (would require implementing a feature within MetaMask to accommodate this).

Crypto scams are a major problem. Stories abound of funds being stolen from all but the most savvy users. One should not have to be an advanced crypto user to be able to safely enjoy MetaMask.

The lack of security features within MetaMask feeds the narrative that crypto is a hotbed of crime. It makes unwanted regulation more likely.

If the crypto community (like the developers behind MetaMask) don’t start taking active steps to make crypto a safer investment, governments will take those steps for them. If government is forced to act because organizations like MetaMask refuse to, then the whole crypto community will be set back.

A likely way that government will impose restrictions on crypto is by outlawing the use of anonymous wallet addresses that have not gone through the KYC process. Government is concerned about the criminal use of crypto (i.e. ransomware, using crypto to fund criminal enterprises) and they are also concerned when their constituents’ money is stolen. MetaMask could at least attempt to make it look like it’s a good citizen within the larger community by addressing some of these lawmakers’ concerns.

7 Likes

I am so sorry for your loss. The same thing happened to me this morning, so I’m just wondering how your funds are right now? Did you reach out to any institution to help you get the funds back?

1 Like

Hope they add this feature, as MetaMask is a money wallet app… it needs very strong security… they must apply the 2 factor authentication feature because many accounts have been hacked and they have nothing to do with it… also they don’t shoulder the loss, so they must tighten the security features of this wallet…

1 Like

I completely agree! I hear so many horror stories of people having their computer hacked and people getting their seed phrase stolen. Why isn’t this the norm? Having the 2FA on a separate device would be similar security as a cold wallet!

3 Likes

Up on this.
Seed phrase alone is not really effective. I often see posts from people who are getting hacked. Does anyone know if metamask plans to add this feature? Feels like we are being ignored.

2 Likes

I’m re-upping this.

It’s actually ridiculous on MetaMask’s part that MFA is not implemented. MFA is an extremely mature technology with very well-documented paths on how to implement it, and is one of the most user-friendly methods of massively increasing account security. The fact that MM did not consider MFA as part of its minimal viable product is understandable, but you are now a serious player in a game that’s moving millions of dollars per day. To not have these basic protections in place for your users is unacceptable.

In addition, the response of “just get a hardware wallet” is passing more onus onto the end users from MM’s perspective, in a way I also find unacceptable. Your users are trusting you; do you want them all to migrate away in favor of hardware wallets or another provider because you haven’t taken basic steps to protect them and their wealth? I’m quite new to the crypto space, and MM is the easiest thing to use for now, but as soon as I find a good alternative that supports MFA, I’ll be transferring everything to it ASAP if MM does not at least acknowledge that MFA is on their roadmap.

Please consider the safety and well-being of your users. If someone gets their wallet emptied, you never know what that may do to them.

5 Likes

Didn’t see this thread but I just wrote a feature request again on the MFA topic, please check it out! Thread is called;

‘Upgraded security required asap’

Spread the word and get this voted up so it comes to attention of the devs asap!

2 Likes

Guys,

Just to be clear, 2FA is really good when you have an account on a CEX where you are not the owner of the wallet, because if someone gets your password, they still cannot get to your funds. But if someone steals your private key or passphrase, they don’t need to use the Metamask app to get to your wallet. So any 2FA on Metamask will only be for you, not the hacker; they can use any app to access your wallet, so the 2FA doesn’t work as security in this case.

Metamask is a user interface to interact with your wallet, but your wallet is in the blockchain, so someone can import your wallet to Trust Wallet, for example, and use it without having to use the Metamask 2FA implementations.

1 Like

Of course what you’ve said makes sense,

But then think about how hackers obtain the seedphrase in the first place?

In most cases it is either because people ‘accidentally’ reveal it (which can’t be helped really) or it is because it can be stolen from within MetaMask if the password/computer/device is compromised.

You are right, and I guess nothing other than having a cold wallet is the most secure option available at the moment, but for those that are using metamask on secure enough computers etc, and are wise enough to most scamming campaigns, it would be an added layer of security for most users and some peace of mind to implement some sort of 2FA for transaction authorisation at least. Trust wallet already has this feature, an option which allows the use of biometrics or passcode to sign every single transaction.

So if you strip it down, really all you need is a cold wallet, transfer all your coins and accounts to that, and then connect hardware wallets to a software wallet for dapp interactions. The more wallets that come out which allow cold wallets to connect to them, the question will arise, what’s the point of using MetaMask in the future?

And hopefully, seed phrases, albeit floating around online via hot wallet setups, could at some point be linked up with passwords that are used at the point of creating that wallet. So no matter when you recover the wallet to whichever branded wallet online, you’d have to input the associated password you set at the time of the initial wallet setup. Then it doesn’t matter if hackers get the seed phrase cos they’d need the associated password as well. Added security making things difficult for hackers at least. Or the seed phrase could be linked to a password as well as a phone number for extra authentication upon recovery. Nothing is impossible. I don’t have the brains to take this any further though, just stupid ideas.

And of course if someone unfortunately falls for a phishing/scamming campaign then nothing will help, unless a mobile is used as part of the initial seed phrase setup process. And even then people will give out private access codes. They can’t be helped.

2 Likes
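An added illustration of the two points argued in the posts above (not part of any post and not MetaMask's code): the standard BIP-39 seed derivation takes only the recovery words and an optional passphrase as inputs, so an app-level 2FA setting cannot change what the words unlock, while a passphrase chosen at wallet creation does. The mnemonic is the public BIP-39 test vector, and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test-vector mnemonic, used here as sample input only.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 iterations, 64-byte output."""
    def nfkd(text: str) -> str:
        return unicodedata.normalize("NFKD", text)
    # Collapsing stray whitespace is a convenience of this example.
    words = " ".join(nfkd(mnemonic).split())
    salt = "mnemonic" + nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def same_wallet(seed_a: bytes, seed_b: bytes) -> bool:
    """Equal seeds mean equal keys and addresses in every compliant wallet."""
    return hmac.compare_digest(seed_a, seed_b)


def demo() -> dict:
    # Wallet created from the words alone.
    plain = bip39_seed(TEST_MNEMONIC)
    # Another wallet app restoring the same words: no 2FA state is an input.
    other_app = bip39_seed(TEST_MNEMONIC)
    # Wallet created with a passphrase (the "associated password" idea).
    protected = bip39_seed(TEST_MNEMONIC, "TREZOR")
    # Someone holding only the words, without the passphrase.
    words_only = bip39_seed(TEST_MNEMONIC, "")
    # A mistyped passphrase raises no error; it yields a different wallet.
    mistyped = bip39_seed(TEST_MNEMONIC, "trezor")
    return {
        "words_alone_restore_in_any_app": same_wallet(plain, other_app),
        "words_without_passphrase_open_protected": same_wallet(words_only, protected),
        "mistyped_passphrase_opens_protected": same_wallet(mistyped, protected),
    }


if __name__ == "__main__":
    for claim, result in demo().items():
        print(f"{claim}: {result}")
```

Because a wrong passphrase silently produces a different, empty wallet rather than an error, the passphrase needs the same backup discipline as the words themselves.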

My friend just got hacked and lost more than 15 ETH; he never clicked any sus link or shared his seed phrase or QR. However, the hacker could use my friend’s account, accept all offers on his collection in OS and empty his wallet, transferring it to his own account. This can be prevented if there is a notification of a new login from different devices and authorization from the owner for any transaction.

1 Like