2 Factor Authentication

Guys,

Just to be clear, 2FA is really good when you have account on a CEX where you are not the owner of the wallet, because if someone gets your password, they still cannot get to your funds, but if someone steals your private key or passphrase, they don’t need to use Metamask app to get to your wallet. So any 2FA on Metamask will only be for you not the hacker, they can use any app to access your wallet, so the 2FA doesn’t work as a security in this case.

Metamask is a user interface to interact with your wallet, but your wallet is in the blockchain, so someone can import your wallet to trust wallet for example and use it without having to use the Metamask 2FA implementations.

2 Likes

Of course what you’ve said makes sense,

But then think about how hackers obtain the seedphrase in the first place?

In most cases it is either because people ‘accidently’ reveal it (which can’t be helped really) or it is because it can be stolen from within metamask if the password/computer/device is compromised.

You are right, and I guess nothing other than having a cold wallet is the most secure option available at the moment, but for those that are using metamask on secure enough computers etc, and are wise enough to most scamming campaigns, it would be an added layer of security for most users and some peace of mind to implement some sort of 2FA for transaction authorisation at least. Trust wallet already has this feature, an option which allows the use of biometrics or passcode to sign every single transaction.

So if you strip it down, really all you need is a cold wallets, transfer all your coins and accounts to that, and then connect hardware wallets to a software wallet for dapp interactions. The more wallets that come out which allow cold wallets to connect to them, the question will arise, whats the point of using metamask in the future?

And hopefully, seed phrases, albeit floating around online via hot wallet set ups, could at some point be linked up with passwords that are used at the point of creating that wallet. So no matter when you recover the wallet to which ever branded wallet online, you’d have to input the associated password you set at the time of the intial wallet set up. Then it doesn’t matter if hackers get the seed phrase cos they’d need the associated password as well. Added security making things difficult for hackers at least. Or the seed phrase could be linked to a password as well as a phone number for extra authentication upon recovery. Nothing is impossible. I don’t have the brains to take this any further though, just stupid ideas.

And of course if someone unfortunately falls for a phishing/scamming campaign then nothing will help, unless a mobile is used as part of of the intial seed phrase set up process. And even then people will give out private access codes. They can’t be helped.

2 Likes

My friend just got hacked and lost more than 15ETH, he never click any sus link or share seed phrase neither QR. However, the hacker can use my friend account, accept all offer of his collection in OS and empty his wallet, transfer to his account. This can be prevented if there is a notification of new login from different devices and authorization from the owner for any transaction.

3 Likes

Can we post a bounty to get this feature added?

1 Like

With 2-factor using an external authenticator like a smartphone, it does not matter if the hacker has your seed phrase, computer password, meta-mask password, or any other password. The hacker would have to have your 2-factor seed key from your authenticator which is not stored on your computer.

4 Likes

much needed feature needed feature​:lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock::lock:

2 Likes

Yes but you can only add tokens that that hardware wallet supports isn’t that right? So if you buy a good amount of a microcap (which is a typical use case for metamask) then you’re stuck with them there. I would like an email sent for 2fa on any metmask withdrawal. Looks like a major flaw but happy to be told otherwise.

1 Like

You don’t need the seedphrase with keyboard logging malware. And per @cbayschm helpful comment - after using your seedphrase (private key) then the local metamask is permitted to fully interact with the ‘blockchain wallet’. So if that permitted metamask is compromised (through keyboard logger or similar local malware) then the hacker has full access to your blockchain wallet by proxying through your local metamask.

1 Like

your misconception is that you need metamask to control your account, and that is not the reality, your wallet is in the blockchain, Metamask is only a user interface to interact with it, but the seedphrase/private key is to interact with the blockchain. You would need to add 2FA to the blockchain to avoid what you are saying, but if someone has you seedphrase/private key, even if you have 2FA on Metamask, they can still get to your funds, they can interact with the blockchain directly, without using Metamask.

I repeat, Metamask is only a user interface to interact with your wallet, which is in the blockchain, you can take your seedphrase or private key and add the same wallet to any other program like Trustwallet, Huobi Wallet, Coin98 wallet… any wallet program.

So adding 2FA to Metamask is only adding protection to the user interface, not the wallet. I hope this is more clear.

3 Likes

No, I use Ledger Nano X connected to Metamask (on Web extension on PC) and interact with my hardware wallet through Metamask. This way, even if the Wallet program that you use with the hardware wallet does not support the tokens, using Metamask, you can interact with the tokens like if you where using Metamask with a non-hardware wallet. The only difference is, since the private key is not in your computer, every time you need to accept a transaction on Metamask, the transaction has to be accepted on the hardware wallet.

Right now this is the only REAL way to avoid hacks.

2 Likes

Your misconception is that 2FA cannot be used to prevent metamask hacks. The point of 2FA is to prevent someone who has gained access to your PC and your metamask password. Once they have those two things, they can 1) send all your funds or 2) reveal the seed phrase and open your account on another machine. The point of having metamask include a 2FA step is the hacker would need to get access to your 2FA device (phone or other) in order to reveal the seed phrase or send funds from your metamask.

A common hack with SMS has been to goto a cell provider like ATT and switch your phone SIM to their SIM so 2FA with SMS was compromised. I had that hack happen to me several times and they never got my funds because my account was always protected by 2FA using Authenticator or other 2FA software.

2 Likes

I know this, but you specifcally said in you post that it didn’t matter that they had your seed phrase, they couldnt get your wallet with 2FA, that is completely wrong, if they have your seed phrase, nothing will save you.

I was specifically answering to that misconception.

What you are describing now is completely different scenario, and for that 2FA will help.

Anyway, please don’t take it the wrong way, I am not attacking you in any way I am making sure you understand how the wallet and blockchain works so everyone can be safer.

1 Like

Metamask must be safer. Metamask extremely needs a 2FA.

2 Likes

Yes - I stand corrected. Currently, if a hacker has the seed phrase, you are toast. Ideally, the seed phrase could be hashed by the 2FA to protect even the seed phrase. This would protect your seed phrase from attack as well.

3 Likes

Please add this.
2fa for every transaction.
An email verification for every transaction. At least give us something to control and verify for every transaction. There are so many reports of stolen assets lately, it is scary.

2 Likes

Thanks for the post.

MetaMask is non custodial. This means that 2fa won’t work with it. At best it will provide you with a false sense of security:

What you need is a hardware wallet:

2 Likes

Sorry for your lost guys. Same thing just happened to me too, I lost 1K worth of ETH from Metamask, so I extremely agree with 2 FA security on Metamask.
But just wondering do you guys get your coin/money back? where we ca nreport this “robbery”?

1 Like

I feel it’s safer for us and our wallet

2 Factor Authentication has been discussed with the MetaMask team and it is currently not a feature that has been decided to move further into development.

Please refer to the post below for more information :point_down: