2 Factor Authentication

ElonWest · September 9, 2021, 6:14pm

Can we post a bounty to get this feature added?

ElonWest · September 9, 2021, 8:49pm

With 2-factor using an external authenticator like a smartphone, it does not matter if the hacker has your seed phrase, computer password, meta-mask password, or any other password. The hacker would have to have your 2-factor seed key from your authenticator which is not stored on your computer.

zxc4586 · September 13, 2021, 12:34pm

much needed feature needed feature:lock:

pdjhh · September 13, 2021, 9:30pm

Yes but you can only add tokens that that hardware wallet supports isn’t that right? So if you buy a good amount of a microcap (which is a typical use case for metamask) then you’re stuck with them there. I would like an email sent for 2fa on any metmask withdrawal. Looks like a major flaw but happy to be told otherwise.

pdjhh · September 13, 2021, 9:31pm

You don’t need the seedphrase with keyboard logging malware. And per @cbayschm helpful comment - after using your seedphrase (private key) then the local metamask is permitted to fully interact with the ‘blockchain wallet’. So if that permitted metamask is compromised (through keyboard logger or similar local malware) then the hacker has full access to your blockchain wallet by proxying through your local metamask.

cbayschm · September 15, 2021, 2:13am

your misconception is that you need metamask to control your account, and that is not the reality, your wallet is in the blockchain, Metamask is only a user interface to interact with it, but the seedphrase/private key is to interact with the blockchain. You would need to add 2FA to the blockchain to avoid what you are saying, but if someone has you seedphrase/private key, even if you have 2FA on Metamask, they can still get to your funds, they can interact with the blockchain directly, without using Metamask.

I repeat, Metamask is only a user interface to interact with your wallet, which is in the blockchain, you can take your seedphrase or private key and add the same wallet to any other program like Trustwallet, Huobi Wallet, Coin98 wallet… any wallet program.

So adding 2FA to Metamask is only adding protection to the user interface, not the wallet. I hope this is more clear.

cbayschm · September 15, 2021, 2:18am

No, I use Ledger Nano X connected to Metamask (on Web extension on PC) and interact with my hardware wallet through Metamask. This way, even if the Wallet program that you use with the hardware wallet does not support the tokens, using Metamask, you can interact with the tokens like if you where using Metamask with a non-hardware wallet. The only difference is, since the private key is not in your computer, every time you need to accept a transaction on Metamask, the transaction has to be accepted on the hardware wallet.

Right now this is the only REAL way to avoid hacks.

ElonWest · September 15, 2021, 4:48am

Your misconception is that 2FA cannot be used to prevent metamask hacks. The point of 2FA is to prevent someone who has gained access to your PC and your metamask password. Once they have those two things, they can 1) send all your funds or 2) reveal the seed phrase and open your account on another machine. The point of having metamask include a 2FA step is the hacker would need to get access to your 2FA device (phone or other) in order to reveal the seed phrase or send funds from your metamask.

A common hack with SMS has been to goto a cell provider like ATT and switch your phone SIM to their SIM so 2FA with SMS was compromised. I had that hack happen to me several times and they never got my funds because my account was always protected by 2FA using Authenticator or other 2FA software.

cbayschm · September 15, 2021, 11:52am

I know this, but you specifcally said in you post that it didn’t matter that they had your seed phrase, they couldnt get your wallet with 2FA, that is completely wrong, if they have your seed phrase, nothing will save you.

I was specifically answering to that misconception.

What you are describing now is completely different scenario, and for that 2FA will help.

Anyway, please don’t take it the wrong way, I am not attacking you in any way I am making sure you understand how the wallet and blockchain works so everyone can be safer.

yay3 · September 15, 2021, 6:31pm

Metamask must be safer. Metamask extremely needs a 2FA.

ElonWest · September 15, 2021, 7:10pm

Yes - I stand corrected. Currently, if a hacker has the seed phrase, you are toast. Ideally, the seed phrase could be hashed by the 2FA to protect even the seed phrase. This would protect your seed phrase from attack as well.

Yyyyyy · September 21, 2021, 11:11am

Please add this.
2fa for every transaction.
An email verification for every transaction. At least give us something to control and verify for every transaction. There are so many reports of stolen assets lately, it is scary.

CryptoHamilton · September 28, 2021, 9:28pm

Thanks for the post.

MetaMask is non custodial. This means that 2fa won’t work with it. At best it will provide you with a false sense of security:

What you need is a hardware wallet:

baktislam · October 9, 2021, 11:06pm

Sorry for your lost guys. Same thing just happened to me too, I lost 1K worth of ETH from Metamask, so I extremely agree with 2 FA security on Metamask.
But just wondering do you guys get your coin/money back? where we ca nreport this “robbery”?

Bolix37 · November 12, 2021, 6:09pm

I feel it’s safer for us and our wallet

nakedwinnie · December 1, 2021, 3:12pm

2 Factor Authentication has been discussed with the MetaMask team and it is currently not a feature that has been decided to move further into development.

Please refer to the post below for more information