Can we post a bounty to get this feature added?
With 2-factor using an external authenticator like a smartphone, it does not matter if the hacker has your seed phrase, computer password, meta-mask password, or any other password. The hacker would have to have your 2-factor seed key from your authenticator which is not stored on your computer.
Much needed feature :lock:
Yes but you can only add tokens that the hardware wallet supports, isn’t that right? So if you buy a good amount of a microcap (which is a typical use case for MetaMask) then you’re stuck with them there. I would like an email sent for 2FA on any MetaMask withdrawal. Looks like a major flaw but happy to be told otherwise.
You don’t need the seedphrase with keyboard logging malware. And per @cbayschm helpful comment - after using your seedphrase (private key) then the local metamask is permitted to fully interact with the ‘blockchain wallet’. So if that permitted metamask is compromised (through keyboard logger or similar local malware) then the hacker has full access to your blockchain wallet by proxying through your local metamask.
Your misconception is that you need Metamask to control your account, and that is not the reality. Your wallet is in the blockchain; Metamask is only a user interface to interact with it, but the seedphrase/private key is to interact with the blockchain. You would need to add 2FA to the blockchain to avoid what you are saying, but if someone has your seedphrase/private key, even if you have 2FA on Metamask, they can still get to your funds; they can interact with the blockchain directly, without using Metamask.
I repeat, Metamask is only a user interface to interact with your wallet, which is in the blockchain, you can take your seedphrase or private key and add the same wallet to any other program like Trustwallet, Huobi Wallet, Coin98 wallet… any wallet program.
So adding 2FA to Metamask is only adding protection to the user interface, not the wallet. I hope this is more clear.
No, I use Ledger Nano X connected to Metamask (on Web extension on PC) and interact with my hardware wallet through Metamask. This way, even if the Wallet program that you use with the hardware wallet does not support the tokens, using Metamask, you can interact with the tokens as if you were using Metamask with a non-hardware wallet. The only difference is, since the private key is not in your computer, every time you need to accept a transaction on Metamask, the transaction has to be accepted on the hardware wallet.
Right now this is the only REAL way to avoid hacks.
Your misconception is that 2FA cannot be used to prevent metamask hacks. The point of 2FA is to prevent someone who has gained access to your PC and your metamask password. Once they have those two things, they can 1) send all your funds or 2) reveal the seed phrase and open your account on another machine. The point of having metamask include a 2FA step is the hacker would need to get access to your 2FA device (phone or other) in order to reveal the seed phrase or send funds from your metamask.
A common hack with SMS has been to go to a cell provider like ATT and switch your phone SIM to their SIM so 2FA with SMS was compromised. I had that hack happen to me several times and they never got my funds because my account was always protected by 2FA using Authenticator or other 2FA software.
I know this, but you specifically said in your post that it didn’t matter that they had your seed phrase, they couldn’t get your wallet with 2FA. That is completely wrong; if they have your seed phrase, nothing will save you.
I was specifically answering to that misconception.
What you are describing now is completely different scenario, and for that 2FA will help.
Anyway, please don’t take it the wrong way. I am not attacking you in any way; I am making sure you understand how the wallet and blockchain work so everyone can be safer.
Metamask must be safer. Metamask extremely needs a 2FA.
Yes - I stand corrected. Currently, if a hacker has the seed phrase, you are toast. Ideally, the seed phrase could be hashed by the 2FA to protect even the seed phrase. This would protect your seed phrase from attack as well.
Please add this.
2FA for every transaction.
An email verification for every transaction. At least give us something to control and verify for every transaction. There are so many reports of stolen assets lately, it is scary.
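The distinction argued in this thread, as an added example that is not part of any post and is not MetaMask code: a TOTP check in a wallet front end stops someone who has only the unlocked UI, but the BIP-39 seed derives from the phrase alone, so the check never enters the derivation. It also goes one step further to show the idea of mixing a secret into the derivation itself, using the optional BIP-39 passphrase as a stand-in. `WalletUI`, `demo` and all sample values are hypothetical and constructed for illustration.

```python
import hashlib, hmac, struct, unicodedata

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512(phrase, "mnemonic"+passphrase, 2048) -> 64 bytes."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), nfkd("mnemonic" + passphrase), 2048, 64)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class WalletUI:
    """Hypothetical wallet front end that asks for a TOTP code before using the key."""
    def __init__(self, mnemonic: str, totp_secret: bytes):
        self._mnemonic, self._totp_secret = mnemonic, totp_secret

    def signing_seed(self, code: str, now: int) -> bytes:
        if not hmac.compare_digest(code, totp(self._totp_secret, now)):
            raise PermissionError("2FA code rejected")
        return bip39_seed(self._mnemonic)

# Constructed sample values. PHRASE is the public BIP-39 test phrase; never fund it.
PHRASE = "abandon " * 11 + "about"
TOTP_SECRET = b"constructed-authenticator-key"

def demo(now: int = 1_700_000_000) -> dict:
    ui = WalletUI(PHRASE, TOTP_SECRET)
    good = totp(TOTP_SECRET, now)
    wrong = str((int(good) + 1) % 10 ** 6).zfill(6)   # guaranteed to differ from good
    try:
        ui.signing_seed(wrong, now)
        ui_blocked = False
    except PermissionError:
        ui_blocked = True
    via_ui = ui.signing_seed(good, now)
    outside_ui = bip39_seed(PHRASE)                   # any other program, no TOTP involved
    with_extra = bip39_seed(PHRASE, "constructed passphrase")  # secret inside derivation
    return {
        "ui_blocks_wrong_code": ui_blocked,
        "phrase_alone_yields_same_seed": outside_ui == via_ui,
        "phrase_alone_fails_with_passphrase": outside_ui != with_extra,
    }

if __name__ == "__main__":
    print(demo())
```

All three results are `True`: the UI gate rejects a bad code, the phrase alone reproduces the seed without any code, and only a secret that is an input to the derivation changes the resulting seed.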