What is two-factor authentication?
Two-factor authentication (2FA) is a security scheme that stops someone who knows your login and password from accessing your account. Access requires two separate pieces of evidence, called factors, that belong only to the legitimate user and are hard to forge: for instance, a user ID and password, an access key, a digital signature, proof of possession of an email account, a mobile phone or another device, or a one-time password.
In Ambisafe Software, we use one-time passwords sent to a user’s email as an additional factor in the authentication process.
When is 2FA required?
CryptoWallet and AmbiVault check both factors before any of the following operations, repeating the check every 30 minutes, as long as the user's account balance is not zero:
- Sign in
- Password change
- Enable or disable the mobile app (Google Authenticator/Authy) 2FA
- Email change
- Fund transfer
- P2P exchange order creation
How does it work?
When users create a CryptoWallet or AmbiVault account, they should:
- Fill in the registration form.
- Provide an email address and confirm it.
- Install a 2FA application (e.g. Google Authenticator - https://support.google.com/accounts/answer/1066447) on their smartphones and link it to the account in security settings. CryptoWallet and AmbiVault will require a one-time password (OTP) from this application.
2FA is now considered enabled for the account. From this moment on, whenever users want to log in to CryptoWallet or AmbiVault, or to perform any of the actions listed above, they should:
- Provide their email and password.
- Open the application to obtain a one-time password (OTP).
- Enter the received code to confirm their right to access the account or to perform the action.
For example, Alice has registered, confirmed her email and is logging in to CryptoWallet for the first time with her email address and password. No 2FA is requested here because her balance is zero.
Alice gives her address to Bob and receives an incoming token transfer. She then wants to send some of the tokens back to Bob. CryptoWallet asks for an OTP confirmation by email, because the last check happened an undefined number of minutes ago (in fact, it never happened) and 2FA via the smartphone application is not enabled. When the code arrives, Alice enters it and confirms the transfer of tokens to Bob's address.
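The step-up rule from "When is 2FA required?" and the Alice/Bob scenario above, modelled as an added Python example (not Ambisafe's code), together with RFC 6238 TOTP verification for the authenticator-app factor. The operation names, epoch-second timestamps, the `None` marker for "never checked" and the one-step clock-skew allowance are assumptions, not details taken from the page.

```python
import base64
import hashlib
import hmac
import struct

RECHECK_WINDOW_SECONDS = 30 * 60  # the page's "every 30 minutes"
# Operation names are assumed labels for the page's list of protected actions.
PROTECTED_OPERATIONS = {
    "sign_in", "password_change", "toggle_app_2fa",
    "email_change", "fund_transfer", "p2p_order_create",
}


def second_factor_required(operation, balance, last_verified_at, now, app_2fa_enabled):
    """Return None when no second factor is needed, otherwise "app" or "email".

    Assumptions (not stated on the page): times are epoch seconds, and
    last_verified_at is None when no check has ever happened for the account.
    """
    if operation not in PROTECTED_OPERATIONS or balance == 0:
        return None
    if last_verified_at is not None and now - last_verified_at < RECHECK_WINDOW_SECONDS:
        return None  # a successful check within the last 30 minutes still counts
    return "app" if app_2fa_enabled else "email"


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step), the scheme Google Authenticator uses."""
    secret_b32 = secret_b32.upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(for_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, submitted, now, skew_steps=1, step=30):
    """Accept the current code or one step either side (clock drift), compared in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * step, step), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )
```

The TOTP functions are checked against the RFC 6238 reference vectors (base32 secret `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`), and the policy function against the scenario above.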
Why is 2FA needed?
We should expect that a user will forget or lose some of their login credentials at some unknown point in the future, because that is what happens every day. Therefore, we follow the two-factor authentication scheme so that accounts stay relatively safe even if some of the factors are leaked to attackers or lost.