Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Please, add the possibility to use Google Authenticator and/or Yubikey 2FA to secure transactions #292
As we have no servers, there is no way to add Google Authenticator or other 2FA providers.
The entire point of 2FA is to require a server to not give access unless 3 pieces of information are given: username, password, correct answer to 2fa challenge.
This is NOT how MyEtherWallet nor Ethereum works.
MyEtherWallet allows YOU via YOUR BROWSER to sign transactions with your private key and broadcast them to the network. The Ethereum network - the blockchain itself - takes the address associated with this transaction and "moves" the ETH from that address to the address you specify in the transaction. There are no servers involved.
The password only comes into play when decrypting an encrypted private key. Again, this password is not going to a server somewhere or the blockchain or anything. Your browser attempts to decrypt the file you give it with the password you also give it. If it works, it works and you have a private key and you can sign a transaction. If it doesn't, it assumes the password is wrong, and you don't have a key.
In order to activate 2FA, we would have to store your key on our servers. Even with 2FA, this is far LESS secure (not to mention, far more centralized) than our current method of never saving, storing, or transmitting your private key ever.
And this is a very key difference. In this case, one of your private keys is stored on a server. You can only not have your keys compromised if you don't keep both keys on your computer. While this is great in theory, in reality using an online service to provide you with 2 keys means that both keys are on your internet-connected device at some point. So if the site is compromised at any point & your 2 keys are compromised upon generation, you're still fucked. And if you store both keys on your computer and your computer is compromised, you're still fucked. And if the server is compromised and one of your keys is compromised, again, you're fucked.
Ether.li attempted to do 2-of-3 multisigs and there are a number of problems today:
Perhaps in the future when external services figure out how to estimate gas and the multisig and user ecosystem is more evolved, we will reconsider. At this point, there are about 10000 other things on our to-do list and this just isn't one of them. We have no interest in holding any keys or dealing with the myriad of security and support issues that come with it.
Even then, I would still recommend that an offline paper wallet + offline transactions or an dedicated device (Ledger) is going to be your safest & most decentralized option.