Many of our users have requested that we implement two-factor authentication. However, since the beginning, SwissBorg's authentication process has been protected with 2FA and you might not even know it! This article dives into the login process in the SwissBorg application and explains how it is already secured with 2FA.
What is 2FA?
Two-factor authentication (2FA) is the process of presenting two distinct forms of identification when accessing a protected resource (such as an online account or an application). By not relying on a username and password alone, attack vectors such as phishing and password leaks become much harder to exploit: a phished or leaked password on its own is no longer enough to take over the account. 2FA verifies your identity a second time, and only if both checks pass are you granted access to the protected service.
The use of 2FA has grown significantly in recent years. Why is that? For a long time, online services relied solely on passwords to secure user accounts. With the ever-growing number of websites and applications, people need to remember more and more passwords, leading to a situation where either you reuse the same password for your different logins or you opt for simpler ones to make them easier to remember. Also, even if you used strong and unique passwords for each of the services, those could still be exposed or leaked in a data breach. Last but not least, the number of phishing attempts has increased dramatically, even more so in the crypto-sphere, and the complexity of those attempts has increased as well.
Authentication factors
We have seen that the use of 2FA is very important and strongly encouraged in our widely connected world, but what can we use to present two forms of identification to an online service? We call those authentication factors and for online services and applications they typically fall into one of the following categories:
- Something that you know: this could be a password, a PIN or even the answer to a specific question.
- Something that you possess: a smart card, your mobile phone for generating one-time passwords or a physical security key.
- Something that you are: this would be any biometrics that can be specifically linked to you, such as your fingerprint, your retina, your face, your finger veins etc.
By having to present two factors belonging to distinct categories to log into an online account, even if an attacker gains illegitimate access to one of them they still cannot impersonate you. The categories must really be different: a password plus a security question are both "something you know" and do not make up 2FA. And it does not stop here. For very critical services you may be asked for more than two factors. Requiring two or more factors is known generally as multi-factor authentication (MFA), of which 2FA is the most common case.
How does 2FA work in practice?
After seeing how 2FA works to secure you and the types of factors that can identify someone, we will see how 2FA is mostly used in the wild. A usual process would be the following:
- You navigate to the login page of the internet service. You are asked to enter your username and password into the corresponding fields.
- The server verifies this information and responds accordingly.
- You are then asked for a second authentication factor. The most common form is a one-time password, but this could be any of the factors discussed above.
- The server verifies this second authentication factor and grants you access to the service.
However secure, this process is better suited to web applications, where you log in from a browser and the second factor sits on a separate device, than to mobile applications like the SwissBorg app, where the login and the authenticator app usually share the same phone. There are more effective ways to leverage 2FA for our users, and this is what we explain in the next part of this post.
2FA within the SwissBorg application
SwissBorg uses different types of credentials and information to verify users at different points of their account lifecycle. Let's first have a look into the different authentication factors that we use and then we will see how they act together to form a strong and secure 2FA login method.
The device key
The device key is the main authentication mechanism for our users and has been present since the beginning. When a user first installs the SwissBorg application and registers, a cryptographic key pair is generated inside the hardware-backed key store of the mobile device (the Secure Enclave on iOS, the hardware-backed Keystore on Android). This lets the application rely on the inherent properties of that hardware: the key pair is generated securely, the private key is stored safely, and it never leaves your device, since the hardware only ever signs with the key and does not allow it to be exported.
When you sign in to the application or perform important operations, such as transferring funds or making an exchange, this key signs the request, proving that it originated from the mobile device you own. The SwissBorg system verifies the signature against the public key registered at enrolment before acting on the request, so a request forged anywhere else is rejected. The device key is your "something you possess" factor.
The PIN
The PIN or Passphrase used in the SwissBorg application is either a four- to six-digit code or a passphrase that can contain any characters. Under the hood, the code is never used directly: as soon as it is entered, it is run through a key-derivation function on the device to produce a cryptographic key. That key is then used together with the device key to add a second signature to sensitive requests, such as sign-ins and withdrawals, adding another layer of security to them. Just like the device key, the PIN never leaves your device.
If the code is incorrect, the SwissBorg system rejects the request: the key derived from the wrong code is not the one recorded at enrolment, so the signature it produces does not verify. This check is combined with a limit on the number of incorrect attempts and a delay between them to prevent brute-force attacks. Once the limit is reached, the account is locked and requires additional verification to be reopened.
For convenience, biometric verification can be used in place of the code. Behind the scenes, the key derived from the code is stored in your device's keychain under an access-control policy that requires a successful biometric check (Face ID, Touch ID or a fingerprint) before the operating system releases it; the biometric data itself never leaves the device's secure hardware. The PIN or passphrase is your "something you know" factor, and when biometrics unlock the derived key in its place it acts as your "something you are" factor.
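The flow described in this section and the previous one, as an added example that is not SwissBorg's code and makes no claim about how the app implements it: the device signs each request with a device key, a second key derived from the PIN adds a second signature, and the server verifies both and counts wrong PINs toward a lockout. It assumes P-256 ECDSA for both keys, a request shape `Request{Nonce, Action, Body}` of my own, an iterated-HMAC key stretch in place of a memory-hard KDF, a per-device salt taken from the device public key, and a lockout after `MaxAttempts` (9, from the "9 tries" figure later in this article) wrong PINs; the hardware key store, biometric unlock and the delay between attempts are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// Request is the assumed shape of a signed app request; the server-issued Nonce stops replay.
type Request struct{ Nonce, Action, Body string }
func (r Request) digest() []byte {
	h := sha256.Sum256([]byte(r.Nonce + "\n" + r.Action + "\n" + r.Body))
	return h[:]
}

// stretch is an iterated-HMAC stand-in for the memory-hard KDF (scrypt, Argon2) a real app should use.
func stretch(pin string, salt []byte, iters int) []byte {
	m, k := hmac.New(sha256.New, []byte(pin)), salt
	for i := 0; i < iters; i++ {
		m.Reset()
		m.Write(k)
		k = m.Sum(nil)
	}
	return k
}

// keyFromScalar maps 32 derived bytes to a P-256 private key with 1 <= d <= n-1.
func keyFromScalar(b []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(b)
	d.Mod(d, new(big.Int).Sub(curve.Params().N, big.NewInt(1))).Add(d, big.NewInt(1))
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

// Device stands in for the phone. The real device key is non-exportable (Secure Enclave or
// hardware-backed Keystore); here it lives in memory so the example runs anywhere.
type Device struct {
	deviceKey *ecdsa.PrivateKey
	salt      []byte // per-device KDF salt (assumption: derived from the device public key)
}
func NewDevice() *Device {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	salt := sha256.Sum256(append(k.X.Bytes(), k.Y.Bytes()...)) // unique per device, not secret
	return &Device{deviceKey: k, salt: salt[:]}
}

// pinKey derives the "something you know" key on the device; the PIN itself never leaves it.
func (dv *Device) pinKey(pin string) *ecdsa.PrivateKey {
	return keyFromScalar(stretch(pin, dv.salt, 100000))
}

// Enroll is everything the server records: two public keys and no secrets.
func (dv *Device) Enroll(pin string) *Account {
	return &Account{DevicePub: &dv.deviceKey.PublicKey, PINPub: &dv.pinKey(pin).PublicKey}
}

// Sign produces the two signatures a sign-in or withdrawal request carries.
func (dv *Device) Sign(req Request, pin string) (devSig, pinSig []byte, err error) {
	d := req.digest()
	if devSig, err = ecdsa.SignASN1(rand.Reader, dv.deviceKey, d); err != nil {
		return nil, nil, err
	}
	pinSig, err = ecdsa.SignASN1(rand.Reader, dv.pinKey(pin), d)
	return devSig, pinSig, err
}

// MaxAttempts follows the article's "9 tries" figure (assumption); the delay between attempts is left out.
const MaxAttempts = 9
var ErrLocked = errors.New("account locked, additional verification required")
var ErrBadSignature = errors.New("device signature invalid")
var ErrWrongPIN = errors.New("PIN signature invalid")

type Account struct {
	DevicePub, PINPub *ecdsa.PublicKey
	Failures          int // consecutive wrong PINs from the genuine device
}

// Verify checks the device signature first, so a request that is not from the enrolled
// phone cannot burn PIN attempts and lock the real user out remotely.
func (a *Account) Verify(req Request, devSig, pinSig []byte) error {
	if a.Failures >= MaxAttempts {
		return ErrLocked
	}
	d := req.digest()
	if !ecdsa.VerifyASN1(a.DevicePub, d, devSig) {
		return ErrBadSignature
	}
	if !ecdsa.VerifyASN1(a.PINPub, d, pinSig) {
		a.Failures++
		return ErrWrongPIN
	}
	a.Failures = 0
	return nil
}
```

All the server holds is two public keys: neither the PIN nor either private key ever leaves the device, which is what makes the scheme a real "possess" plus "know" pair rather than a password check. The order of the checks in `Verify` matters: if wrong-PIN attempts were counted before the device signature is validated, anyone who knew your account identifier could lock you out by sending junk requests from their own machine.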
Would the addition of one-time passwords increase security?
As we have seen in the previous sections, the SwissBorg application is indeed secured with two-factor authentication, with the factors being the device key and the PIN/Passphrase. Adding one more factor for authentication will always at least keep the same level of overall security. But would it increase the security? Let’s dig deeper into several scenarios.
- Let's assume an attacker does not have access to the device on which the SwissBorg app is installed. In this scenario they cannot impersonate you: the device key is stored in the secure enclave of your device and never leaves it, so without your mobile device no one can sign a valid request for your account.
- Let's now assume that the attacker has access to your device. This scenario has two variations:
  - The attacker cannot unlock your device. Your SwissBorg account remains secure as they cannot reach the application.
  - The attacker can unlock your device. They can then open the SwissBorg app, but to access your account they still need the correct PIN/Passphrase:
    - You use a strong PIN (a random six-digit code, not your birthday or that of your partner/kids/parents). There are 1,000,000 possible codes, so with 9 tries before the account locks the attacker has about a 9 in 1,000,000 chance (roughly 1 in 111,000) of getting in; a four-digit PIN gives them 9 in 10,000, which is why a longer code, or better a passphrase, is recommended.
    - You use a strong passphrase (a random string of at least 16 characters mixing letters, numbers and special characters). The attempt limit stops online guessing after a handful of tries, and even without it, searching that space would take centuries.
    - The attacker can guess your PIN/Passphrase with high probability. In this case, adding a one-time password would not enhance security, because the attacker holds your unlocked phone, the same device on which your authenticator app runs and on which you receive SMS and emails.
From the above scenarios we can see why adding a one-time password as a further factor would not enhance the security of the SwissBorg application: in the only case where the PIN is compromised, the attacker already holds the unlocked phone that would generate or receive the code. This reasoning applies to one-time passwords generated or received on the phone itself, which is how they are typically used with a mobile app.
How users can improve their security
There are several steps users can take to increase the security of their wealth and data. These include:
- Secure your application with a strong and unique passphrase. We recommend the use of a password manager, such as Proton Pass or Bitwarden.
- Register a passkey in case you need to recover your SwissBorg account. We encourage users to adopt passkeys over traditional recovery methods like a recovery phrase or a manual recovery process.
- Avoid clicking on links in emails from anybody you do not trust. Also, double-check the sender’s email address to make sure the email comes from the claimed sender.
- Never share your personal information. When you are contacted by someone whether it’s over the phone, by email, or on social media, do not provide them with your PIN/passphrase, Recovery Phrase, private key, banking and credit card information, your birthdate, and Social Security/Social Insurance numbers.
SwissBorg is committed to providing our users with the highest level of security through our built-in two-factor authentication (2FA) system. By utilising both the device key and your chosen PIN or passphrase, we ensure that your account is well protected against unauthorised access. While many may think additional factors, like one-time passwords, could enhance security, our existing system is already designed to be robust, relying on cryptographic keys that never leave your device. We encourage our users to adopt strong passphrases, utilise passkeys, and remain vigilant against phishing attempts to further safeguard their assets. At SwissBorg, your security is our priority, allowing you to focus on what truly matters: growing your wealth in the world of cryptocurrency.