To make the KC app more secure, Charvel and I have been on discord discussing coding the logout button to actually logout instead of deleting the wallet. Then use biometrics to login each time the app is used. 2FA could be optional for those who want even stronger security.
Is this something we could vote on for implementation?
Fubar said this could be up voted to become an official proposal.
Hope we get somewhere with it. I wouldn’t mind being able to leave my tokens in the KC app wallet if I knew they were safer. We need to be able to log out and cut the connection when not in use. Then login to do transactions.
I am fairly new to the crypto scene but I trust in you guys when you make the call outs on where the security risks are currently. I am in favor of this becoming a proposal. If making it more secure means we have more holders, then I think it’s an easy win.
The more secure the KC wallet is, the more likely token holders will leave them there. This could also lead to staking through the wallet, etc
For right now though being able to log out of the app without deleting the wallet and then being able to log back in when we want to use it, would be a great start.
Totally agree wirh this , a biometric log in wallet which runs open 24/7 is not a good look. If KC wallets suffer an attack because of an exploit it could really set the game back
interesting, security is definitely important.
the app does already require biometrics to send tokens. is there something else you’re worried about?
That seems like a sufficient layer of security
Highly important issue !! KC must take care of secure the app asap.
The issue a few of us have with the KC wallet app is that it runs 100% of the time in the background on our phone. Plus it is linked up to the wallet continually.
Most other wallets out there require a login for access to the wallet and then extra security, which includes biometrics and 2fa, in order to do any transactions. Then you can log out of the wallet to sever the connection.
Theoretically, if the KC app blade module was to be hacked somehow, the intruder would have access to every blade wallet attached to KC. Maybe nothing would happen or maybe they would learn how to steal a bunch of tokens, I’m really not sure. I do know that a lot of this is going on out there and people have to be very very careful. So I am one of the people that really believes that a secure wallet is paramount when dealing with any crypto.
These reasons are why I brought the subject up.
There is 2FA to send which is sufficient layer of security its something you have (device) and something you know (password and or bio-metrics) so essentially for it to be stolen the person would need your device (or seed phrase)and your password, face, or fingerprint! Research security on Hedera! It is enterprise level auditing! They plan on working with the Central Banks of the world so it has to be a tight envelope. There was an exploit on Hedera last year that came from the implementation/migration of EVM to HTS and derived from Uniswap v2 on Ethereum code on the DEX Saucerswap . Do what makes you feel comfortable, read up on current security audits and practices to keep yourself informed and protected! Physical security is the first layer If your phone has a layer of security then that makes 2 layers just to get your tokens and the mathematical odds are slim. https://bladewallet.io/ " Blade Wallet is the only third-party audited, regularly security tested, self-custody Web3 wallet on Hedera. Blade Wallet is designed to be the most simple, seamless and secure way to engage in Web3 activities."
Here is the linlk for blade wallet security audit for anyone interested! Blade Labs - CertiK Skynet Project Insight
Thank you for the detailed response and information. I will definitely look it up and educate myself some more about the blade wallet and hedera. Every other wallet I’ve dealt with over several years, including hardware wallets and their accompanying apps or software, has had a log in and log out function. As do most Enterprise level administration servers. I’m sure there’s a reason for that.
logging in and out is a function for a user profile in an OS or an application! The developers are ultimately the ones who can answer why the app functions the way it does! As far as i can see it stays logged in as i have chosen to do on other apps. I never log out of my wallets i just close them which kills the process unless you allow applications to run in the background! Cheers hope i was more of a blessing than a burden
A blessing for sure
It’s these types of interactions that helps make a community based project better in every way. We should be talking about these types of things as we all have some skin in the game at this point.
I like your point about making sure the app doesn’t run in the background, but not everybody knows how to accomplish this. I know how to do this myself and I agree that it would help. A required login and automatic logout after using the app just makes it easy to ensure it severs the connection. I personally don’t like “always connected wallets”, but that may just be me, lol.
Having good discussions on topics is how a community grows. I appreciate your input.
I guess what I’m trying to say is that mobile phone OS and apps can be glitchy. I don’t want to put the responsibility of severing my connection into the hands of either one of those. I personally like the extra security of being able to log out and sever the connection myself.
We could have a quick log in such as bio or a pin or whatever the choices would be for a quick login. Then people that just want to rely on their phone to kill the process still can and those of us that would like the extra security of being able to log out and manually kill the process would be able to do so as well. I don’t really think it would be too hard to implement and it wouldn’t really inconvenience anybody that much.
I hope more people chime in, right now it looks like there’s only about three of us, lol
tbh, since this is a non-custodial wallet, i dont think logging out protects you from anything material.
the private key is stored on your phone and keychain, whether you are logged in or not.
Right now the private key is encrypted on the app.
Every time you do the Biometric authentication you’re effectively logging in. Without this the private key remains encrypted, even to the app itself.
Since this is a non-custodial wallet, the only way to “logout” is through the destruction of the private key.
Adding a passcode or 2FA would only be another encryption step in addition to the biometric based encryption.
The wallet isn’t always connected nor running in the background. If the KC Blade module is hacked, they would need to target individual KC devices in order to drain the funds because it’s non-custodial----there is no central server with the private keys or communication.
The App signs the message and sends it to the network. The private key is never disclosed to anyone over a network or to any other service across the device
Thank you for your response. There was a lot of good information in it.
I am familiar with other non-custodial wallets and apps. A log out or lock app feature (as some call it) is another level of physical security at the app level. This requires a passcode or biometrics to even get into the app interface. This is how ledger live does their app on mobile devices. You can choose to lock the app so that it must be unlocked to be used. This is achieved without destroying any keys. And ledger live app is a non-custodial platform as well.
Again this slight extra layer of security may not mean much to everyone else. I just prefer to be a secure as possible with all of the hacks and thieves that are out there.
Again thank you for your input. I learned something about the wallet that I did not know before.
No problem. The lock feature is a good idea. Will put it on the roadmap.