I originally started writing this post as a comment to the recent blog post by Steemit called "Steemit to Update Password Policy". But it ended up being so long that I thought it was a little bit silly to keep it as just a really long comment standing out like a sore thumb in the discussion. So here is my full response to the post.
It has been repeatedly stated that we should offer multi-factor authentication for transactions. This would require our servers to co-sign every transaction. This is inconvenient for normal use and usually considered overkill for a social media platform.
I disagree that it is overkill. This isn't just a social media platform. It is also a platform that stores users' money.
I also disagree that it needs to lead to an inconvenient user experience.
I think the changes mentioned in the post are a great improvement and I am happy to see them. However, I think there is much more to do.
I think the randomly-generated password (owner password) that derives the owner key should be kept separate from the randomly-generated password (regular password) that derives the other keys, so that the user can keep that owner password offline. Users who derive all keys from one password can have their owner key compromised if their computer gets hacked by something as simple as a keylogger. While the new account recovery system can allow them to recover their account in that situation, it can still be a big pain for them. If their computer was hacked, the hacker will likely also have compromised their Facebook and Reddit accounts (or email, and there is even a possibility of a dedicated hacker compromising their SMS through various tricks or vulnerabilities that are already known by the public). So one cannot rely on Steemit's current automated account recovery in that situation. They would be forced to manually work with their account's recovery agent (likely Steemit) and provide real-world proof of identity just to be able to get back in control of their account. Also, this entire complicated process needs to be completed within 30 days of the attack (not 30 days from when the user notices the attack, but 30 days from when the attack was initiated).
I think it is much better to avoid depending on account recovery too much (it should be something more like a last resort) and instead force users to follow the proper security procedures and keep a separate randomly-generated owner password offline which will only be used in the limited scenarios when an owner authority is absolutely necessary. However, this alone can actually put the average user in more danger because a password they do not deal with on a regular basis is a password that is more likely to get lost over time. And the account recovery mechanism cannot help users if they lose their owner keys. So, I think the default owner authority for users registering on steemit.com should be the following:
With the above owner authority, users have full independent control of their account as long as they maintain exclusive control of their offline owner password. They can change the keys of their account and migrate to other clients and services without any problem, even if Steemit the company disappeared. If that owner password was somehow compromised (maybe burglary or maybe an untrustworthy friend, roommate, lover?) and their account's owner authority was changed, they can still use that owner password along with alternative identity verification (Facebook/Reddit link, Email + SMS link, or real ID verification) and work with Steemit to recover their account.
If they lose access to the owner password (let's say they only wrote it down on a piece of paper they kept in their home and it was stolen or their house burned down), then they still have a mechanism to get back access to their account. They can use their regular password (which was still randomly generated by steemit.com by the way) and work with Steemit by providing real ID verification (Steemit relying on Facebook/Reddit/Email/SMS is no longer good enough in this situation) to gain back access to their account. If everything is properly verified, Steemit would use the multiple cold active keys of the "steemit-cold" account to sign the update_account transaction on multiple air-gapped computers. This would obviously be a manual and hopefully rare process, and Steemit could charge the user a fee for providing this service. Even if the keys of the "steemit-cold" account were to be somehow compromised, users are still protected as long as their regular password wasn't also simultaneously compromised (i.e. assuming their personal computers weren't also hacked).
Now if they also lose their regular password in addition to their owner password, then there is nothing Steemit can do to help them get back their account under the current system. However, I believe the blockchain should have support for will / dead-man switches, which is an incredibly useful feature on its own, but could, if designed properly, also act as a mechanism to allow the user to get back control of their account after waiting for some period of time of account inactivity. This would of course be an optional feature for Steem accounts, but Steemit could automatically opt-in users they register into sensible defaults unless overridden explicitly by the user. I'll talk more about this will / dead-man switch feature later, but the conclusion with the sensible defaults for such a feature would be that Steemit could help users recover access to their accounts after waiting for a few months to at most 1 year (depending on whether a hacker had access to the user's active keys or not, and of course assuming the hacker did not have access to the owner password), but at the same time a malicious (or compromised) Steemit could not unilaterally take over a user's account as long as the user proved active key possession (by for example making a payment transfer) every couple of months and proved owner key possession (by for example changing their owner keys) at least twice a year.
Finally, I can now discuss two-factor authentication and multisig. The above is all about how the user can securely maintain ownership of their account under various scenarios. But under normal usage, they want to be able to use their regular password to do all the things they expect to be able to do with the platform: post/edit, vote, transfer money, use the market, etc.
Ideally, someone with access to only their regular password alone could not just do all of those actions (which can all cost the user money). Another XSS exploit on steemit.com could allow the hacker to get their posting key and take away the user's pending curation rewards that they may have worked hard for, or deface their highly upvoted post leading to voters retracting their votes and thus preventing the user from realizing the payout they were expecting. A hacker that gets a keylogger on a user's computer can compromise their active key the next time the user authorizes a transfer, which the hacker could then use to immediately drain all of the user's liquid funds (I know the future time-locked savings feature will help mitigate this, but users will still keep some funds in their checking account for quick and convenient access). That is why multisig (and 2FA) is so important. It requires the hacker to simultaneously compromise more than one of the user's computing devices (or even if they compromise Steemit's servers, they still need to wait until a user uses the compromised website before they can do any damage to that user).
I think by default the user's active authority should be
and their posting authority should be
which then allows the online "steem" account to provide 2FA services to the user. This could be done in the typical way using SMS codes or TOTP (time-based one-time passwords). You could even provide basic TOTP 2FA for free to all users, but require any additional 2FA services for a fee (especially SMS since each SMS would cost Steemit money). Premium 2FA services could allow users to set all kinds of fancy quotas, limits, and monitoring services as well as additional authorization mechanisms to use under certain scenarios, so that they can find their ideal trade-off between security and convenience.
The 2FA does not have to be mandatory, but the basic level of 2FA should be highly suggested and should require the user to explicitly opt out of the process when registering, if they choose to do so, after reading a warning about why it is not a good idea. The basic 2FA setup would help the user set up a TOTP app on their smartphone. It would by default be set up to require TOTP authorization for each transfer of funds as well as other operations that require active authority (other than market operations which ideally will have their own market authority anyway). For user convenience, the default setup would not require TOTP authorization for new votes on posts, for creating new posts/comments, or for editing a post/comment within one hour of its creation; however, it would require TOTP authorization for editing a post/comment after that one hour and for changing an existing vote. This default setup does not do much to harm their user experience but makes a substantial improvement in security.
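The default setup described above can be written down as the decision a co-signing 2FA service would make before adding its signature. This is an added example, not Steemit's code: the operation descriptors (`kind`, `created_at`, `changes_existing_vote`) and all function names are hypothetical, and the secret and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

EDIT_GRACE_SECONDS = 3600  # "within one hour of its creation"
STEP = 30                  # TOTP time step in seconds (RFC 6238 default)

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as used by common authenticator apps."""
    counter = struct.pack(">Q", int(at // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + d * STEP).encode(), code.encode())
        for d in range(-window, window + 1)
    )

def needs_totp(op: dict, now: float) -> bool:
    """Default policy from the text; `op` is a hypothetical descriptor."""
    kind = op["kind"]
    if kind == "vote":
        return op["changes_existing_vote"]   # new votes need no code
    if kind == "post":                        # a post or a comment
        created = op.get("created_at")        # None means it is new
        return created is not None and now - created > EDIT_GRACE_SECONDS
    if kind == "market":
        return False                          # left to a separate market authority
    return True  # transfers, other active-authority ops, anything unrecognized

def should_cosign(op: dict, secret: bytes, now: float, code: str = "") -> bool:
    """True if the 2FA service should add its signature to this operation."""
    return (not needs_totp(op, now)) or verify_totp(secret, code, now)

# Constructed sample values, for illustration only.
SECRET = b"12345678901234567890"
NOW = 1_700_000_000
```

Unrecognized operation kinds fall through to requiring a code, so the policy fails closed. A deployed service would also record the last accepted time step per user so that a code cannot be replayed inside the drift window.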