A Major Area of Improvement I Would Like to See on the Steemit Platform - Account Security and Posting Key Functionality
As Steemit grows, and the wallet balances of the accounts on the platform keep increasing, the security of those funds is becoming more and more important. Earlier this week there was an incident where a number of users woke up to find that their liquid Steem and SBD had been transferred out of their accounts. There appears to have been a security breach somewhere, and the weakness was exploited to steal from the accounts.
Not everyone wants to lock their Steem and SBD away into savings or STEEM POWER; many need at least some liquidity in their accounts. One of the biggest factors when considering investing in a platform is the security of those liquid funds, together with a level of functionality that lets you complete day-to-day tasks on the platform without sacrificing security.
What we need on Steemit is a revision of the security of the platform, and an improvement of the functionality of the lower-power Posting Key to make it capable of performing the tasks which most Steemians do on a daily basis. Here is my recommendation:
The Current State of Security on Steemit:
Steemit recommends that you always log in with your posting key, and keep your Active and Owner Keys and Master Password saved away somewhere secure. Every key carries a set of tasks which it is permitted to perform. Here is a table of what tasks each key is permitted to perform:
| Task | Posting Key | Active Key | Owner Key |
|---|---|---|---|
| Post, comment, resteem, upvote, follow, mute, edit posts and comments | Y | Y | Y |
| Transfer funds, power up/down, convert SBD, vote for witness, update profile details and avatar, place market orders, redeem rewards | N | Y | Y |
| Change account keys | N | N | Y |
The Problem
One of the problems here is that your posting key limits what you can do on Steemit to just a few tasks. With Steemit being a rewards-based platform, and your Voting Strength being determined by your STEEM POWER balance, we need to be able to redeem our rewards. To do this, we have to log in with either our Active or Owner keys.

We also use the transfer function when using the various bots out there where you either bid for or buy upvotes. A lot of people communicate with each other by transferring 0.001 SBD and sending a memo. I can therefore assume that most of us are logging on with our more powerful keys, which is not ideal, but is the most convenient option.
The second problem is that many, many users have unwittingly published their private active or owner keys in the memo field when transferring funds to or from the exchanges. This has created a lot of risk of accounts being compromised, and of users falling victim to others of dubious character.
The Solution
My proposed solution comes in three parts to address both the functionality of the keys, and the security of the more powerful keys:

1. Add functionality to the Posting Key:
   Adding the ability to redeem our author and curation rewards with our Posting Key will increase the functionality of the key to a level that covers the core daily functions required by most users.
2. Add a whitelist of accounts you can transfer funds to using your Posting Key:
   By doing this, users will be able to maintain a list of accounts they frequently transfer funds to, and enable transfers to them using their Posting Key. Whitelist maintenance can then only be done by logging in with your Active or Owner Keys.
3. Add the option of 2-Factor Authentication on Active and Owner Keys, and Master Password:
   This is a measure which NEEDS to be implemented given the number of inexperienced users who keep posting their keys in memos of transfers. If 1 and 2 are implemented, 2FA for the higher keys, by way of email or text message, makes the platform that much more secure, and reduces the need to log in with your Super Keys significantly. It will also notify the account holder if someone has gained access to their private keys and has attempted to log in with them.
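To make the three proposals concrete, here is an added example (my own illustration, not Steemit code or any part of the Steem blockchain's actual authority implementation) that models the key tiers from the table above as an authorization policy. The `update_whitelist` operation, the `Policy` flags and the `authorize` function are hypothetical names chosen for this illustration; the `PROPOSED` policy applies all three changes (rewards claimable with the posting key, posting-key transfers restricted to a whitelist that only the active key can edit, and a second factor required whenever the active or owner key is used) so the two models can be compared side by side.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class KeyTier(IntEnum):
    """Ordered authority levels: a higher key can do everything a lower one can."""
    POSTING = 1
    ACTIVE = 2
    OWNER = 3


# Minimum key tier per operation, as in the post's table.
# "update_whitelist" is a hypothetical operation added for proposal 2.
BASE_PERMISSIONS = {
    "post": KeyTier.POSTING,
    "comment": KeyTier.POSTING,
    "vote": KeyTier.POSTING,
    "follow": KeyTier.POSTING,
    "transfer": KeyTier.ACTIVE,
    "power_up": KeyTier.ACTIVE,
    "witness_vote": KeyTier.ACTIVE,
    "claim_rewards": KeyTier.ACTIVE,
    "update_whitelist": KeyTier.ACTIVE,
    "change_keys": KeyTier.OWNER,
}


@dataclass
class Policy:
    permissions: dict
    posting_key_whitelist_transfers: bool = False     # proposal 2
    second_factor_from: Optional[KeyTier] = None      # proposal 3: 2FA at this tier and above


@dataclass
class Account:
    name: str
    transfer_whitelist: set = field(default_factory=set)  # edited only with the active key


@dataclass
class Request:
    op: str
    key_tier: KeyTier                  # tier of the key the user logged in with
    recipient: Optional[str] = None    # transfer destination, if any
    second_factor_passed: bool = False


CURRENT = Policy(dict(BASE_PERMISSIONS))
PROPOSED = Policy(
    dict(BASE_PERMISSIONS, claim_rewards=KeyTier.POSTING),  # proposal 1
    posting_key_whitelist_transfers=True,
    second_factor_from=KeyTier.ACTIVE,
)


def authorize(policy: Policy, account: Account, req: Request) -> tuple:
    """Decide whether `req` is permitted under `policy`; returns (allowed, reason)."""
    if req.op not in policy.permissions:
        return False, f"unknown operation {req.op!r}"
    required = policy.permissions[req.op]

    # Proposal 2: a posting key may transfer only to whitelisted recipients.
    if (req.op == "transfer" and req.key_tier == KeyTier.POSTING
            and policy.posting_key_whitelist_transfers):
        if req.recipient in account.transfer_whitelist:
            return True, "posting-key transfer to whitelisted recipient"
        return False, "recipient not on whitelist; active key required"

    if req.key_tier < required:
        return False, f"{req.op} needs {required.name} key, got {req.key_tier.name}"

    # Proposal 3: any session using the active or owner key must pass a second factor.
    if (policy.second_factor_from is not None
            and req.key_tier >= policy.second_factor_from
            and not req.second_factor_passed):
        return False, f"{req.key_tier.name} key use requires a second factor"

    return True, f"{req.op} permitted with {req.key_tier.name} key"


if __name__ == "__main__":
    # Constructed sample account: alice frequently pays "bob" (e.g. a vote bot).
    alice = Account("alice", {"bob"})
    for policy_name, policy in (("current", CURRENT), ("proposed", PROPOSED)):
        for req in (Request("claim_rewards", KeyTier.POSTING),
                    Request("transfer", KeyTier.POSTING, recipient="bob"),
                    Request("transfer", KeyTier.POSTING, recipient="mallory"),
                    Request("transfer", KeyTier.ACTIVE, recipient="mallory"),
                    Request("transfer", KeyTier.ACTIVE, recipient="mallory", second_factor_passed=True)):
            print(policy_name, req.op, req.key_tier.name, req.recipient, "->", authorize(policy, alice, req))
```

The point of keeping the whitelist edit at the active tier is that a leaked posting key can, at worst, send funds to accounts the owner already chose to trust; it cannot add a new destination for itself.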
I believe that using your Posting Key is the most secure option for logging into Steemit on a daily basis. The problem is that its scope of functionality is not sufficient for the majority of users, and they are forced to log in with the more powerful keys to make their user experience better. The above changes make for a far better user experience, and a much tighter implementation of security on Steemit.
Thanks for taking the time to read my suggestions. This is intended to promote discussion and awareness of the need to maintain a high level of security of our accounts. I look forward to your views and comments.
All good ideas!
A whitelist would be great!
So would a blacklist for that matter...
Cheers
I agree with you 100%. Especially points 2 and 3. A whitelist is crucial and also 2 factor authentication.
Good suggestions. I'd really like to see a cold storage wallet be implemented somehow. I use one for other major cryptos and it makes me feel all warm and fuzzy at night knowing my funds are secure. I always get a bit twitchy when I log into the Steemit site with my active key.
I really like the 2FA idea.
Some really valid points made there @bmj, I hope it draws some attention. 👌😎
Some great ideas in this post, I hope it gets seen by those who can make changes
This wonderful post has received a bellyrub 1.62 % upvote from @bellyrub thanks to this cool cat: @bmj. My pops @zeartul is one of your top steemit witnesses, if you like my bellyrubs please go vote for him, if you love what he is doing vote for this comment as well.
Security is always a major factor, new arrivals take a while to learn where they are and what they are meant for, so making it safer is the way to go.
Everything should have the option of 2FA I think. And not that stupid mobile phone SMS 2FA that all the banks think are at the cutting edge of online security.
Another idea is to do what the mainstream banks do, and that is use a daily withdrawal limit that can perhaps be set by the active or owner key, but only allows withdrawals up to a point. Most of my transactions are 10 SBD or less.
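The daily withdrawal limit suggested in the comment above can be modelled as a rolling 24-hour spend cap. The following is an added example written for this page (not the commenter's code and not Steemit's own logic): the cap is assumed to be set with the active or owner key, and enforced on each transfer made with the posting key. `WithdrawalLimiter` and its methods are hypothetical names; amounts are handled as `Decimal` because SBD is quoted to three decimal places and float arithmetic would accumulate rounding error.

```python
from collections import deque
from datetime import datetime, timedelta
from decimal import Decimal

WINDOW = timedelta(hours=24)


class WithdrawalLimiter:
    """Rolling 24-hour spend cap. The limit is set by a higher-tier key; each
    posting-key transfer is checked against what was spent in the last 24 hours."""

    def __init__(self, daily_limit_sbd: Decimal):
        self.daily_limit = Decimal(daily_limit_sbd)
        self._spent = deque()  # (timestamp, amount) pairs, oldest first

    def _prune(self, now: datetime) -> None:
        # Drop entries that have fallen out of the 24-hour window.
        while self._spent and now - self._spent[0][0] >= WINDOW:
            self._spent.popleft()

    def spent_in_window(self, now: datetime) -> Decimal:
        self._prune(now)
        return sum((amount for _, amount in self._spent), Decimal("0"))

    def remaining(self, now: datetime) -> Decimal:
        return self.daily_limit - self.spent_in_window(now)

    def try_withdraw(self, amount: Decimal, now: datetime) -> tuple:
        """Record the withdrawal if it fits under the cap; returns (allowed, reason)."""
        amount = Decimal(amount)
        if amount <= 0:
            return False, "amount must be positive"
        left = self.remaining(now)
        if amount > left:
            return False, f"exceeds daily limit; {left:.3f} SBD remaining in window"
        self._spent.append((now, amount))
        return True, f"ok; {left - amount:.3f} SBD remaining in window"


if __name__ == "__main__":
    # Constructed scenario: 20 SBD/day cap, two 10 SBD bot payments, then a
    # third attempt that is refused until the first payment ages out.
    limiter = WithdrawalLimiter(Decimal("20.000"))
    t0 = datetime(2017, 10, 1, 9, 0)
    print(limiter.try_withdraw(Decimal("10.000"), t0))
    print(limiter.try_withdraw(Decimal("10.000"), t0 + timedelta(hours=1)))
    print(limiter.try_withdraw(Decimal("0.001"), t0 + timedelta(hours=2)))
    print(limiter.try_withdraw(Decimal("10.000"), t0 + timedelta(hours=24)))
```

A rolling window is preferable to a midnight reset because a reset lets an attacker who obtains the key late in the day spend the full cap twice within a few minutes.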