You are viewing a single comment's thread from:
RE: How I got 'hacked', recovered my accounts and improved the Steemit account security
It does not hurt to have the option to add another layer of security such as 2FA and let users decide if they should activate it or not. But even adding 2FA support can be trickier as if not properly implemented such as a case where you can login and disable it if you manage to get the password, without having to enter the 2FA code geneated on your smartphone, then it is rather pointless. For example if you just enable 2FA security for wallet related operations, but it is not required for you to login in your account...
2FA does not protect you from a stolen private key. This is why ideally you would keep the password somewhere safe, and only login to steemit with your posting key.
Yes, I know you can still use the private Owner key to import in the CLI wallet for example and run away with the SBD and STEEM tokens that a user has...
Using something like a U2F key, Trezor or Ledger would protect you from that, if the devs enabled support for it. Those devices can sign a transaction without ever exposing the private key to interception.