Authentication factors are commonly grouped into a) something you know, b) something you have and c) something you are. Combining factors of different types increases security more than adding another check of the same type, because a single compromise (a stolen device, a leaked password) is less likely to defeat both. In this article we'll look at the most common authentication methods and why Koala Wallet decided to use or not use each one as 2FA.
✅ Password / PIN
This is Koala Wallet's primary authentication method. Every wallet must have a PIN set up during creation, so no device is ever left unprotected. It's the prime example of "something you know": it can be memorized and/or written down, so it stays completely separate from an unprotected device.
✅ Biometrics
This method is also available in Koala Wallet. It is optional and can replace the PIN in most cases. It uses the device's built-in fingerprint or facial sensors and offers a good tradeoff between security and convenience. It's categorized as "something you are", so it is very hard to ever lose.
❌ OTP / Time-based codes
Time-based OTP codes change every 30 seconds or so and are popularly used with apps like Google Authenticator or Authy. The authenticator app holds a shared secret and derives each code from that secret and the current time. Since both Koala Wallet and the authenticator app would most likely be installed on the same device, using OTP as a second factor doesn't provide substantial security benefits: whoever controls that device controls both factors. Category: something you have
❌ Email / SMS code
Using email or SMS as a second factor would require a database linking users' email addresses or phone numbers to their KDA accounts. Not only is this a privacy risk, it also doesn't provide meaningful security benefits when most users would have Koala Wallet installed on the same device that receives the code, and SMS in particular is exposed to SIM-swap attacks against the carrier. Category: something you have
❔ Hardware token
Devices like YubiKey or Titan Security Key are hardware authenticators that connect to your phone via USB, NFC or Bluetooth. Because the secret never leaves the key, these are the strongest examples of "something you have". Koala Wallet is exploring adding support for these types of tokens.
It's important to note that Koala Wallet is non-custodial: users are in full control of their assets via their recovery phrase, and it's impossible to prevent a transaction by anyone who holds the account's private key. All of the authentication methods above are software-based and protect only a single installed instance of the app; none of them protects the key itself. Anyone who obtains the recovery phrase can restore the wallet on another device and bypass every check described here, so the recovery phrase must be guarded at least as carefully as the PIN.