Multi-factor Authentication: Securing your account on LocalCoinSwap and across the Cryptoverse


The feedback on the release notes for the beta platform is showing lots of praise for the evolving nature of the UI on LocalCoinSwap, and the way the tools are being regularly updated to create an interface which is straightforward, intuitive and fun to use. But under the surface there is a great deal more going on, as you may imagine, and one update pushed out in recent weeks was the introduction of multi-factor authentication (MFA) on user accounts.

Security is fundamental for carrying out any kind of online activity safely, and cryptocurrency transactions are in a league of their own - being irreversible and pseudonymous, there are so many depressing anecdotes of hacking, phishing, or simple mistakes resulting in coins and tokens being lost or missent. It’s a huge responsibility for LocalCoinSwap, being the nexus through which peer-to-peer transactions in crypto and fiat are being continually sent, and it’s something the developers were keen to ensure was of the highest standards from the outset.

But the challenge with online security is that it still has to be user-friendly. If it’s too onerous to get into something, people will not use it, or they’ll work round it and effectively break its usefulness. Ask any IT support worker in a large organisation with a complex password policy how many people keep their passwords in super-secret places like a post-it note on the wall or under their desk… the IT person can usually get in without any problems, because they know exactly where to look to reset whatever the user has messed up.

Outside of the office it’s much the same, with an extremely low percentage of online users taking the time to set up password managers and use really long, strong and unique passwords on every site they use (as LocalCoinSwap advises you to do when you set up your account). The problem with passwords, though, is that even when used by conscientious and aware people, they can still get compromised - if passwords are phished, or captured by keylogging malware, for example. LocalCoinSwap users, as crypto-traders, deserve better.

So, as passwords are no longer enough to protect us, nowadays more and more systems are moving towards multi-factor authentication (MFA), to strengthen the point of access to any sensitive accounts or information by requiring something in addition to a username and password.

The username and password is something you know. Other kinds of login data fall into this category as well, such as security questions like your mother’s maiden name or first pet’s name - these are often used to trigger password resets, but they do not add a second factor, because they are all pieces of information that are either known or unknown (and if a hacker/phisher can find out one, they can often find out the rest pretty easily).

So to beef this up, the next stage is to add something you own, which must be used in combination with the things you know. A thief would need to control access to both, in order to do damage, and it greatly reduces your risks of falling prey to this kind of attack. Your bank might have provided you with a bespoke card reader, as an example of this category of protection.

And this is why LocalCoinSwap have added integration with Google Authenticator, via an app on your smartphone. Yours only - the device on which you scan the exchange’s QR code will be required every time you log in from now on.

Authentication works by generating a time-based one-time password, which is displayed on your phone screen and entered by you into the exchange at the point of logging in. The code generated by Authenticator lasts for 30 seconds before it times out and is replaced - which is long enough for you to enter the 6 digits and log in (the app flashes red in the last few seconds before the code changes, so you know to wait for the new code before you log in).

By combining something you know with something you have, you create a much stronger barrier to anyone seeking to gain unauthorised access to your account. This is two-factor authentication, 2FA, and it is (or should be) impossible to log into any bank or crypto exchange or anything that matters these days without enabling and using it. (Your bank card reader works in a similar way to the app, generating a one-time code that you then tap into the banking application.)

You can even go one step further, and add something you are into the mix, as well as something you know and something you have.

Many banks and state-of-the-art secure systems are now including biometric markers in their access tools, such as retina scanning, voice pattern recognition and even weird things like identifying you through the unique way you walk. Institutional-grade custodial solutions for crypto are already employing tools like this, but maybe you are too - if the phone you run your Authenticator app on has fingerprint or faceprint recognition.

This is truly multi-factor, because to compromise your account now the thief would need to know your passwords, have your phone with the Authenticator running, and have your finger or face in order to unlock it. Could it be done? Sure, potentially - this is a continual arms race between the people whose role it is to protect us and the groups who make it their role to continually break these things. The world’s most secret secrets are probably protected with multiple other layers of security we couldn’t even name, because they are such ripe targets.

For most of us, though, we’re more likely to fall victim to casual or opportunistic attempts to penetrate our defences, such as a hacker buying a large batch of email and password combinations on the dark web and brute-forcing them at every online bank site… They’ll get lucky with someone who has re-used the same password in multiple places (and depressingly, that is still most likely to be the ever-popular “password”). Those people are the low-hanging fruit making easy pickings, like the person who leaves their ground-floor window open for burglars - enough people do this that the casual thief will rarely try their luck on the house next door with the alarm visibly fitted.

It’s easy and low-hassle to protect crypto assets with multi-factor authentication, and responsible sites like LocalCoinSwap will increasingly require it as a condition of use. Don’t be the equivalent of the person with the door key under the mat, or the word ‘password’ stuck on a post-it on the back of their monitor…

You’re smarter than that!