TxAuthenticator

2FA for self-custodied Ethereum wallets. Users can set their own daily transaction limit & add a security key (like YubiKey) to authenticate high-value transactions. TxAuthenticator is an extra security layer for web and mobile-based wallets.

Created At

ETHGlobal Paris

Winner of

💫 WalletConnect — 🥈 Most Innovative

🏆 NounsDAO — Best Public Good

Project Description

INSPIRATION: TxAuthenticator was inspired by the high incidence of cryptocurrency thefts, which totalled $3.8 billion in 2022. These thefts predominantly resulted from:

  • Phishing attacks leading to private key theft from self-custodied Ethereum wallets; or,
  • Users being tricked into approving malicious contracts.

Despite the existence of hardware wallets, not all crypto users use them regularly, and they come with their own vulnerabilities. 2FA and spending limits, which are common security features in traditional financial platforms, are absent in self-custodied Ethereum wallets. TxAuthenticator fills this gap, bringing the security of physical 2FA with security keys to digital wallet users.

ABOUT: TxAuthenticator uses advanced two-factor authentication (2FA) mechanisms to provide additional security for self-custodied Ethereum wallet transactions. It brings together daily transaction limits and YubiKey verification (for amounts higher than the daily limit) to create a personalized and robust security system. Here are some key aspects:

  • Setup and Deployment: Users access a web application to set their own daily transaction limit. Amounts under this limit do not require authentication. The user links a security key (YubiKey) to authorize transactions that exceed this limit. These parameters are then deployed to a smart contract, creating a secure vault for users to deposit their funds.

  • 2FA Verification: For transactions above the daily limit, users receive a notification via XMTP, requesting YubiKey verification. Once the user verifies the transaction with their YubiKey/NFC device, the system combines this signature with the original transaction data and pushes the transaction to the main Ethereum network.

  • Transaction Completion: After verification, the funds are sent to the recipient's address from the smart contract vault.

Benefits of TxAuthenticator include:

  • Added layer of security for self-custodied web-based wallets like MetaMask and WalletConnect.
  • Hybrid security solution when a hardware wallet is not available.
  • Protection of funds deposited in the smart contract vault, safeguarding them from potential hacking attempts without the YubiKey.
  • Physical protection against complete loss of funds in the event of a hack / phishing, even when the private key is exposed to the hacker.

TECH SPECS:

  • Smart Contract: Created a smart contract in Solidity that adds a per-day allowance of funds; anything over the allowance needs to be authenticated with a YubiKey.
  • 2FA Request via XMTP: Communication between a backend and a frontend using XMTP. XMTP can also be used to send a message to a device (like a mobile phone) to request a 2FA.
  • Front-end: Frontend to make the registration and management of the wallet easy. A user can:
      • Connect via WalletConnect or the new MetaMask SDK
      • Set a daily spending limit
      • Register their YubiKey
      • Secure their funds in a 'vault'
      • Initiate fund transfers from the vault
      • Authenticate transfers above the daily limit with YubiKey

** Ideal flow (future): A transaction is initiated from a laptop, and XMTP sends a notification to your mobile device requesting 2FA completion. After 2FA completion, XMTP returns the credentials, enabling the transaction to be sent. However, due to time constraints, a mobile app supporting this flow couldn't be developed.

FUTURE OPPORTUNITIES: TxAuthenticator has promising future applications as well.

  • Mobile App Integration: Allowing for secure transactions from anywhere as long as the user has an NFC-enabled YubiKey.
  • NFT Security: The concept of a "vault" secured by a YubiKey could be extended to high-value assets like Non-Fungible Tokens (NFTs), making it a valuable tool for safeguarding valuable digital art and other unique assets on the Ethereum blockchain.
  • Multichain Support: Expand access to multiple blockchains.
  • API Development: To reach more users, developing an API for TxAuthenticator could be a potential milestone. This would allow wallet providers to integrate this security solution directly.

How it's Made

The project is made of multiple parts:

First is a smart contract that acts as a wallet: it lets the user spend only up to a certain amount per day, and anything over that amount must be authenticated with a hardware key. Hardware keys use the secp256r1 curve (and not secp256k1), so a lot of heavy lifting needs to be done for it to work (thanks to Alembic for creating a great library).

Second, we have a backend (the backend is not necessary but was a huge timesaver to deploy the contracts). The connection between the frontend and backend is bidirectional and uses XMTP.

Lastly, we have the frontend, which makes it easy for a user to deploy their contract, register their hardware key and manage their vault. The ideal flow that we wanted to get to was this: a transaction that needs to be verified is initiated from a laptop; XMTP then notifies a mobile app that the transaction must be authenticated with a hardware key; the user uses NFC (or the hardware security module) from their phone to validate the transaction; XMTP sends that data back to the frontend, which posts the transaction, allowing the user to spend more than their allowance securely. The mobile app was not added due to time constraints.

Users can connect their wallet using WalletConnect or the MetaMask SDK, and control their vault with both wallet technologies.
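
The vault rule described above (a daily allowance, with a security-key signature over the transaction data for anything beyond it) can be modelled off-chain as follows. This is an added example, not the project's contract or code: `VaultModel`, `challenge`, `transfer` and `demo` are hypothetical names, the key pair is a constructed software P-256 key standing in for the YubiKey, and the example assumes the key signs the challenge bytes directly rather than through a WebAuthn envelope.

```javascript
// Added example: off-chain model of the vault policy; all names are hypothetical.
const nodeCrypto = require('node:crypto');
const DAY_MS = 24 * 60 * 60 * 1000;

class VaultModel {
  constructor(dailyLimitWei, keyPublic) {
    this.dailyLimit = dailyLimitWei; // BigInt amount in wei
    this.keyPublic = keyPublic;      // P-256 (secp256r1) public key registered at setup
    this.windowStart = 0;
    this.spent = 0n;                 // total sent without 2FA in the current window
    this.nonce = 0n;                 // advances on every transfer, so a signature cannot be reused
  }
  // Bytes the security key signs: recipient, amount and nonce are all bound.
  challenge(to, amountWei) {
    return Buffer.from(`${to}|${amountWei}|${this.nonce}`);
  }
  transfer(to, amountWei, nowMs, keySig = null) {
    if (nowMs - this.windowStart >= DAY_MS) { // a new day resets the allowance
      this.windowStart = nowMs;
      this.spent = 0n;
    }
    // Compare the running total, not the single amount, against the limit.
    const overLimit = this.spent + amountWei > this.dailyLimit;
    if (overLimit) {
      const ok = keySig !== null &&
        nodeCrypto.verify('sha256', this.challenge(to, amountWei), this.keyPublic, keySig);
      if (!ok) return 'REJECTED_NEEDS_SECURITY_KEY';
    } else {
      this.spent += amountWei; // assumption: 2FA-approved transfers do not use the allowance
    }
    this.nonce += 1n;
    return overLimit ? 'SENT_WITH_2FA' : 'SENT_UNDER_LIMIT';
  }
}

function demo() {
  // Constructed key pair standing in for the hardware key.
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const vault = new VaultModel(10n ** 18n, publicKey);   // limit: 1 ETH per day
  const amt = 6n * 10n ** 17n;                           // 0.6 ETH
  const t0 = 1700000000000;                              // constructed timestamp
  const out = [vault.transfer('0xAlice', amt, t0)];      // under the limit
  out.push(vault.transfer('0xAlice', amt, t0 + 1000));   // running total 1.2 ETH, no signature
  const sig = nodeCrypto.sign('sha256', vault.challenge('0xAlice', amt), privateKey);
  out.push(vault.transfer('0xOther', amt, t0 + 2000, sig)); // signature is for another recipient
  out.push(vault.transfer('0xAlice', amt, t0 + 3000, sig)); // matches the signed challenge
  out.push(vault.transfer('0xAlice', amt, t0 + 4000, sig)); // same signature after nonce advanced
  return out;
}
```

Because the limit is checked against the running total and the signature covers recipient, amount and nonce, splitting a large transfer into small ones, redirecting an approved transfer, or resubmitting an old approval all fail in this model.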
