Author Topic: [Ann] Peermit.com - 2FA for BitShares (early beta for advanced users)  (Read 11822 times)


Offline Riverhead




I played with this today and it works well. Certainly opens the door for other ideas/uses. Graphene is the best kept secret in crypto.

Offline abit

BitShares committee member: abit
BitShares witness: in.abit

Offline pc

Bitcoin - Perspektive oder Risiko? ISBN 978-3-8442-6568-2 http://bitcoin.quisquis.de

Offline merivercap

Fantastic news @xeroc and what a way to celebrate your 10,000th post!

This will be extremely useful for us at Bitcash so really glad you are doing this!

BitCash - http://www.bitcash.org 
Beta: bitCash Wallet / p2p Gateway: (https://m.bitcash.org)
Beta: bitCash Trade (https://trade.bitcash.org)

Offline Shentist

Quote
Wow.  Nice Xeroc.  So how have you figured out the exact amount that will be charged?
The registration fee of 200 BTS is just a little to pay for the account registration fee (50 BTS) and have some funds available initially to approve proposals.
The 0.4% fee is just an idea and not fixed yet .. However, I wanted to show people the progress I am making and let them play around it ..

Not sure how to deal with the business/profit related issues yet .. that's why I started with a bold 0.4% flat ...

Any suggestions on how to please the customers and still have the service be profitable?

nice approach!

i think 0.4% will be really expensive, considering this is just a kind of "insurance"

i would say you should try to calculate how many accounts you can handle automated with your computer etc. and make a yearly or monthly fee.

say, you will charge 15 bitUSD for 1 year. with this pricing you will make more with small accounts, but less with higher accounts. But i assume in the long run, you would have much to do with not so used accounts and from my experience these accounts will cost you much more time than the big accounts, because they need more attention.

maybe, you can think also about future services you can charge extra fees etc.

could you give me a hint how i can start the client wallet on windows? i am trying for a couple of days, but my tech is too low to understand it. i think the node is running, but i can't do anything with the client wallet.

Offline puppies

I would suggest a flat rate, or a series of flat rates based upon service level.  Maybe have a free option that only works with an account registered by you so you get the referral income, and there is a 30 minute delay in transaction processing.  Then have a rate of let's say 800 bts a month (set as a recurring transaction) for an unlimited account that you registered.  Then maybe 1000bts a month to integrate an existing account.  Provide alternate means of verification.  Email, text, other online messaging, Google. 

Perhaps the differentiator for free vs paid accounts could simply be the ability to modify parameters.  Or rate limiting.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline roadscape

Nice!! This is a valuable service and excellent hint of graphene's possibilities. This is the tip of the iceberg.

Your beta strategy is great and I'm glad you moved forward without waiting for others.. very inspiring!
http://cryptofresh.com  |  witness: roadscape

Offline fav

 +5% +5% +5%

I'll test it once it's available in the gui

Offline xeroc

Quote
Wow.  Nice Xeroc.  So how have you figured out the exact amount that will be charged?
The registration fee of 200 BTS is just a little to pay for the account registration fee (50 BTS) and have some funds available initially to approve proposals.
The 0.4% fee is just an idea and not fixed yet .. However, I wanted to show people the progress I am making and let them play around it ..

Not sure how to deal with the business/profit related issues yet .. that's why I started with a bold 0.4% flat ...

Any suggestions on how to please the customers and still have the service be profitable?

Offline xeroc

Quote
Interesting thought puppies. If so it's similar to the move the multibit wallet
did in their Multibit HD version, where they take a small fee in addition to the
bitcoin transaction fee on every transaction performed from that wallet. The
problem is, you can't opt-out, it's not a donation it is a mandatory fee. It's
worse than a license fee, it's more like an income tax!
To make it clear again. In this scheme you can OPT-OUT at any time.
I want to have it that way to not end up with a service that needs to be run
indefinitely. Every user can simply opt out by importing the owner key of the
original account. That of course also opens up an attack vector: If the original
account's owner key is compromised, so will the secured account!!!

Quote
@xeroc, if you plan on taking a cut of transfers, no matter
how small, consider making it an optional donation. Even if the default is ON,
allowing it to be turned off and fully disclosing that this is any part of your
funding model is the ethical thing to do. I see reviews and info about Multibit
that fail to disclose the mandatory fee they take to fund development (i.e. like
on cryptocompare.com) which I think is manipulative.
Good point. I could have a "free" plan with some restrictions and ask customers
to upgrade at a fee to gain access to "more features" or faster approvals or
something similar. Good idea. I will keep it in mind!
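
The opt-out path described in the post above, as an added example that is not code from the thread or from Peermit: a simplified model of weighted authorities in which the owner authority can stand in for the 2-of-2 active authority. The key labels, the account layout and the rule that only the owner authority may replace the active authority are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass
class Authority:
    """Weighted authority: the signers' weights must reach the threshold."""
    threshold: int
    weights: dict  # signer label -> weight (labels are hypothetical)

    def satisfied_by(self, signers):
        return sum(w for s, w in self.weights.items() if s in signers) >= self.threshold

@dataclass
class Account:
    owner: Authority
    active: Authority

def may_spend(account, signers):
    """A transfer needs the active authority; the owner authority can stand in for it."""
    return account.active.satisfied_by(signers) or account.owner.satisfied_by(signers)

def opt_out(account, signers, new_active):
    """Replace the active authority, dropping the co-signer.
    Assumption of this model: only the owner authority may do so."""
    if not account.owner.satisfied_by(signers):
        raise PermissionError("owner authority required")
    account.active = new_active

def secured_account():
    # Assumed layout: 2-of-2 active (user + service), owner held by the user alone.
    return Account(
        owner=Authority(1, {"user-owner-key": 1}),
        active=Authority(2, {"user-active-key": 1, "service-key": 1}),
    )

if __name__ == "__main__":
    acct = secured_account()
    for signers in ({"user-active-key"}, {"service-key"},
                    {"user-active-key", "service-key"}, {"user-owner-key"}):
        print(sorted(signers), "->", may_spend(acct, signers))
```

The last case is the trade-off named in the post: the same owner key that makes opting out possible also spends without the second factor, so it needs the strongest protection of the three keys.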

Offline fuzzy

Wow.  Nice Xeroc.  So how have you figured out the exact amount that will be charged?
WhaleShares==DKP; BitShares is our Community! 
ShareBits and WhaleShares = Love :D

Offline Thom

Quote
Very very nice.  If someone wanted to add your account active key to their existing account in a 2 of 2 scheme would you support that? 

How are you planning on taking your fee?  You can't stop someone from sending to this account, and if they want they can use their owner key to withdraw without 2fa.  Are you planning on charging a portion for each spend from this account that uses the 2fa system?

Interesting thought puppies. If so it's similar to the move the multibit wallet did in their Multibit HD version, where they take a small fee in addition to the bitcoin transaction fee on every transaction performed from that wallet. The problem is, you can't opt-out, it's not a donation it is a mandatory fee. It's worse than a license fee, it's more like an income tax!

@xeroc, if you plan on taking a cut of transfers, no matter how small, consider making it an optional donation. Even if the default is ON, allowing it to be turned off and fully disclosing that this is any part of your funding model is the ethical thing to do. I see reviews and info about Multibit that fail to disclose the mandatory fee they take to fund development (i.e. like on cryptocompare.com) which I think is manipulative.
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

Offline xeroc

Quote
Very very nice.  If someone wanted to add your account active key to their existing account in a 2 of 2 scheme would you support that? 
We can support that as well .. actually it was my first idea to do it that way
and have the corresponding routines implemented already. However, it is way
easier for most users to get a new account registered with the correct
authorities already .. plus, peermit.com sees referral income.
In theory we can even arrange a different scheme for every user.
For instance, we could have premium memberships that are cheaper.
Or we could instantly approve any trading activities but require 2FA for
transfers of USD and BTS, but not BTC :)

Possibilities are endless :)

Quote
How are you planning on taking your fee?  You can't stop someone from sending to
this account, and if they want they can use their owner key to withdraw without
2fa.  Are you planning on charging a portion for each spend from this account
that uses the 2fa system?
We have two options:
Either we only approve transactions that have a second transfer in them that pay
the service fee to our account,
or we demand withdrawal_permissions from an account and withdraw the service fee
monthly, weekly ...
Alternatively, we could even use a prepaid scheme and have people preload an
account at peermit.com .. though that would not be my preferred choice

What would you prefer?
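
The first option in the post above (co-sign only when the transaction itself carries the fee transfer), as an added example that is not Peermit's code. The operation dictionaries, the account names and the integer amounts in base units are constructed for this sketch; the 0.4% rate is the one floated in the thread.

```python
from collections import defaultdict

FEE_BPS = 40  # 0.4 %, the rate floated in the thread ("not fixed yet")
FIELDS = {"type", "from", "to", "asset", "amount"}

def fee_due(ops, secured, service):
    """Minimum fee per asset: FEE_BPS of everything the secured account sends elsewhere."""
    spent = defaultdict(int)
    for op in ops:
        if op["from"] == secured and op["to"] != service:
            spent[op["asset"]] += op["amount"]
    # Round up so dust-sized transfers still owe at least one base unit.
    return {a: (amt * FEE_BPS + 9_999) // 10_000 for a, amt in spent.items()}

def fee_paid(ops, secured, service):
    """Total per asset that the transaction pays from the secured account to the service."""
    paid = defaultdict(int)
    for op in ops:
        if op["from"] == secured and op["to"] == service:
            paid[op["asset"]] += op["amount"]
    return paid

def should_cosign(ops, secured, service):
    """Fail closed: unknown operation types or malformed fields are never co-signed."""
    for op in ops:
        if not FIELDS <= op.keys() or op["type"] != "transfer":
            return False
        if not isinstance(op["amount"], int) or op["amount"] <= 0:
            return False
    due, paid = fee_due(ops, secured, service), fee_paid(ops, secured, service)
    # The fee must be paid in the same asset as the spend it covers.
    return bool(due) and all(paid[a] >= fee for a, fee in due.items())

# Constructed sample transaction (hypothetical account names).
SAMPLE = [
    {"type": "transfer", "from": "secured-acct", "to": "alice", "asset": "BTS", "amount": 100_000},
    {"type": "transfer", "from": "secured-acct", "to": "service-fees", "asset": "BTS", "amount": 400},
]

if __name__ == "__main__":
    print(should_cosign(SAMPLE, "secured-acct", "service-fees"))
```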

Offline puppies

Very very nice.  If someone wanted to add your account active key to their existing account in a 2 of 2 scheme would you support that? 

How are you planning on taking your fee?  You can't stop someone from sending to this account, and if they want they can use their owner key to withdraw without 2fa.  Are you planning on charging a portion for each spend from this account that uses the 2fa system?
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline xeroc

Quote
Glad to see a 2FA scheme not based on cell phones, which are very porous and
insecure b/c of the openness at some levels of the comm. stack required for
multi-carrier interoperability. That risk may be low, but it is difficult to
evaluate. I am very paranoid and would never rely on the security of any 2FA
based on cell phones UNLESS I rooted the phone and was very confident of the ROM
and other tools to protect the device's security. Even with that, I still have
reservations about security compromise at the hardware level.
I hear you .. and I have my phone rooted as well (in fact I have another ROM
installed)

Quote
I presume that the memo field used to communicate the email account is not visible without the transaction private key to unlock?
Correct. Actually, the key required (by default) to decode the memo is a shared
secret of your pub key and the other party's priv key .. or vice versa.

Quote
The use of VPN is great, consider chaining more than one together from 2 or more
vendors for added protection.
Indeed .. Once we made some profit to pay for even more security, this will
happen. I have also started to write the transaction signing process in python
directly .. that way we don't need to run a cli_wallet at all and can harden
the system even more.

Quote
Consider using a trusted secure email provider like startmail (or setup your own
on a VPS) if you haven't already. Only connect to that server via VPN. Email is
probably your weakest link in terms of security vulnerabilities.
Peermit.com is hosted solely on a fat machine. We have our own mail server of
course and we plan to add PGP signing for all messages eventually.
Keep in mind that the current beta is really just an MVP or proof-of-concept
(with security already in mind). Give us some more time and we will make it even
stronger :)