Increasing security of "multifactor" (MFA) Safe approval accounts 🔑

What type of Safe approval account is exposed to more risk in a “multifactor approval account” perspective, the account that creates a Safe transaction or the account that signs the final onchain confirmation?

Projects like nestwallet.xyz have promoted secure and convenient use of Safe accounts using multi-factor authentication/two-factor authentication approaches with multiple approval accounts. For example, is there an advantage to having more secure hardware accounts, e.g. Ledger and Trezor, sign either the transaction creation or the final onchain confirmation transaction? This is compared to potentially less secure software approval accounts, e.g. MetaMask and Rainbow.

  • The account that creates the Safe transaction seems that it is higher risk since it defines the values around an action.
    • The first account to create a transaction could have increased risk if it is compromised and creates a transaction that is different from what is shown in the UX.
  • Whereas with the account that signs the final onchain confirmation, in a worst case scenario where the account is compromised, the account can only create a new transaction.
    • It can not alter the existing Safe transaction (Assuming the existing transaction was created legitimately).

Much appreciated!

Feedback on the above from a CTO of an app powered by Safe:

Aside from key compromise - If it is the same machine used throughout then the UX could be altered for all signing actions and the user would sign regardless of which wallet type. However, some wallets are better at displaying a human-readable decoded Safe tx.

So the best practice would be to use different machines for each action, and use the wallet that best decodes the transaction for every signing action, then whether the first|second|both keys being on hw is arbitrary.

Fleshing out a key compromise scenario based around the MFA use case you described where P1 account is regularly proposing transactions and P2 is regularly approving/executing transactions. Both P1 & P2 keys are controlled by the same individual. The individual’s computer has been compromised by malware or rouge browser extension.

The private key of P1 is known to the attacker; the attacker doesn’t want to cause alarm by prematurely triggering a transaction; when P1 goes to make a spend transaction the attacker employs a MITM on the Safe API; the attacker has the intended tx payload and can discard the signature of P1; the attacker crafts a similar spend transaction and signs it with the compromised P1 key; because the individual just signed the proposed transaction they are less cautious in approving/executing with P2.

This doesn’t require a malicious UX to succeed. A human readable decoded Safe tx may help alert the individual when signing with P2 but this isn’t foolproof. In this scenario you could consider that a hw wallet could be preferable first for P1, or both P1 & P2.

A takeaway from discussing Safe multi-factor authentication (MFA) is to use ≥ 2 devices to view and confirm Safe UX for approvals, e.g. Safe web app + Safe mobile app. :computer::iphone::beginner:

(This is in addition to using multiple types of approval accounts of course, e.g. Trezor, MetaMask, etc.)

A big opportunity to improve MFA with Safe is to “Connect external signer key” on Safe Android using software accounts like MetaMask.

Are there plans to expand this for Android (Currently iOS beta only)?

If not, this is a great feature for other Safe apps to improve MFA by connecting to software approval accounts, e.g. Approve on web with hardware account (Trezor) and on mobile with software account (MetaMask).

Currently, with the Safe Android app it is only possible to approve on mobile with a hardware account (Ledger or Keystore), without importing the private keys.

Why connecting an account improves security compared to “Importing existing owner key”

  • Separates concerns between the Safe UX on web + mobile and the approval account private key
  • Reduces exposure of approval account, e.g. MetaMask private key being shared across multiple apps

Is it technically possible to approve (“execute”) fully confirmed actions on Safe’s mobile app?

This is another opportunity to improve multi-factor authentication (MFA) security by enabling the full transaction confirmation process to occur on multiple device types.

I estimate because it is possible to confirm actions on Safe mobile it is also technically possible to implement the approve (“execute”) feature.

Also, the “Import owner key” support view needs to be updated for “iOS only availability”

The support view Import owner key > Connect key using WalletConnect, section shows the ability to connect the Safe mobile app to any account using WalletConnect. However, this is not available in the Android app v3.90. The Safe support team has confirmed through chat on help.safe.global that is support view should be updated to communicate this is an iOS only feature.

Much appreciated!

1 Like

I’m happy to learn that nestwallet.xyz, a part of the Safe grants program (SGP) wave 1, is building multi-factor authentication (MFA) for Safe accounts across web and mobile!

:mag: This means that you can view and verify your transaction details on a mobile device
:writing_hand:t2: Approve and make final confirmation of actions on mobile
:beginner: These are important upgrades because mobile adds another layer of protection by having multiple devices to fully interact with Safe, rather than relying on 1 source of truth from the web.

1 Like