Securing your Stellar Lumens with Multisig and StellarGuard
Imagine this: you’ve bought some Stellar Lumens (XLM) and decide to send some of it to your friend. You pull out your secret key that you printed on paper and enter it into your favorite wallet software to make a transaction. You enter your friend’s public key as the destination and hit send.
> Error! You don’t have enough XLM to complete this transaction.
A sense of dread washes over you as the screen updates with an outgoing transaction to an account you’ve never seen before, draining all of the XLM that you just purchased. Your computer had a key-logging virus and a hacker has stolen everything.
This is the exact scenario that faced users of a popular Stellar wallet named Blackwallet earlier this year. Other users have lost their XLM by storing their secret keys in an online drive. Even users who use mobile wallets are not entirely safe — a malicious update or a hack of the wallet developer’s account could leave you broke. One thing is certain: if someone gets your secret key, they will take all of your XLM.
So how do you stay safe, even if your private key is stolen? The Stellar protocol has a solution to this problem built right into it: multisignature accounts.
You may have heard the term multisignature or “multisig” before, but what does it actually mean? Stellar accounts have a concept known as “signers”; a transaction is not valid and cannot be submitted unless it is signed with the account signers’ private keys. An account that uses multisig is set up so that it requires multiple signers from different accounts in order for its transactions to be valid.
Let’s use a real-world metaphor to break down the concept of signers, secret keys, and multisig: banks. You open a checking account at a bank and are given a stack of checks. You write a check for $100 to your friend, and you sign your name at the bottom. When your friend cashes it, the bank is supposed to verify that your signed name at the bottom matches what they have on file for you, otherwise they should flag it as fraudulent and reject it. Since you were the one to write and sign the check, everything is fine and your $100 goes to your friend as expected.
One day you accidentally leave your checkbook on the bus, along with a few other papers that have your signature on them. A nefarious character named Don finds your checks, writes a check to himself for $1000, and traces the signature he found in those papers onto it. He cashes the check, and because the signature looks right, the bank accepts it. Yikes, you’re out $1000! This is like if a hacker stole your Stellar secret key.
The next day you get an idea: you walk to the bank with your trusty friend Bob and tell the bank that you want to make a change to your account: from now on the bank should only accept checks that have both your signature and Bob’s. So you write a check for $10 to Bob, thanking him for agreeing to do this for you. You sign your name at the bottom and hand him the check, and he signs his name at the bottom too. Great! The check gets cashed as expected. That’s multisig.
Later, you lose your checkbook and Don finds it and writes himself another $1000 check with your forged signature. He goes to cash it, but the bank sees that Bob’s signature is not on it, so they give you a call and you tell them to throw Don in jail for theft. This is like if a hacker stole your Stellar secret key, but your account had multisig on it.
Not all of us have a friend like Bob whom we can trust to be available at all hours of the night to sign transactions for us. But there’s good news: meet your new friend StellarGuard.me.
StellarGuard.me is a web application designed to keep your Stellar account safe and secure by adding multisig to your account and protecting transactions with two-factor authentication.
StellarGuard was built with 3 main goals:
- Your XLM should be safe even if your computer is hacked and your secret key is stolen.
- Your XLM should be safe even if StellarGuard is hacked and its secret keys are stolen.
- You should never enter your own secret key into StellarGuard. Instead you will build transactions with your normal wallet and submit them to StellarGuard for final authorization.
So how does it achieve these goals and how does it work?
When you sign up for a StellarGuard account, it creates a random, unique public/secret key pair. It then guides you through the process of adding multisignature to your account with your StellarGuard public key as a signer. Once this is complete, you press a button to link your Stellar account public key to StellarGuard. That’s it, now you’re protected!
When it comes time to actually make a payment, instead of submitting your transaction to the Stellar network, you or your wallet submits the half-signed transaction to StellarGuard. StellarGuard sees that it only has half of the signatures and sends an authorization email to the email address that you registered with. Once you click on the link in your email, you’ll be prompted to enter a code to authorize the transaction: either a special code that is found in the email that was sent to you, or a rotating 6-digit passcode that is generated by an authenticator app on your mobile phone for two-factor authentication.
Once you log in and enter the correct transaction verification code, StellarGuard will add the second signature (only known to StellarGuard) to the transaction and submit the now-valid transaction to the Stellar network.
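The signer setup described above can be checked with a small model of Stellar's weight-and-threshold rule. This is an added example, not StellarGuard's code: the signer labels, weights and threshold values are assumptions chosen for illustration, and the `Account` class and its `audit` method are hypothetical helpers.

```python
# Added example: simplified model of Stellar's signer weights and thresholds.
# Weights and thresholds are assumed values, not StellarGuard's documented setup.
from dataclasses import dataclass

# Stellar assigns each operation a threshold category: payments are "med",
# changing signers or thresholds (SetOptions) is "high".
OP_CATEGORY = {"payment": "med", "set_options_signers": "high"}


@dataclass
class Account:
    signers: dict      # signer label -> weight (master key included)
    thresholds: dict   # {"low": n, "med": n, "high": n}

    def authorized(self, op, signed_by):
        """True if the summed weight of known signers meets the op's threshold."""
        # Unknown keys contribute weight 0; each signer is counted once.
        weight = sum(self.signers.get(s, 0) for s in set(signed_by))
        return weight > 0 and weight >= self.thresholds[OP_CATEGORY[op]]

    def audit(self):
        """Return (signer, op) pairs where one key alone can authorize op."""
        return sorted(
            (s, op)
            for s in self.signers
            for op in OP_CATEGORY
            if self.authorized(op, [s])
        )


# Constructed configurations; labels stand in for real public keys.
# Default-style account: one master key, all thresholds 0.
single_key = Account({"user": 1}, {"low": 0, "med": 0, "high": 0})

# Two signers of weight 1, every threshold 2: both signatures always required.
protected = Account({"user": 1, "stellarguard": 1},
                    {"low": 2, "med": 2, "high": 2})

# Misconfiguration: payments need both keys, but the high threshold is 1,
# so a single key could still rewrite the signer list.
weak_high = Account({"user": 1, "stellarguard": 1},
                    {"low": 1, "med": 2, "high": 1})

if __name__ == "__main__":
    for name, acct in [("single_key", single_key), ("protected", protected),
                       ("weak_high", weak_high)]:
        print(name, "single-key findings:", acct.audit())
```

An empty `audit()` result corresponds to the first two design goals: neither the user's key nor the co-signer's key is sufficient on its own for any operation in the model.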
If StellarGuard had been around during the Blackwallet hack and enabled on those accounts, that hacker would have walked away empty-handed.
Some of you who use mobile app wallets with enhanced security features such as encrypted secrets, passphrases, and BIP-32 mnemonic codes may wonder why they would need StellarGuard. There are two reasons:
- At some point or another, even with all of the protections added to a mobile wallet, your secret key is still “taken out” and used to sign transactions. At that point it is at its most vulnerable: if there is a virus, a bug in the code, or even a malicious developer update, you’ll still lose your lumens.
- Security works best when it is layered. If your wallet has a 99% chance of protecting you and StellarGuard has a 99% chance of protecting you, using both gives you a 99.99% chance of being protected, assuming the two fail independently of each other.
But what about a hardware wallet? Isn’t that the best choice? Sure, if you want to spend $60 to $100 on a hardware wallet that you always have to keep with you in case you want to make a payment, then that will probably work out just fine for you (or will it??). Or you could sign up for StellarGuard and use a protection mechanism that is built right into the Stellar protocol.
Wallet Developers: want to integrate StellarGuard into your wallet so that users protected by StellarGuard can submit transactions without leaving your wallet? Check out the Wallet Developer FAQ or email email@example.com with questions.
This article focuses on just the small portion of Stellar multisig that is used for account security. For a more in-depth look at the possibilities of using multisig with Stellar, check out this Stellar.org page.