Two Factor Authentication
It is highly recommended that you enable two-factor authentication on your My wallet account. Your wallet data is still encrypted only with your password; however, a second authentication step must be passed before your encrypted wallet data is output. Currently we support Yubikey and email two-factor authentication.
Failed Login Attempts
If you have two-factor authentication enabled on your account, after 4 failed login attempts your account will be locked for 2 hours, during which no more login attempts can be made. You will be sent an email if your account is locked, giving you time to take precautions if necessary.
A secret phrase can be set in your "Account Details" panel after login. In the case of lost wallet identifiers, Yubikeys or lost email access, the secret phrase can be given to us to help verify account ownership. This is reviewed manually on a case-by-case basis.
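The lockout rule above, sketched as an added example (not this site's own code) for an account with two-factor authentication enabled. The names Account and attempt_login are hypothetical, and the reset-on-success and reset-after-expiry behaviour are assumptions the page does not state.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 4               # from the page: 4 failed login attempts
LOCK_SECONDS = 2 * 60 * 60     # from the page: locked for 2 hours


@dataclass
class Account:
    """Per-account lockout state (hypothetical model, 2FA enabled)."""
    failures: int = 0
    locked_until: float = 0.0
    notices: list = field(default_factory=list)  # stands in for outgoing email


def attempt_login(acct: Account, code_ok: bool, now: float) -> str:
    """Return 'ok', 'denied' or 'locked' for one attempt at time `now` (seconds)."""
    # While locked, refuse before looking at the submitted code, so that a
    # correct guess made inside the lock window gains nothing.
    if now < acct.locked_until:
        return "locked"
    if acct.locked_until:
        # Assumption: once a lock has run out, the counter starts afresh.
        acct.failures, acct.locked_until = 0, 0.0
    if code_ok:
        acct.failures = 0      # assumption: a success clears the counter
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCK_SECONDS
        # One notice per lock, sent at the moment the lock is applied.
        acct.notices.append(f"account locked until t={acct.locked_until:.0f}")
        return "locked"
    return "denied"


if __name__ == "__main__":
    acct = Account()
    # Constructed sequence: four wrong codes, then a correct one during the lock.
    for t, ok in [(0, False), (10, False), (20, False), (30, False), (100, True)]:
        print(t, attempt_login(acct, ok, t))
    print(acct.notices)
```

Passing the clock in as `now` keeps the 2-hour boundary testable without waiting.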
Sessions & cookies
For your convenience, once two-factor authentication is verified it is remembered for a short time. Yubikey sessions expire in 4 hours; email codes expire in 24 hours.
No sensitive data is stored in your browser's local storage. If available, the site will cache your wallet identifier, address balances and transactions; in the event of a login with a different identifier this data is cleared.
Your password is never transmitted over the internet, sent to our servers, stored in cookies or in your browser's local storage in any form. For this reason we are unable to help recover lost passwords.
Access to personal data
Your personal data, such as your email address, is only made available to a client with the associated shared key. This key is encrypted inside your wallet, which requires your password to reveal.
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
As a password is required for every login and no cookies are used, the site is not vulnerable to CSRF exploits.
Our database and website run on privately owned dedicated hardware which is located in a secure data center with a 24 hour security guard. Only the site administrator has access to the servers.
All data is synchronously committed to at least two different servers and backed up to an offsite location every 24 hours.