Blockchain Wallet FAQ - blockchain.info

Blockchain account

Blockchain Algorithm / March 21, 2018

Secure bitcoin wallet

Two Factor Authentication

It is highly recommended that you enable two-factor authentication on your My Wallet account. Your wallet data is still encrypted only with your password; however, a second authentication step must be passed before your encrypted wallet data is output. Currently we support Yubikey and email two-factor authentication.

Failed Login Attempts

If you have two-factor authentication enabled on your account, after 4 failed login attempts your account will be locked for 2 hours, during which no more login attempts can be made. You will be sent an email if your account is locked, giving you time to take precautions if necessary.

Secret Phrase

A secret phrase can be set in your "Account Details" panel after login. In the case of lost wallet identifiers, lost Yubikeys or lost email access, the secret phrase can be given to us to help verify account ownership. This is reviewed manually on a case-by-case basis.

Sessions & cookies

For your convenience, once two-factor authentication is verified, this will be remembered for a short time. Yubikey sessions expire in 4 hours; email codes expire in 24 hours.
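
The release rules from the Two Factor Authentication, Failed Login Attempts and Sessions & cookies sections, modelled together as an added example. This is not blockchain.info's code: `TwoFactorGate`, `verifyCode`, `notify` and `sessionId` are hypothetical names, and the per-account failure counter and its reset behaviour are assumptions.

```javascript
// Added illustration, not blockchain.info code. TwoFactorGate, verifyCode,
// notify and sessionId are hypothetical names; limits are the FAQ's figures.
const HOUR = 60 * 60 * 1000;
const MAX_FAILURES = 4;                 // lock after 4 failed attempts
const LOCK_MS = 2 * HOUR;               // lock lasts 2 hours
const REMEMBER_MS = new Map([["yubikey", 4 * HOUR], ["email", 24 * HOUR]]);

class TwoFactorGate {
  constructor(encryptedWallet, verifyCode, notify) {
    this.blob = encryptedWallet;        // ciphertext only; the server never sees the password
    this.verifyCode = verifyCode;       // (method, code) => boolean, assumed verifier
    this.notify = notify;               // assumed mailer hook, called when the account locks
    this.failures = 0;                  // counted per account, across all sessions
    this.lockedUntil = 0;
    this.sessions = new Map();          // sessionId -> time the remembered 2FA expires
  }

  // One wallet request at time `now` (ms). Returns { ok, wallet } or { ok, reason }.
  request(sessionId, method, code, now) {
    // Assumption: a lock refuses every request, including remembered sessions.
    if (now < this.lockedUntil) return { ok: false, reason: "locked" };
    if (now < (this.sessions.get(sessionId) || 0)) {
      return { ok: true, wallet: this.blob };
    }
    this.sessions.delete(sessionId);    // expired or unknown: second factor needed again
    if (!REMEMBER_MS.has(method)) return { ok: false, reason: "unsupported-method" };
    if (!this.verifyCode(method, code)) {
      this.failures += 1;
      if (this.failures < MAX_FAILURES) return { ok: false, reason: "bad-code" };
      this.failures = 0;                // assumption: the count restarts after a lock
      this.lockedUntil = now + LOCK_MS;
      this.notify(`account locked until ${new Date(this.lockedUntil).toISOString()}`);
      return { ok: false, reason: "locked" };
    }
    this.failures = 0;                  // assumption: a success clears earlier failures
    this.sessions.set(sessionId, now + REMEMBER_MS.get(method));
    return { ok: true, wallet: this.blob };
  }
}
```

Passing `now` explicitly keeps the 2-hour, 4-hour and 24-hour boundaries testable without waiting on a real clock.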

Local storage

No sensitive data is stored in your browser's local storage. If available, the site will cache your wallet identifier, address balances and transactions; in the event of login with a different identifier, this data is cleared.

Password Policy

Your password is never transmitted over the internet, sent to our servers, or stored in cookies or in your browser's local storage in any form. For this reason, we are unable to help recover lost passwords.

Access to personal data

Your personal data, such as your email address, is only made available to a client with the associated shared key. The shared key is encrypted inside your wallet, which requires your password to reveal.

Cross-site scripting (XSS)

All user data is stripped of any HTML or JavaScript code before being output. You are encouraged to review our code for possible XSS vulnerabilities.

Cross-site request forgery (CSRF)

As a password is required for every login and no cookies are used, the site is not vulnerable to CSRF exploits.

Server Access

Our database and website run on privately owned dedicated hardware, which is located in a secure data center with a 24-hour security guard. Only the site administrator has access to the servers.

Backup Policy

All data is synchronously committed to at least two different servers and backed up to an offsite location every 24 hours.

Source: blockchain.info