Don't shut me out! Why bitcoin wallets shouldn't lock you out after 3 attempts

Why do bitcoin apps have login screens?

Login screens help ensure only authorised people can access your wallet. They provide an extra level of security in addition to the device's login measures such as Face ID, passcodes, passwords, etc.

Are login screens necessary?

Only when the user asks for it! Desktop and mobile applications benefit from a first line of defence provided by the device's operating system - a password or similar tool needed to log on to the device. Entering a passcode to unlock your phone, and then another for your app, can frustrate the user and make the app less enjoyable to use. Ultimately users should be in control of how the software works for them.

How many attempts before you lock me out?

A 4 digit passcode has 10,000 combinations. A 6 digit passcode has 1,000,000 combinations. Why would you lock a user out after just 3 incorrect attempts? How many attempts should I get before you lock me out? Should you ever lock me out?

Let's have a look at what different bitcoin apps do.

Muun

This bitcoin wallet forces you to create a pin needed to access the app. I chose a 4 digit code. The app gives you 3 attempts before locking you out, after which you have to use your recovery key to restore access to your funds.

Green

This app gives you 3 attempts to enter your 6 digit code. The app requires that you are online which suggests that your pin code is stored on Blockstream servers. If so, why can't they email me my pin when I've forgotten it? Ideally there would be an additional recovery system other than relying on people to enter their mnemonic.

Bluewallet

By default this app has no login screen which is one of the many reasons this app feels user friendly.

You can set up an encrypted password and you can make an unlimited number of attempts without it locking you out.

Coinbase Wallet

During onboarding, this crypto wallet forces you to set up a 6 digit passcode. You can change the settings to enforce a passcode check when making a transaction or when accessing the app. No recourse exists if you forget your passcode other than your mnemonic seed.

Trezor Model T

You have to set up a 4 digit passcode protecting access to the device. This code is also required when broadcasting transactions, which makes sense: the first passcode is analogous to unlocking your phone, and the second is similar to accessing the app.

Electrum (version 3.3.4)

The desktop wallet Electrum lets you optionally encrypt a wallet file using a password of your choice. You are allowed an unlimited number of attempts; however, if you forget your password there is no way to recover your funds other than by entering your mnemonic seed.

How do other financial apps compare?

For reference, how do these apps compare to fintech ones such as Cash App or Revolut, which both secure funds for millions of users?

Cash App

Adding a 4-digit security lock is optional. If I forget my passcode the app can email me my pin!

Revolut

The mobile banking app allows users to add an optional 4 digit passcode to prevent unwanted access to the app. It allows 4 failed attempts and adds a delay between each failed attempt to slow down a potential attacker. There is an option to recover your password by email if you forget your passcode.

Conclusion

For many, bitcoin is a large proportion of their life savings. Security has to be taken seriously when creating these apps. Pins and passwords in bitcoin apps are a second line of defence against unwanted access; the device’s passcode or password (present by default on most operating systems) is the first.

Pins and passwords on software-based bitcoin wallets should be optional. On hardware wallets they should be on by default, but that too should be optional.

Developers and designers should accept that there are legitimate reasons why a user may forget his pin or password. Providers should help users understand the risks involved in adding extra security measures as well as the risk of forgoing them.

It is unnecessary to completely lock users out without providing multiple methods to recover access. Using your mnemonic seed as one method is a start but we can do better.

Apps that run on computers and mobile devices can store the user's email address and (potentially after a delay) send the pin/password to the user.

Recommendations for bitcoin app makers

  1. Make passwords and pins optional
  2. Explain the rules and implications of forgetting a password or pin before setting it up
  3. Consider encouraging users to take more security measures when the value of their coins goes over certain limits
  4. Provide more than one alternative method of recovery
     - Email the user (even non-custodial apps can do this)
     - Provide a password hint
     - Use mnemonic seed
  5. If you are going to lock a user out, provide at least 5 attempts. Why 5? The industry standard of 3 is ridiculously low, 4 isn't much better, 5 is approaching reasonable.
  6. If you are going to lock a user out, don't count duplicate password/passcode attempts (they probably thought they mistyped it)
  7. Lock the account in increasing time increments
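
The last three recommendations (at least five attempts, uncounted duplicate guesses, increasing lock times) fit in one small limiter. The sketch below is an added example, not code from any wallet reviewed above; `PinThrottle`, `delay_after`, `worst_case_wait` and the 30-second base and one-day cap are assumptions chosen for illustration, and a real app would persist the counters across restarts.

```python
import hashlib
import hmac
import os


def delay_after(failures, free=5, base=30, cap=86400):
    """Seconds to wait after the Nth counted failure: none for the first
    free-1, then base, 2*base, 4*base ... up to cap (illustrative values)."""
    over = failures - free
    return 0 if over < 0 else min(base * 2 ** min(over, 64), cap)


class PinThrottle:
    def __init__(self, verify):
        self._verify = verify        # callable(guess) -> bool, supplied by the app
        self._key = os.urandom(32)   # keys the digests so raw guesses are not kept
        self._seen = set()           # digests of wrong guesses already counted
        self.failures = 0
        self.locked_until = 0.0

    def try_pin(self, guess, now):
        """Return 'ok', 'wrong' or 'wait'. `now` is seconds from a clock the
        user cannot rewind (assumption: e.g. a monotonic boot clock)."""
        if now < self.locked_until:
            return "wait"
        if self._verify(guess):
            self.failures, self.locked_until = 0, 0.0
            self._seen.clear()
            return "ok"
        tag = hmac.new(self._key, guess.encode(), hashlib.sha256).digest()
        if tag not in self._seen:    # a repeated wrong guess is not counted again
            self._seen.add(tag)
            self.failures += 1
            self.locked_until = now + delay_after(self.failures)
        return "wrong"


def worst_case_wait(pin_space):
    """Total enforced delay, in seconds, to try every wrong PIN in the space."""
    return sum(delay_after(k) for k in range(1, pin_space))
```

With these values, working through all 10,000 four-digit codes costs roughly 27 years of enforced waiting, while a user who mistypes a few times waits seconds and is never permanently locked out.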