2FA feature is needed, ASAP, for all transactions and account recovery

I might need an assist to walk through what you’ve set up. If I must, I would use a hardware wallet, but I still don’t understand how if you lose the HW wallet, but still have your passphrase, that you could access your funds - doesn’t that make it just as vulnerable as a SW wallet? If not, then the HW wallet is only providing a “signing” function for the transactions, correct? If so, then that should be something that can also be implemented in software - right? I obviously don’t know enough of the technical details to provide enough helpful input.

No, it doesn’t. E.g. the firm Ledger EXPLICITLY tells you to write down the 24 words randomly generated during setup. Your write it up on a piece of paper, and lock up the paper in a safe. The passphrase never again is shown, and never again leaves the device. It is used only to derive your other private keys. So, noone on the Internet will ever know it.

It the device gets lost or stolen, there is a PIN to protect it. It the thief enters the PIN 3 times wrong, the 24 words are cleared from the cryptographically secure element. So, if you choose a 8 digit PIN, the thief would have the same chance to open the device as to win the Eurojackpot.

If the device gets lost or stolen, you can reprogram another one with the 24 words, written down previously, and can access your funds. Of course, if you are bothered by the fact that the thief may get your funds, you have to transfer your funds to a new address, or in the case of Algorand rekey your accounts. It is a pain in the neck.

But otherwise HW wallets are great. I recommend the Ledger Nano family to you.

P.S. Another variation on this theme is not to write down anything, but to have a 1 out of 2 multisig account, and 2 HW wallets with 2 random passphrases. One is locked up in a safe, the other is for everyday use. If one of the devices is lost/stolen/goes wrong, the other can be used to move your funds, or rekey your account. (It is not recommended, but in theory it works.)

1 Like

You do not seem to be authenticated because top menu shows that your authentication is outdated or you just typed in the address… you must create wallet in order to store there account

Also make sure that in your settings you have selected mainnet network

Check out the multisig video how to use it… Algorand multisig feature - YouTube

What we are talking now about is that we add there 2FA Account which will consist of multisig of 3 accounts… 2 your accounts… for example one ledger device (cold storage), one hot storage, and one account from this service… So you can sign the tx with your hot account with the service account, and the tx will go on. If the service will stop working, you will just sign tx with your ledger and your hot account and rekey to other account.

1 Like

I have just created the test account from the passphrase. I am on mainnet. The error is CORS.
If I go to testnet, I get the SigTx

SigTx gqNzaWfEQNW61cWm9d+aXkgMI19tvE+0Q6NWsKonVvjO4l+Ot2I/w5hmTWPyaFf/AjOieX5u5CpseTUWJ1EIuHbQbgnnEQ+jdHhuiaNmZWXNA+iiZnbOAbAHDaNnZW6sdGVzdG5ldC12MS4womdoxCBIY7UYpLPITsgQ8i1PEIHLD3HwWaesIN7GL39w5Qk6IqJsds4BsAr1pG5vdGXECTJGQSNBUkMxNKNyY3bEIIcXrTwIwnhP+UY5n15GwRPerCPLrW3CSK2oej41QWiDo3NuZMQghxetPAjCeE/5RjmfXkbBE96sI8utbcJIrah6PjVBaIOkdHlwZaNwYXk=

I have noticed that the default nodes were not selected properly on first load, and fixed it…

Are you saying you lost funds from a Pera wallet , not from MyAlgo? You seem to be saying you were encouraged to share your secret key.

@scholtz I have tried out Google Auth. Congrat, it works. Code gives back true even if it is outside the timing window.

gave back error


curl -X 'POST' \
  'https://2famsig.k8s.aramid.finance/v1/Multisig/SignValidateTwoFactorPIN' \
  -H 'accept: */*' \
  -H 'Authorization: SigTx gqNzaWfEQNvWALPLZhzvAmrhLjCCIg1SlDIxolozEzmbs7xryyTtGB8MKiE04kjCrf8xBN1hj1/j9lNzBxY8U8O6R8v4jAmjdHhuiaNmZWXNA+iiZnbOAaRsxaNnZW6sbWFpbm5ldC12MS4womdoxCDAYcTY/B293tLXYEvkVo4/bQQZh6w3veS2ILWrOSSK36Jsds4BpHCtpG5vdGXECTJGQSNBUkMxNKNyY3bEIIcXrTwIwnhP+UY5n15GwRPerCPLrW3CSK2oej41QWiDo3NuZMQghxetPAjCeE/5RjmfXkbBE96sI8utbcJIrah6PjVBaIOkdHlwZaNwYXk=' \
  -H 'Content-Type: multipart/form-data' \
  -F 'Tx.PoolError=' \
  -F 'MSig={}' \
  -F 'Tx.SenderRewards=' \
  -F 'LSig.Address.Bytes=' \
  -F 'Tx.GenesisHash.Bytes=' \
  -F 'Threshold=2' \
  -F 'Tx.ReceiverRewards=' \
  -F 'Sig.Bytes=' \
  -F 'Tx.Lease=' \
  -F 'Tx.Committed=' \
  -F 'Tx.Group.Bytes=' \
  -F 'Tx.FirstValid=0' \
  -F 'Tx.CloseRewards=' \
  -F 'AuthAddr.Bytes=' \
  -F 'Version=1' \
  -F 'Tx.GenesisID=' \
  -F 'Tx.ConfirmedRound=' \
  -F 'Tx.RekeyTo.Bytes=' \
  -F 'Tx.LastValid=0' \
  -F 'Tx.Fee=0' \
  -F 'Tx.Note=' \
  -F 'Tx.Sender.Bytes=' \
  -F 'txtCode=595762'

Request URL
Response body

  "status": 400,
  "detail": "Object reference not set to an instance of an object."

Response headers:
content-type: application/problem+json; charset=utf-8 date: Fri,10 Mar 2023 22:33:53 GMT strict-transport-security: max-age=15724800; includeSubDomains x-firefox-spdy: h2

Yes, we need to make this compatible with other SDKs… Thats why i have asked frank for help… He is main developer of C# AlgoSDK.

What we need is to allow multisig in format which other sdks produce it … for example


If we dont get the support from Frank, i will do it, but i would prefer if it was the AlgoSDK feature…

This is also untrue.

MultisigSupport remains in the SDK and people are using multisigs.

For example

            Address addr1 = new(address1);
            Address addr2 = new(address2);
            List<byte[]> addrs = new() { addr1.Bytes, addr2.Bytes };
            return new MultisigAddress(1, 1, addrs);

If you do want features in the SDK, the correct channel is the github issue tracker for the repo. I notice that yesterday you created a new issue asking not for multisig support but for advice on how to use multisig support via demos.

A new version of the SDK will be being release in the next week or so with completely updated web documentation, a reworked version of KMD, and other updates. In the meantime you can ask for advice on the NET SDK channel on the developer discord. I don’t appreciate b/s comments like “frank removed the functionality,” not because of the bizarre ad hominem but because it’s confusing to others. Update your comments or delete them.

Sorry, there was some functionality in old library that dissapeared in your fork. I understand the refactoring needs, and that the library from you is in much better state as it was before. I used old library and i am using your library now. .NET is my prefered language of choice for backend development.

Can you give me example how to append signature to the multisig?

Yes, it was a Pera wallet. It happened to be a shared wallet between me and someone else, so there is a chance it may have been connected to MyAlgo at some point to view the balance, but if that did happen, it was quite a long time ago, and has not been reconnected to MyAlgo since then, as far as I know. I’m guessing we both did have the Metamask extension for Chrome, not sure if that’s part of the suspected vector here. I’ve removed it an have everything stored in an encrypted vault now.

Hmm. By “connected to” I presume you mean that you imported the wallet by adding the secret key to MyAlgo?

It would be useful to know when in fact that event happened, if indeed that was what happened.

If it did not then the likely scenario is that the “someone else” moved the funds, or in some other way the account was compromised unrelated to MyAlgo.

I am curious about this situation…2FA doesn’t sound like the answer to this problem. Multifactor authentication is probably the responsibility of the wallet app itself, and regardless, it doesn’t help if you share the wallet/secret key around.

What might help is if the wallet app constantly rekeys your account and then asks you to safely record the key. This would be an annoyance though.

That is a very good question. I can’t say what happened exactly, because it was a very long time ago that the wallet may have been connected to MyAlgo. I distinctly remember being prompted to add my recovery passphrase for one of my wallets, and thinking - there is no way in hell I’m doing that. So, I thought that I had just somehow connected to MyAlgo just for grins to watch the balance in the couple of wallets - one private (only I have the passphrase), and one shared with one other person. Interestingly, the private/personal account - which I also somehow had “watched” in MyAlgo at some point, but I’m certain I had never shared the passphrase because I think that’s a crazy and stupid thing to do, did NOT get hacked, while the shared one DID. So, neither of us really ever recalls connecting to MyAlgo, and if we did, it was quite long time ago. I don’t think I’ve logged in to MyAlgo in months, possibly 9 months or a year? No idea. That’s why I was so surprised when I saw the transaction on Tuesday, because we keep the passphrase under lock and key at all times.

Edit: so I just logged in to MyAlgo, and yes, the account that got hacked is there, as a “Watch” account only though.

I have added there the tests… I think the coverage is quite high… Can you try again pls?

@tom.gnade @fabrice @Maugli

the preview is here: https://awallet-git-feature-twofactor-scholtz.vercel.app/

Can I get your feedback please?

1 Like

Hi, Ludo @scholtz ,
I have made some test on Algorand Testnet for your AWallet 2FA preview app,
by reproducing the steps in your AWallet 2factor tutorial video.

Used an Android Google Authenticator for the test.
The account name became: “Testnet Two Factor: AWallet-XXXX-YYYY”, where XXXX-YYYY is an identifier for the 2FA multisig account. It can be edited later to the Mulisig Account address (earlier version used Multisig Account Address here).

Everything went fine!


Full video on how to use 2FA account Wallet connect usage in AWallet - YouTube