Questions from the community and security of HashPack - Hedera Ecosystem hosted by HBAR Foundation

Article by

HashPack

In this excerpt from a Twitter Spaces session hosted by the HBAR Foundation, our CEO May Chan answers community questions about how to keep your wallet secure and what steps we take at HashPack to keep the wallet itself secure.

Transcription

hbarRo – Community Member (hbarRo7)
I'm wondering if any of the wallets have any plans to incorporate two-factor authentication?

HashPack – May Chan – Co-founder & CEO
We get asked this quite a bit, and there's actually a very good article by MetaMask on it. Basically, the idea of two-factor authentication doesn't quite apply to crypto wallets the way they are typically implemented in the space. That includes the wallets we use here in Hedera as well as Phantom wallet and MetaMask, all the ones where your private key exists on your device. The way two-factor authentication works is that if you're logging into Google, for example, or Facebook, or other platforms online, there's a database in those platforms that holds your password. The password is encrypted, and you can only access your account if you give your password to them, and then they check it. So the idea is that when you hand your password over, maybe someone stole your password, so they have to authenticate you in a second way, such as using the authenticator app on your device or an SMS message or something like that, so there's a second layer of security. But when you use a wallet in crypto, you're not providing a password to a third party across the Internet. Your password is actually on your device and never leaves the device, so anything you do on your wallet is secured specifically by the hardware, and there's nothing a third party can do to provide that two-factor authentication that protects your keys in a more secure way, because if your device is compromised to the point where the private key is somehow released, two-factor authentication isn't going to save that. That's a very good question, and there is definitely a MetaMask article on it that you can look up if you want to read more.

Hfdkr2000 – Community Member
Hello, and thank you for letting me speak, Brandon. This is a question for HashPack. I recently got into HashPack. I had all of my HBAR in an exchange, it was a large amount, and I put it all into HashPack. I took my 24-word phrase and put it in a safety deposit box. Is there any way of someone having access to my HBAR? Is there any way a hack could happen or anything like that?

HashPack – May Chan – Co-founder & CEO
This is a very good question for people who are coming into the space, who are trying to secure their keys and want to know what the risks around that are. I also keep my seed phrase in my deposit box at the bank, and also at home in a box (nobody heard that). The question is: is HashPack still on your computer or on your device?

Hfdkr2000 – Community Member
It's on my computer, so my MacBook.

HashPack – May Chan – Co-founder & CEO
If you were to delete HashPack off your MacBook, then all of the data would be gone from your device, and the only way someone could access your account would be by getting that seed phrase from your security box. There is an encrypted copy inside your MacBook which allows you to sign for things and use your wallet. So basically the seed phrase, the private key, is stored in an encrypted way inside your MacBook, and that is the way it could potentially be exploited: if someone steals your MacBook, then tries to grab the security data from it and brute-force your password on it, and therefore recovers your key. So because it exists on your device, I would say that there is a risk, but we have done everything we can to make that small. For example, it's on your MacBook, which I'm not sure does the secure enclave, but on iPhones and on Androids we use the secure enclave or the hardware-backed keystore on those devices, which biometrically secures your seed phrases on the device, and there's no way to actually steal them without compromising the security of your phone. So that is something we do.

HashPack – May Chan – Co-founder & CEO #Security inside of HashPack
I would also love to tell you a little bit about the security measures we use at HashPack to secure our wallet. On our team of five, one of our co-founders, whose name is Nick, is a Senior Application Security Engineer, and he holds the OSCP certification, which is a penetration testing certificate. His day job is basically doing code audits for enterprises and advising on software infrastructure risks. We use a lot of different tools, like SonarCloud for static analysis and Dependabot for third-party library analysis. We also use dynamic analysis tools such as ZAP and Burp Suite for automated and manual testing. These are all things that are very standard in the industry, and we use them to secure our app. Nick also internally audits every code change in the app, so basically we have a security professional checking the security of HashPack on a daily basis. We don't have an external audit yet, but we're planning to do one in Q1 2023. We wanted to make sure that both the iOS and Android apps were included in it, and we also have a few other things coming up that will be included in that audit, so that is why we've been taking our time, but that will come as well. Hopefully that information gives you a little bit of peace of mind around the security of our wallet and how we protect your keys.