True facts about StellarX security:
- We don’t hold your assets. They live on-chain on the Stellar network, and you can access them at any time and through any Stellar client using your secret key.
- We don’t have access to your secret key. It’s encrypted on our server, and is decrypted as needed using your password and authenticated user session.
- We use tweetnacl.secretbox for authenticated encryption: its constant-time authentication check resists timing-channel attacks, and a successful decryption guarantees that the key has not been tampered with.
- We use scrypt to derive a key from your password before using it, with a unique salt for each user. This makes password cracking impractical in the event of a breach, provided you choose a reasonably strong password.
- We never put your secret key in local storage, in a cookie, or on disk unencrypted.
- We notify you whenever your account is accessed from a new IP.
- We provide you with a recovery code so that if you lose your primary authentication mechanism, you don’t permanently lose access to your Stellar wallet.
- We support MFA, and require you to use an authentication app rather than a phone number or email address as your second factor.
The default security setting is “Cache,” which means your Stellar secret key is cached in your browser, encrypted under a per-session key that is stored on our server. When you need to sign a transaction, your authenticated session is used to fetch the decryption key from the server, your Stellar secret key is decrypted in your browser and used to sign the transaction, and both the decryption key and the unencrypted Stellar secret key are then discarded. The cached encrypted Stellar secret key is never transmitted to our server, so we cannot access it.
You can change your security settings by navigating to “Security” under “Account Settings.”
If you change your settings to “Prompt”:
- Your Stellar secret key (encrypted with your password) will still be stored on our server, but never in your browser.
- The decryption key based on your password will never be transmitted to our servers.
- You’ll need to enter your password each time you send a payment or make a trade.
Soon, you will also be able to change your settings to “Ledger,” which will require you to use your hardware wallet to authorize transactions. We don’t yet support that option, but we’re working on it. For a list of other features we’re working on, check here.