Xaman Help Center
2FA and Xaman

Understanding Two-factor authentication (2FA)

What is 2FA?

Two-factor authentication (2FA) is a security process in which users provide two different authentication factors to verify themselves. Two-factor authentication provides a higher level of security than single-factor authentication (SFA), in which the user provides only one factor -- typically, a password or passcode.

Are there different types of 2FA?

Some 2FA methods are:

  • OTP (one time passcode) over SMS

  • Out of Band SMS

  • Google Authenticator

  • Mobile Authentication

  • Push Notification

  • Soft Token

  • OTP (one time passcode) over Email

  • Out of band email

  • Display Hardware token

  • Yubikey hardware token

  • Security Questions (strictly a second knowledge factor, so weaker than the device-based methods above)

  • Phone verification

  • Voice verification

The XRP Ledger and 2FA

Code-based 2FA (the 6 digit codes produced by Google Authenticator and similar apps) relies on a “shared secret”.

For example, when Google asks you to enter a 6 digit code to access your account, you and Google hold the same secret, and both sides use it to “derive” the codes from the current time.

The trick is that the secret itself is never sent, only the codes are, and each code is valid for a short window. An attacker who sees a code cannot recover the secret, so they cannot generate the next one.

This works well on a centralized service like Google, because Google holds the secret and checks your codes. It does not work on the XRP Ledger: the ledger is public, so there is nowhere to keep a secret that validators could check codes against without everyone else being able to read it too. In order to implement 2FA, the XRPL would need a centralized third party to hold the secret and "control" access, which does not make sense on a public, decentralized blockchain. (It would be adding a centralized system on top of a decentralized one.)

You might think that multi-signing accomplishes the same thing as 2FA, since you can require two or more signers to authorize a transaction. It only simulates 2FA, and only if the signing keys live on separate devices that are not kept in the same location; two signer keys on the same phone are, in practice, a single factor.
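To make the multi-signing comparison concrete, here is an added example (not Xaman or XRPL Labs code) of the two XRPL transactions a 2-of-2 setup needs and of how the quorum rule is evaluated. The addresses are constructed placeholders. The point it illustrates is that the ledger only counts weights: it has no way to know whether the two keys sit on different devices, and unless the master key is also disabled with an `AccountSet` carrying `SetFlag` 4 (`asfDisableMaster`), the master key alone still authorizes transactions and the quorum is never enforced.

```python
# Added example: XRPL SignerListSet / AccountSet shapes and the quorum rule.
# Not Xaman or XRPL Labs code. Addresses below are constructed placeholders.
from typing import Dict, Iterable

ASF_DISABLE_MASTER = 4  # AccountSet SetFlag value: disable the master key


def build_signer_list_set(account: str, signers: Dict[str, int], quorum: int) -> dict:
    """SignerListSet transaction: a transaction is multi-signed when the
    summed SignerWeight of the accounts that signed reaches SignerQuorum."""
    if not 1 <= len(signers) <= 32:
        raise ValueError("an XRPL signer list holds 1 to 32 entries")
    if quorum < 1 or quorum > sum(signers.values()):
        raise ValueError("quorum must be reachable with the given weights")
    return {
        "TransactionType": "SignerListSet",
        "Account": account,
        "SignerQuorum": quorum,
        "SignerEntries": [
            {"SignerEntry": {"Account": addr, "SignerWeight": weight}}
            for addr, weight in signers.items()
        ],
    }


def build_disable_master(account: str) -> dict:
    """AccountSet that disables the master key. Without it the master key
    alone still authorizes transactions, so the signer list adds nothing."""
    return {"TransactionType": "AccountSet", "Account": account,
            "SetFlag": ASF_DISABLE_MASTER}


def quorum_met(signer_list_set: dict, signing_accounts: Iterable[str]) -> bool:
    """Sum the weights of the distinct accounts that actually signed."""
    weights = {e["SignerEntry"]["Account"]: e["SignerEntry"]["SignerWeight"]
               for e in signer_list_set["SignerEntries"]}
    total = sum(weights.get(acct, 0) for acct in set(signing_accounts))
    return total >= signer_list_set["SignerQuorum"]


def transaction_authorized(signer_list_set: dict, master_disabled: bool,
                           signed_by_master: bool,
                           signing_accounts: Iterable[str]) -> bool:
    """Simplified XRPL rule: a single master-key signature is enough unless
    the master key is disabled; otherwise the signer quorum must be met."""
    if signed_by_master:
        return not master_disabled
    return quorum_met(signer_list_set, signing_accounts)


if __name__ == "__main__":
    owner = "rOwnerPLACEHOLDER"                     # constructed placeholder
    phone_key, card_key = "rPhoneKeyPLACEHOLDER", "rCardKeyPLACEHOLDER"
    sl = build_signer_list_set(owner, {phone_key: 1, card_key: 1}, quorum=2)
    print(sl)
    print(build_disable_master(owner))
    print("phone only:", quorum_met(sl, [phone_key]))
    print("phone + card:", quorum_met(sl, [phone_key, card_key]))
```

`quorum_met` deduplicates signers, so signing twice with the same key does not reach the quorum; but it cannot tell whether `phone_key` and `card_key` are held on one device, which is exactly the "only simulates 2FA" caveat.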

Xaman uses "4FA"

Consider the following requirements to get access to your XRP Ledger account managed with Xaman:

1) physical access to your phone

2) some way to unlock your phone

3) some way to access Xaman (could be the same as #2, e.g. FaceID / Fingerprint, passcode)

4) some way to sign transactions on your account (optional extra security using a configured password)

We cannot control the first two. You are responsible for your phone and for keeping it safe, and for choosing a secure password or biometric to unlock it.

However, let's say that someone has acquired your phone and somehow circumvented your password and now has full access to it.

An attacker launches Xaman and tries to guess your 6 digit passcode. Six digits gives only 1,000,000 possible combinations (000000, 000001, 000002 -> 999997, 999998, 999999), so at a rate of one passcode per second they would have tried all of them after about 11 days... except for one small countermeasure we implemented. Xaman only allows 5 attempts before the app starts to add a waiting time before the next attempt. After the ninth wrong entry, Xaman requires a delay of 2 hours before you can try again. That means 12 attempts per day. Now, instead of about 11 days to try all of the possible combinations, it would take about 83,333 days to try them all... or about 228 years (on average the right code turns up half way through, which is still over a century).

However, let's say someone manages to guess your 6 digit passcode in under 228 years. Now they have to figure out your signing password. Honestly, how hard can that really be? Well, the maximum length of a signing password is, for all practical purposes, unbounded: the limit is 2,091,752 terabytes. In other words, you could make your password so long that it would take up all of the storage space on your 512GB phone and about 4 million other 512GB phones before you ran out of space to store it. What actually matters is not the length you could use but how unpredictable the password you did choose is.

Provided you selected a strong signing password, this could take a while to guess.
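The arithmetic above, as an added example (not Xaman code): the worst-case time to exhaust the 6 digit passcode space with and without the lockout, and the keyspace of a signing password. The page states 5 free attempts and a 2 hour delay from the ninth attempt on; the delays before attempts 6, 7 and 8 are my assumption and are labelled as such in the code. The guess rate used for the password calculation is an illustrative assumption for an attacker who faces no rate limit at all.

```python
# Added example: brute-force cost with and without the lockout described
# above. Not Xaman code. The delays before attempts 6, 7 and 8 are an
# assumption (the text only says the app "starts to add time" after 5
# attempts and states 2 hours from the ninth attempt on).
import math
from typing import Sequence

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

ASSUMED_RAMP = (60.0, 300.0, 900.0)   # delays before attempts 6, 7, 8 (assumed)
STATED_LOCKOUT = 2 * 3600.0           # stated: 2 hours before attempt 9 onward


def exhaust_seconds(keyspace: int, free_attempts: int = 5,
                    ramp: Sequence[float] = (), steady_delay: float = 0.0,
                    entry_seconds: float = 1.0) -> float:
    """Worst-case seconds to try every candidate once under a lockout
    schedule: `free_attempts` with no delay, then the `ramp` delays one by
    one, then `steady_delay` before every remaining attempt."""
    delayed = max(0, keyspace - free_attempts)
    ramped = min(delayed, len(ramp))
    waiting = sum(ramp[:ramped]) + max(0, delayed - len(ramp)) * steady_delay
    return keyspace * entry_seconds + waiting


def passcode_days_without_lockout(digits: int = 6) -> float:
    return exhaust_seconds(10 ** digits) / SECONDS_PER_DAY


def passcode_years_with_lockout(digits: int = 6) -> float:
    return exhaust_seconds(10 ** digits, ramp=ASSUMED_RAMP,
                           steady_delay=STATED_LOCKOUT) / SECONDS_PER_YEAR


def entropy_bits(keyspace: int) -> float:
    """Strength is the size of the space a guesser must search, in bits."""
    return math.log2(keyspace)


def expected_offline_years(keyspace: int, guesses_per_second: float) -> float:
    """Average time (half the keyspace) for an attacker with no rate limit."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"6 digits, no lockout : {passcode_days_without_lockout():.1f} days")
    print(f"6 digits, with lockout: {passcode_years_with_lockout():.0f} years")
    # 12 characters from a 72-symbol set (assumed strong password) at an
    # assumed 1e10 guesses/s with no lockout at all:
    pw_space = 72 ** 12
    print(f"password entropy: {entropy_bits(pw_space):.1f} bits, "
          f"~{expected_offline_years(pw_space, 1e10):,.0f} years on average")
```

The lockout turns a 6 digit passcode from an 11 day job into a multi-century one, but it only helps against guesses made through the app; the signing password is what has to stand on its own keyspace, which is why a long, random one is worth far more than a long, predictable one.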

Problems with 2FA

2FA only works when:

  • You have a centralized system (Google, Twitter, exchanges, you name it)

  • You are registered and need to log in (via email / user name)

It also only helps if the second factor lives on a separate device, i.e. NOT on the same smartphone you are logging in from. If you receive your 2FA code via SMS on your phone and someone has your phone, 2FA won't help. The main weakness is the dependency on the service provider: even without access to your phone, if your 2FA code is delivered via SMS, all someone needs to do is take over your phone number (a "SIM swap"), which is easier than you might think. Xaman, which keeps your keys on your device and involves no login with a service provider, has none of these issues.

Ok, what do you recommend I do then?

XRP Ledger accounts created using Xaman are already very safe, but we certainly understand the desire to maximize the security of your account. That is why we partnered with Tangem to create a hardware wallet to our specifications: the Xumm (Tangem) card.

If you are interested in learning more about the cards, check out this article:


All about Xumm (Tangem) cards

Unlike other hardware wallets, a Xumm (Tangem) card is light, fits easily into a physical wallet or purse and interfaces with Xaman to make it convenient and easy to use. The card contains a security chip and uses NFC (near field communication) to interact with your mobile device. The chip generates an account secret for an XRPL / Xahau account while being powered over NFC by your iOS/Android device. This means the cards are shipped without an account secret on them; the secret can only be generated on the card, by the owner of the card. The chip used in Xumm (Tangem) cards offers bank grade security and has been fully audited.