Closed Bosch-0 closed 2 years ago
Add content around hiding home screen balances: https://github.com/BitcoinDesign/Guide/issues/578
For these revision pages the images should also be generally updated:
I would not remove the grey area. I remember trying this a while back and it not looking good. IIRC, it had something to do with CSS shadows working best with rounded rectangles and it looking goofy on this more complex shape.
Second thing is that it's a mess to deal with in Figma because you need to set up a mask for every screen, which is problematic with fixed-position elements like the top bar and the home indicator bar. Requires you to wrap the whole screen design in another frame, just for the mask.
The whole part about "Hiding sensitive information" should be moved to the Wallet privacy page.
Information about watchtowers will be added to this page in #798.
The security checklist paragraph can be made more specific to lightning (watchtowers, rename key backup to backup as it will also include channel data). We can move the privacy checklist screen to the privacy page.
My review of this page
Security & privacy checklists section
Reminders & recommendations section
Preventing unwanted access section
Blocking critical activity section
Hiding Sensitive Information section
Content to add
Anything else? I imagine more LSP stuff may be necessary but these are my thoughts for now.
Phew, that's a long list. Nice and thorough.
A distinction to consider would be security stuff related to the particular technical specs of the product vs user action.
Info around backing up channel states (LSP option, automatic cloud, manual)
@Bosch-0 better suited for the backup section, perhaps? Sounds like overlapping content.
Not sure how often you are incapacitated, but that doesn't seem like a broad concern.
@GBKS I think that "how often are you incapacitated?" is the wrong question to ask. The correct question to ask is "if you are incapacitated, what damage is an attacker capable of?" In fancier words, the risk calculation has more than one variable. It's not just "probability of X occurring", it's also "value of damage inflicted if X happened to occur". Both of these variables must be weighed for one to make a risk assessment.
that doesn't seem like a broad concern
Correct, it's not a broad concern for most people. Maybe that's the problem we're trying to solve for.
However, I agree that perhaps the biometric convenience may be a reasonable trade-off for a certain amount of funds. If that's the case, maybe we should talk about that? Let's talk about putting spend limits for biometrics in this section of the Guide.
I'd just consider that the app operates in the context of smartphone security. An attacker still has to be able to unlock the phone in the first place, which the user can make as hard as they want. Also, Face ID on iOS does check for attention, meaning a user's eyes have to be open and looking at the screen. There seems to be support on at least some Android devices.
@Bosch-0 better suited for the backup section
Yeah would be better there
I think biometrics are just fine for the daily spending wallet that is not supposed to hold large amounts of funds.
It's too hard to define what is and isn't a large piece of value to someone.
Biometric data is not as secure or private as a PIN or password is; they should not be safeguarding a bearer asset like bitcoin. It goes against our privacy principle imo. https://www.ipswitch.com/blog/3-reasons-biometrics-are-not-secure
Biometrics also mean dummy accounts are not possible - you can't have two faces! You need to be using a PIN / password / pattern for this.
I'd just consider that the app operates in the context of smartphone security.
Bitcoin storage warrants higher security than a smartphone.
I agree with the comments that using biometrics for a spending wallet/small amounts is perfectly fine. Reasonable defaults can be made and certain UIs will allow users to adjust the threshold.
Also the Block wallet will have a biometric fingerprint sensor on the hardware device which is intended for storing savings. A thief would need to obtain a person's phone, break into the location storing their hardware wallet, and compromise the authentication of both devices.
While biometric sensors have risks, they have benefits too. They improve availability in case a user forgets their PIN (and thus loses their funds). This is probably far more likely than a physical theft.
IMO the design guide should not be as extreme as recommending to never use biometrics but instead describe the tradeoffs.
The current Security page in Daily spending wallet is more of a general overview of wallet security and isn't specific to a daily spending wallet. We should make the content of the page specific to daily spending wallets and add some UI designs illustrating the concepts.
Some of the more general content may be more suited for a Security page in the How it works section which covers the technology / general considerations outside of specific contexts like a daily spending wallet. Though this is an issue for another time.
Page: https://bitcoin.design/guide/daily-spending-wallet/security/