-
@ milo
2025-04-17 20:18:19This is my second article. I find the idea of using a user friendly 2FA-style code on a secondary device really fascinating.
I have to admit, I don’t fully grasp all the technical details behind it—but nonetheless, I wanted to share the idea as it came to mind. Maybe it is technical nonsense...
So here it is—feel free to tear the idea apart and challenge it! :)
Idea
This Article describes method for passphrase validation and wallet access control in Bitcoin software wallets using a block-based Time-based One-Time Password (TOTP) mechanism. Unlike traditional TOTP systems, this approach leverages blockchain data—specifically, Bitcoin block height and block hash—combined with a securely stored secret to derive a dynamic 6-digit validation code. The system enables user-friendly, secure access to a wallet without directly exposing or requiring the user to memorize a fixed passphrase.
1. Introduction
Secure access to Bitcoin wallets often involves a mnemonic seed and an optional passphrase. However, passphrases can be difficult for users to manage securely. This paper introduces a system where a passphrase is encrypted locally and can only be decrypted upon validation of a 6-digit code generated from blockchain metadata. A mobile app, acting as a secure TOTP generator, supplies the user with this code.
2. System Components
2.1 Fixed Passphrase
A strong, high-entropy passphrase is generated once during wallet creation. It is never exposed to the user but is instead encrypted and stored locally on the desktop system (eg. bitbox02 - sparrow wallet).
2.2 Mobile App
The mobile app securely stores the shared secret (passphrase) and generates a 6-digit code using: - The current Bitcoin block height - The corresponding block hash - A fixed internal secret (stored in Secure Enclave or Android Keystore)
Offline App - current block_hash and block_height scanned with qr code.6-digit code generation after scanning the information.
2.3 Decryption and Validation
On the desktop (e.g. in Sparrow Wallet or wrapper script), the user inputs the 6-digit code. The software fetches current block data (block_height, block_hash), recreates the decryption key using the same HMAC derivation as the mobile app, and decrypts the locally stored passphrase. If successful, the wallet is unlocked.
3. Workflow
- Wallet is created with a strong passphrase.
- Passphrase is encrypted using a key derived from the initial block hash + block height + secret.
- User installs mobile app and shares the fixed secret securely.
- On wallet access:
- User retrieves current code from the app.
- Enters it into Sparrow or a CLI prompt.
- Wallet software reconstructs the key, decrypts the passphrase.
- If valid, the wallet is opened.
4. Security Properties
- Two-Factor Protection: Combines device possession and blockchain-derived time-based data.
- Replay Resistance: Codes change with every block (~10 min cycle).
- Minimal Attack Surface: Passphrase never typed or copied.
- Hardware-Backed Secrets: Mobile app secret stored in non-exportable secure hardware.
5. Future Work
- Direct integration into Bitcoin wallet GUIs (e.g. Sparrow plugin)
- QR-based sync between mobile and desktop
- Support for multiple wallets or contexts
6. Conclusion
This approach provides a balance between security and usability for Bitcoin wallet users by abstracting away fixed passphrases and leveraging the immutability and regularity of the Bitcoin blockchain. It is a highly adaptable concept for enterprise or personal use cases seeking to improve wallet access security without introducing user friction.