Over the past weeks, the growth of XLM in price has also resulted in a growth in the number of Saza users and this has been good for the community. I have received various request for additional features on Saza. Today I will like to share some of the features I have been working on you. Introduction of a transaction passphrase This is a string chosen by the user to verify all its transactions. Note that this is different from the user password. Also this string is used to encrypt the secret key of an account before it is sent to the server for storage. As such the server never knows the real value of the secret key just the encrypted version. When you need to sign a transaction, the server sends the encrypted secret key, it is decrypted with the transaction passphrase and the secret key is used to sign the transaction. Signing of transactions in the browser Users have not been too comfortable with the transactions being signed on the server. Hence, I have totally rewritten the wallet and glad to announce that the new version of Saza will sign all its transactions in the browser. Once the transaction is signed, it is converted to an XDR string and this is sent to the server for submission to the network. 2-Factor Authentication You can now enable 2FA from the settings menu. It uses time based one-time passwords as tokens and these can be generated by syncing your device with the secret key provided using apps like Google Authenticator, Duo Security, Authy, etc. To enable 2FA, go to Settings > Enable 2FA Click on Enable to generate a secret Scan the QR code or enter the secret shown into your app Authenticate the token for the first time to activate. Once activated, all transactions will require the token before it is approved. Create Assets For users new to Stellar assets can be a bit confusing to wrap your head around. Especially how an asset/token is created. Now you can easily create your asset using Saza using a simple form. This was inspired by Jed's article on token creation. Test site: Saza wallet now has a test version. https://test.saza.com.ng https://test.saza.io It is exactly the same as the main site but all operations are on the test network. If you are already registered on the main site, you can login to the test site using the same credentials. Database has been reset so you will need to create an account NOTE: all the features mentioned above are currently being tested and are only available on the test site https://test.saza.com.ng https://test.saza.io for now. UPDATE All features also now available on the main site: https://saza.io 2FA also included in login process once enabled, account information will not be returned by the server except a valid token is provided. Thanks to @dzham for this suggestion. Added documentation: https://saza.io/faq.html New Domain: https://saza.io The old domain is redirected to this new one so federation requests should still work but will suggest that users using Saza federation should change their home domains to saza.io sooner rather than later

Saza Wallet Updates

kratos_ng

Over the past weeks, the growth of XLM in price has also resulted in a growth in the number of Saza users and this has been good for the community. I have received various request for additional features on Saza. Today I will like to share some of the features I have been working on you.

Introduction of a transaction passphrase
This is a string chosen by the user to verify all its transactions. Note that this is different from the user password. Also this string is used to encrypt the secret key of an account before it is sent to the server for storage. As such the server never knows the real value of the secret key just the encrypted version. When you need to sign a transaction, the server sends the encrypted secret key, it is decrypted with the transaction passphrase and the secret key is used to sign the transaction.
Signing of transactions in the browser

Users have not been too comfortable with the transactions being signed on the server. Hence, I have totally rewritten the wallet and glad to announce that the new version of Saza will sign all its transactions in the browser. Once the transaction is signed, it is converted to an XDR string and this is sent to the server for submission to the network.

2-Factor Authentication

You can now enable 2FA from the settings menu. It uses time based one-time passwords as tokens and these can be generated by syncing your device with the secret key provided using apps like Google Authenticator, Duo Security, Authy, etc. To enable 2FA,

go to Settings > Enable 2FA
Click on Enable to generate a secret
Scan the QR code or enter the secret shown into your app
Authenticate the token for the first time to activate.

Once activated, all transactions will require the token before it is approved.

Create Assets

For users new to Stellar assets can be a bit confusing to wrap your head around. Especially how an asset/token is created. Now you can easily create your asset using Saza using a simple form.
This was inspired by Jed's article on token creation.

Test site:
Saza wallet now has a test version. ~~https://test.saza.com.ng~~ https://test.saza.io
It is exactly the same as the main site but all operations are on the test network. ~~If you are already registered on the main site, you can login to the test site using the same credentials.~~
Database has been reset so you will need to create an account

NOTE: all the features mentioned above are currently being tested and are only available on the test site ~~https://test.saza.com.ng~~ https://test.saza.io for now.

UPDATE

All features also now available on the main site: https://saza.io
2FA also included in login process once enabled, account information will not be returned by the server except a valid token is provided. Thanks to @dzham for this suggestion.
Added documentation: https://saza.io/faq.html
New Domain: https://saza.io The old domain is redirected to this new one so federation requests should still work but will suggest that users using Saza federation should change their home domains to saza.io sooner rather than later

dzham

How do you do 2FA in a meaningful way in combination w/ in-browser signing?

kratos_ng

dzham Though the transaction is signed in the browser, It is submitted on the server.
So after it is signed, It is sent back to the server as an XDR string. If 2FA is enabled on the account, the server checks that it request has a valid OTP before submitting the transaction to the network.

dzham

What I mean with meaningful is in a way that's not just security theater.

What the original stellar.org web wallet did was meaningful. They hosted the encrypted private key, and if you didn't submit the correct 2FA response, they didn't even send it back to you. Username/password + 2FA

If you have the private key already, you can submit transactions, and the network won't stop you.

You can make 2FA on submits by adding a second signer that only signs if provided the correct 2FA response, but then you might as well just use a 2-of-2 multi-sig account.

kratos_ng

@dzham
Having 2FA as part of the login process is currently what I'm working on, so keys are not sent to the user if 2FA fails just as you described above. Regardless, the secret keys are encrypted with keys derived from PBKDF2 so the user still needs the password used in deriving the encryption key before they can sign transactions with the secret keys.

Agreed a multisig account will be more "secure" but I don't think it's the place of wallet to place such a restriction on the account. The owner of the account should be able to perform transactions outside the wallet if they so choose.

I think it might be best to advise the user on the benefits of a multisig account. They can have an account used just for signing and they keep that secret offline. When it is time to authorise a transaction, they can add the extra signer.

Maybe I can add that to the transaction forms; a place to enter extra keys required for signing.
thanks for the feedback... keep 'em coming ?

sacarlson

failed all methods of login on https://test.saza.com.ng/. first tried Oauth google failed, github failed others also tried and failed. so attempted create a new account with email. got link to activate it on my email but when I attempt to login I get image bellow. Also attempted to reset password failed. got the reset link in my email but the link only took me to the create login screen that again could not work.

https://stellar-public.slack.com/files/sacarlson/F66ULK401/screenshot_at_2017-07-12_14-07-20.png

fail image page

kratos_ng

sacarlson Thanks for testing this out, will have a look when I get the chance. I suspect github and twitter OAuth is failing because you cant specify multiple callback urls for either service and they are already linked to the main saza version. Google shouldnt fail though so will investigate that and the reset password feature more.

kratos_ng

Login issues should be fixed now. I reset the DB so you will have to create an account again. This way we can be sure that the login process is okay.
Site URL: https://test.saza.io
cc: sacarlson andre

andre

Hi, tried to login with email account, got verification email, did verification, tried to login but get invalid credentials. Would like to see more of this wallet....

kratos_ng

All features now on main site; https://saza.io
See updates in first post.

rafal

Hello!

This is very nice wallet, I love the fact that you can do each stellar operation on it (in the Account Operations submenu).

I also have a few suggestions for https://test.saza.io to make it better:
1. I think it would be better to put more emphasis on "Make a Payment" and "Send Lumens to email" actions. Currently these are just put with everything in the left panel (and even under "Create asset", which I think would be used very rarely), but I think these are most important ones. Maybe these need a big buttons on top of the page?
2. There are some small layout issues, fixing them would improve overall feel of the application - for example on Transactions page I have two "Show [x] entries" rows and two "Showing 1 to 1 of 1 entries" below the table with transactions.
3. I tried to change trust on one of my accounts, and I cannot just click row in "Trustlines" table on https://test.saza.io/change-trust page to get it to fill form on the right, this would make good UX to enable that.

Keep up the good work!

kratos_ng

rafal Hey, thanks for the feedback. Yes I do agree that those actions do require some more emphasis.
Just noticed the transactions issue, thanks for pointing that out.

I had actually thought about the action you described for the "change trust" and even "add anchors" pages, I agree it will be cool.
Will definitely add these to my to do and work on them in my spare time.