Authentication for fund transfer (Current security flaw)

Dear Dfinity Team,

I hope this message finds you well.

I would like to raise a concern regarding the current security model in the Network Nervous System (NNS) and other wallets on the Internet Computer. As it stands, no authentication is required for transferring funds between accounts, which may leave users vulnerable.

If a malicious actor—such as a hacker or thief—gains access to a user’s device while they are logged into the NNS or other apps like Oisy or ICS, there is currently no additional layer of authentication needed to authorize a fund transfer. This could lead to unauthorized transactions and significant losses.

To mitigate this risk, I would like to propose that Dfinity consider implementing an option for users to enable additional authentication for fund transfers. A solution like a passkey or at least a PIN, similar to what OpenChat has implemented, would provide an added layer of security and peace of mind for users.

I believe this would enhance the overall security of the platform and protect users’ assets from potential threats. I appreciate your consideration of this suggestion and look forward to hearing your thoughts on this matter.

As a pioneer of web3, if Internet computing really grows up, the wealth of SSN processing will be huge, and security must be the primary consideration. Similar to the current BTC, BTC only has payment and storage functions, which supports a huge market value. Although ICP does not focus on payment and storage functions, this basic feature is essential. Therefore, security is also of utmost importance. Otherwise, which institution can invest a large amount of funds in IC’s network?
This security issue has not been the focus of the Internet Computer Foundation, but it is no longer a concern of one person. Hope the above proposal is adopted and can be emphasized and strengthened.