Context:
While testing Liana Wallet v14 RC, I noticed that wallets using a locally stored hot key (BIP39) can be accessed without requiring a password at application startup or before signing.
⚠️ Problem
For wallets using a hot key stored on the same device, there is no additional authentication layer before accessing or signing transactions.
This creates risks in scenarios such as:
- Unauthorized access to the device
- Malware or session hijacking
- Shared computers
Proposed Improvement: Add an optional password protection layer when:
- Opening the wallet
- Or before signing transactions
Option 1 (recommended): Password required on app launch if hot key is present
Option 2: Password required only when signing
Option 3 (advanced):
- Configurable:
  - Unlock wallet (view only)
  - Require password for signing
Security Considerations:
This does NOT replace, but adds a practical local protection layer for hot wallets.