Board index Bitcoin Qt Bitcoin Trader Secure API keys transfer without user interaction method.

Secure API keys transfer without user interaction method.

Qt Bitcoin Trader is open source application that helps you open and cancel BTC-e, Bitstamp, BTCChina, Bitfinex, GOC.io orders very fast. Real time data monitoring.


Posts: 11
Location: Ukraine

Russian

There is a problem with any bot that uses API keys for new users.
It is usual for users enter login and password on websites, but API key is something unusual for them.

To start trading on exchange using web interface user should do this steps (required):

1) Register on exchange website
2) Confirm email address
3) Login and trade via web interface

To start trading on Qt Bitcoin Trading user should do this steps:

1) Login to exchange website.
2) Find section where he can get new API keys (unique for each exchange).
3) Generate new API keys, define rights.
4) Open Qt Bitcoin Trader and chose exchange.
5) Copy this API keys to Qt Bitcoin Trader.
6) Create Qt Bitcoin Trader profile.

I want to make this process much more easier. It very important to keep secure data transfer and don't use exchange account password at all.

Using new method users will need to do following steps:

1) Open Qt Bitcoin Trader and chose exchange
2) Enter exchange login/email and create Qt Bitcoin Trader profile password.
3) Click on email url that received shortly

Profs

1) User will need to bypass only 3 simple steps instead of 6 complicated.
2) In fact we trust that user was authenticated to email using secure password, so it not required to make more validations.
3) Exchange password is never used and not entered, it means it can't be stolen.
4) There is no chance to make fake exchange page and steal API keys.
5) API keys was not copied to client clipboard, wasn't entered on keyboard, and can't be stolen or captured.
6) Exchange is not required to change existing API server.

Cons

1) Exchange should start additional API server.

More details. How it works?

When user enter exchange email and press create Qt Bitcoin Trader profile than application connecting to API specially designed for Qt Bitcoin Trader and send request to create new temporary API keys, it receive API keys immediately.
This api keys stays suspended until email confirmation for 24 hours, than deleted.
If user start Qt Bitcoin Trader profile without email confirmation warning will be displayed.
If there was more than 1 request per hour from single IP address, than while sending email to exchange, exchange tell app to view captcha.
After clicking on email link, exchange website with special page should be open and display time and IP address of client who sent API keys validation request and one more confirmation button.
Once email confirmation done, API keys and Qt Bitcoin Trader become works.

Exchange should create one more API server that will hold all temporary API keys and send email validation url.
Once email url clicked and verified, API server should send API keys to main server and activate this API keys.

Return to Qt Bitcoin Trader

cron