This could be a huge security issue allowing users to access wallets with private key without logging in; Even though the team is trying to secure a successful token distribution with multi level verification between email and telegram the security issue lies in the fact a users machine could have key loggers, malware, or spyware.
if a machines computer is infected the url and private key is logged recording the exact website the key is used for.
being this secure you don't even have the 2fa working yet and your issuing tokens?
The solution should require user to login and implement 2fa in order to access the web wallet and tokens; this way if a hacker does have the private key at lease he can't access the web wallet without logging in.
Can you please report back on this.. If you lose your coins the team is sure not going to reimburse any token holders.
Two-factor authentication is working, but it's indeed not activated for web wallets. I will address your concern to the team and will get back to you.
According to the security team, there is no need/use to activate two-factor authentication for the wallets. The secret key should be sufficient. I suppose they can't just activate two-factor authentication on the web wallets, as it would require everyone to have a BOScoin account, even exchanges who are creating wallets on the fly.
Right; but until you release your official client where people can store their funds on other than a web wallet, the web wallet should require ALL users initially to login and set with 2fa so they can access web wallet.
Again any machine that has malware and keylogger I wish you the best..