Our addresses require up to 5 signatures for every withdrawal: one of ours, and up to 4 of yours. Simply put: we do not have access to your coins.
This section tells you how we approach our systems' and users' safety, and provides guidelines for you to follow.
Our Distributed Trust (dTrust) framework helps you establish custom signature configurations for your addresses. This feature exponentially enhances your system's security compared to the single-signature addresses in general use today.
dTrust lets you add up to 4 keys next to the key we keep, and allows you to set your own signature requirement. You can then keep your keys on different machines, USB-sticks, print them to paper, assign to friends and family, run an escrow service, etc. In a high-security automated environment, you’d send your keys across the globe and store your secrets on different continents.
Moreover, you can use your dTrust addresses without using Block.io.
To withdraw from our basic (default) addresses, 2 keys are needed. Multiple signatures have a number of security benefits over single-signature (regular) addresses.
One key is held by you, to make sure you always sign off on every transaction.
The second key is held by Block.io, which enables us to provide extra security to you through API access restrictions and two-factor authentication.
You should always retain backups of both these keys.
We encrypt all user secrets linked to your wallets through a 256-bit AES cipher and 25,000 PBKDF2 hash rounds. This makes cracking a single Secret PIN extremely resource intensive, requiring over 1 million days on state-of-the-art computers today!
We do not know your Secret PIN, and could not recover it even if we tried. Your Secret PIN is never sent over the network.
We use Multi-signature wallets built on top of Hierarchical Deterministic wallets (HD wallets), as outlined by the BIP0032 standard, to generate new addresses for your account without ever needing access to old or new addresses' private keys.
Our website and API libraries use up-to-date security standards such as BIP0062 and RFC6979.
Backups of all (encrypted) account data are made to "cloud servers" on 4 continents every hour.
We work with over 1,000 security experts to discover hidden security issues before the bad guys do.
All addresses on our system are on-chain and that makes them publicly auditable through third-party Block Explorers. You can always verify your Block.io wallet balances are accurate using a block explorer of your choice.
Our entire infrastructure is built to be redundant, eliminating all single points of failure. We target over 99.999% system availability.
We provide a growing number of libraries that allow you to sign your transactions yourselves, outside of Block.io. We even help you build your own library in any language of your choice!
All traffic between Block.io and you is encrypted over SSL.
None of our systems use passwords for access control, and all our internal systems are isolated from public access.
Being a user-facing service, Block.io needs your help in order to ensure your security. You, as the account owner, are responsible for the safety of your account credentials, including your API key, Secret PIN, and Secret Mnemonic. We recommend you follow these guidelines.
We can make sure it's you who's logging into your Wallet by sending a code to your e-mail. You must use this code to log in if you have enabled two-factor authentication through your Wallet.
Your Secret PIN is the key that controls your coins, and your Secret Mnemonic is the only key to reset your Secret PIN in an emergency. You should never, ever share your Secret PIN and Secret Mnemonic with anyone.
Always store your Secret PIN and Secret Mnemonic in a safe place. Storing them in e-mail accounts or in unencrypted text files on your computers is definitely not recommended. If you do not know how to secure your Secret PIN and Secret Mnemonic electronically, just write them down on pieces of paper, and remember where you keep these pieces of paper!
Never give any untrusted party access to your API keys. If they have your API keys, they can impersonate you.
Never store your API keys and Secret PINs in application configuration files or check them into version control. Use environment variables to specify this information instead and isolate your application into an exclusive user account.
Use our dTrust framework to exponentially enhance your service's wallet security.
Always specify IP addresses that can access your account(s) through the API. Do this from your Wallet.
Always ensure you stay up-to-date on security threats in your operating systems and application frameworks. Regularly check for operating system updates.