Our Security

Our addresses require up to 5 signatures for every withdrawal: one of ours, and up to 4 of yours. Simply put: we do not have access to your coins.

This section tells you how we approach our systems' and users' safety, and provides guidelines for you to follow.

Distributed Trust: Customize your security

Our Distributed Trust (dTrust) framework helps you establish custom signature configurations for your addresses. This feature exponentially enhances your system's security compared to the single-signature addresses in general use today.

dTrust lets you add up to 4 keys next to the key we keep, and allows you to set your own signature requirement. You can then keep your keys on different machines or USB sticks, print them on paper, assign them to friends and family, run an escrow service, etc. In a high-security automated environment, you’d send your keys across the globe and store your secrets on different continents.

Moreover, you can use your dTrust addresses without using Block.io.

Basic multi-signature: Keep your coins safe

To withdraw from our basic (default) addresses, 2 keys are needed. Multiple signatures have a number of security benefits over single-signature (regular) addresses.

One key is held by you, to make sure you always sign off on every transaction.

The second key is held by Block.io, which enables us to provide extra security to you through API access restrictions and two-factor authentication.

With our double spend protection (through Green Address functionality) the second key also enables everyone that receives coins from a Block.io Green Address to spend them without having to wait for a large number of confirmations.

How we secure your data

Strong Encryption Standards

We encrypt all user secrets linked to your wallets through a 256-bit AES cipher and 25,000 PBKDF2 hash rounds. This makes cracking a single Secret PIN extremely resource-intensive, requiring over 1 million days on today's state-of-the-art computers!

Zero Knowledge of your Secrets

We do not know your Secret PIN, and could not recover it even if we tried. Your Secret PIN is never sent over the network.

We minimize use of Secrets

We use Multi-signature wallets built on top of Hierarchical Deterministic wallets (HD wallets), as outlined by the BIP0032 standard, to generate new addresses for your account without ever needing access to old or new addresses' private keys.

Security Best Practices

Our website and API libraries use up-to-date security standards such as BIP0062 and RFC6979.

Continuity, integrity, and transparency

Backups

Backups of all (encrypted) account data are made to "cloud servers" on 4 continents every hour.

Ongoing Security Audits

We work with over 1,000 security experts to discover hidden security issues before the bad guys do.

Account audits via the Block Chain

All addresses on our system are on-chain and that makes them publicly auditable through third-party Block Explorers. You can always verify your Block.io wallet balances are accurate using a block explorer of your choice.

Always-On Infrastructure

Our entire infrastructure is built to be redundant, eliminating all single points of failure. We target over 99.999% system availability.

Other ways we protect your security

  • Client-side signing

    We provide a growing number of libraries that allow you to sign your transactions yourself, outside of Block.io. We even help you build your own library in any language of your choice!

  • Third party verification

    The "Green Bar" showing our company name and jurisdiction promises you that you are on Block.io, not an imposter site.

  • No password systems

    None of our systems use passwords for access control, and all our internal systems are isolated from public access.

  • Highly available 24/7

    We target over 99.999% system availability.

What you can do

Being a user-facing service, Block.io needs your help in order to ensure your security. You, as the account owner, are responsible for the safety of your account credentials, including your API key, Secret PIN, and Secret Mnemonic. We recommend you follow these guidelines.

Use two-factor authentication.

We can make sure it's you who's logging into your Wallet by sending a code to your e-mail. You must use this code to log in if you have enabled two-factor authentication through your Wallet.

Do not share your secrets.

Your Secret PIN is the key that controls your coins, and your Secret Mnemonic is the only key to reset your Secret PIN in an emergency. You should never, ever share your Secret PIN and Secret Mnemonic with anyone.

Save your secrets offline.

Always store your Secret PIN and Secret Mnemonic in a safe place. Storing them in e-mail accounts or in unencrypted text files on your computers is definitely not recommended. If you do not know how to secure your Secret PIN and Secret Mnemonic electronically, just write them down on pieces of paper, and remember where you keep these pieces of paper!

Security for Developers

Don't share your API keys

Never give any untrusted party access to your API keys. If they have your API keys, they can impersonate you.

Never save Secrets in your app

Never store your API keys and Secret PINs in application configuration files or check them into version control. Use environment variables to specify this information instead and isolate your application into an exclusive user account.

Leverage Cutting-Edge Security

Use our dTrust framework to exponentially enhance your service's wallet security.

Restrict API access

Always specify IP addresses that can access your account(s) through the API. Do this from your Wallet.

Stay up-to-date

Always ensure you stay up-to-date on security threats in your operating systems and application frameworks. Regularly check for operating system updates.