Correctly configuring your security settings

December 2018

Written by [name] (job)

Xiphos has a lot of important security settings. These security settings are not a necessity, and some people would rather not audit them at all. The security settings can restrict on which devices your account can be accessed from. This can be nauseating for some people, but using our security settings can make it harder for other people to access your account and thus are important to take a look at.
All of these following explanations apply to the setting that can be found /settings within the security settings tab.
Initial login
Upon opening your security tab, you will find that there are two sliders. These are for the devices that log in. There are three types of devices, unknown devices, low scoring devices and confirmed devices. When a device logs in, it will be given a hash defined by its identity, ability to authenticate and user defined settings. These scores will compared to the devices that are known to us and from that a score will be determent. Through this score the device category will be defined and the user defined authentication method will be requested from the client.
Trusted devices that score high enough will not be asked the extra authentication method.
Low-scoring devices will be requested to “mildly” extra authenticate their identity. And, after the authentication was successful, will be modified in our database.
Unknown devices will be asked to confirm their identity firmly, and afterwards will be added to your security settings list.
All these settings can be tweaked to be even firmer, or milder with the two sliders on the top.
The levels of security are defined from mild to firm (i.e. ask for password is the least secure and deny is the most secure).
Security sliders
The following extra security measures can also be defined:
Ask password /Nothing — do not take any action, apart from the defaults
Ask E-mail (and username) — ask to confirm both e-mail and username
Ask Security question(s) — ask the by user defined security questions
Confirm 2fa (Email) — confirm by 2-factor-authentication with the user given email address
For unknown devices the password is always requested, even if you have auto-login enabled. Low-scoring devices are treated the same as high-scoring devices, after they have successfully identified themselves with the user-specified security method.
Device global and specific settings
After a device is authenticated and added to our system, it will be visible in the device list. Here you can also find what kind of device it is (e.g the operating system and version), all the different browsers it has logged in with and when the device was last logged in.
Device settings for global devices
After a devices score is detirmed, checked and trusted. The device will go through the Device options wherein a couple of options can be determent to make logging in easier or harder.
Device settings for a specific device
These can also be defined specific to every device by clicking on the gears and checking custom settings.

Within the settings of the specific device, you can also choose to ban that device from logging in to your account. This will deny their access to your account regardless of their location, authentication score or browser.
The other settings that can be defined are as followed:
Auto-login — disposes the need for a password upon a trusted device.
Remember me — will not deteriorate your session after a certain time
Two-factor (mobile) — will require you to authenticate via a 2 factor authentication (toke) with a mobile application (E.g. google authenticate)
Require location — Will require you to send a API location answer directly from your device.*
*require location can only be enabled on a global scale due to usefulness of the function. This is also disabled by default in regards of the AVG security and privacy rules and must be enabled by the user.
We want your cryptocurrency to be as secure as possible, whilst still keeping the easy usage for everyone in mind. That is why we have adopted this system satisfying both the security heavy fanatics and simple traders. We hope you can fine-tune your line of security measurement and if there are any further questions, start a thread!