How to set up and use wallet 2FA for transactions
How Vaultr's wallet 2FA independently protects every transaction with short-lived one-time challenges, OTP or biometric verification, and its own signing key.
Wallet 2FA in Vaultr is a transaction-signing safeguard that is fully independent of your login. Every sensitive wallet action issues a 64-byte one-time challenge (stored in Redis for 30 seconds) that you clear with a 6-digit OTP or a biometric signature from your registered device, producing a one-time-use JWT valid for 30 seconds. It is signed with its own key, so a stolen login session cannot move your funds.
Vaultr separates two ideas most apps merge: logging in, and authorizing money movement. Wallet 2FA governs the second. This article explains how it works and how to use it.
Why does Vaultr have a separate wallet 2FA?
Most wallets protect login and assume an unlocked session can do anything. Vaultr does not. Wallet 2FA is independent of login and is signed with its own key, separate from your login session.
The result: even if an attacker captures an active session, they still cannot send, swap, bridge, or release escrow without satisfying a fresh wallet-2FA challenge.
How does the wallet 2FA challenge work?
When you attempt a protected action, Vaultr generates a 64-byte one-time challenge and stores it in Redis with a 30-second TTL.
You then prove identity using one of two methods:
- OTP: a 6-digit code that is SHA-256 hashed and compared using a timing-safe comparison. It is valid for a 5-minute window and allows a maximum of 5 attempts; exceeding that limit triggers a 30-minute lockout.
- Biometric: an HMAC signature generated from your registered device.
When verification succeeds, Vaultr issues a one-time-use JWT valid for 30 seconds, which is consumed atomically in Redis so it cannot be replayed. The short TTLs and atomic consumption are what make replay attacks impractical.
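The OTP branch and the one-time token consumption described above, as an added example that is not Vaultr's own code. It assumes an in-memory dict in place of Redis, an opaque random token in place of the signed JWT, and that the lockout starts on the fifth failed attempt; the class and method names are hypothetical.

```python
import hashlib, hmac, secrets, time

MAX_ATTEMPTS, LOCKOUT_S, OTP_WINDOW_S, TOKEN_TTL_S = 5, 30 * 60, 5 * 60, 30

class Wallet2FA:
    """In-memory stand-in for the Redis-backed state (constructed for illustration)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.otp = {}     # user -> (sha256(code), expires_at, failed_attempts)
        self.locked = {}  # user -> locked_until
        self.tokens = {}  # token -> expires_at

    def issue_otp(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.otp[user] = (digest, self.clock() + OTP_WINDOW_S, 0)
        return code  # delivered out of band; only the hash is kept

    def verify_otp(self, user, code):
        now = self.clock()
        if self.locked.get(user, 0) > now:
            return None  # locked out: reject without looking at the code
        rec = self.otp.get(user)
        if rec is None or rec[1] <= now:
            return None  # no pending code, or the 5-minute window has passed
        digest, exp, fails = rec
        candidate = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(candidate, digest):  # timing-safe comparison
            fails += 1
            if fails >= MAX_ATTEMPTS:  # assumption: lock on the fifth failure
                self.locked[user] = now + LOCKOUT_S
                del self.otp[user]
            else:
                self.otp[user] = (digest, exp, fails)
            return None
        del self.otp[user]  # a code verifies at most once
        token = secrets.token_urlsafe(32)  # opaque stand-in for the signed JWT
        self.tokens[token] = now + TOKEN_TTL_S
        return token

    def consume_token(self, token):
        # pop() reads and deletes in one step, so a replayed token finds nothing.
        # With Redis the same effect needs a single atomic command such as GETDEL.
        exp = self.tokens.pop(token, None)
        return exp is not None and exp > self.clock()
```

Passing a fake `clock` lets you step time forward to exercise the 30-second token expiry and the 30-minute lockout without waiting.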
How do I use wallet 2FA when sending?
Wallet 2FA fits into the standard send flow:
- Choose the token.
- Enter the amount.
- Enter the recipient.