Inputs.io: a high-security bitcoin web wallet?
UPDATE: Inputs.io is now closed after being hacked.
A number of bitcoiners have become rather disenchanted with their web wallets recently, what with a bug in Blockchain.info’s web wallet leading to the theft of around 50 bitcoins. On top of this, Android discovered a flaw that rendered generated bitcoin addresses unsafe.
With these events in mind, people are now more security conscious than ever. We've been taking a look at web wallet Inputs.io, which comes with a reassuring set of security features, to see whether it's what those in the bitcoin community are looking for.
While Inputs.io lacks a mobile app, it presents a clean-looking responsive design, which means it can reformat to fit any screen size, making it ideal for smartphone displays. The site's pop-up QR codes are also mobile-friendly as they allow for quick scanning by a secondary device. Developers should also note that Inputs.io offers API access for third parties.
As with other web wallets, Inputs.io gives you an overview of your account, along with dedicated pages for sending and receiving bitcoin (the wallet is currently bitcoin-only). Fortunately, the wallet discriminates between confirmed and unconfirmed funds, so you can determine whether or not your transactions are complete.
The receiving page of the Inputs.io website also states:
"We automatically mix your bitcoins to protect your privacy. This means that the balances on each address will be incorrect as seen from block explorers."
Inputs.io has put so much effort into authentication on the site that the casual user would be forgiven for being a little overwhelmed at everything they have to remember. In addition to a username and password, there's a PIN for authorising payments. Also there's a recovery key that is required when resetting the password and/or PIN. It's essential that this is not lost or your account cannot be recovered.
You can also use an additional layer of protection – a GPG fingerprint. If you activate this feature, you will be required to decrypt a piece of text as part of the login procedure.
In addition to the "Something you know" basic authentication factor, you can enable two-factor authentication using "Something you have". This involves the use of the Google Authenticator system. There's an Android app for this and there's even a compatible app on Windows Phones.
The overview page also gives you a short-URL to your user account, eg 1v.oi/username. The use of this is unclear given that there's no public-facing part of an Inputs.io account.
An additional unique feature offered by the site is embeddable payment buttons. Very similar to what you would find with PayPal and Flattr, where you can put a donation link, for instance, on your blog.
There is also an option to "swipe" private keys into your account, however, there's no apparent option to export or reveal the private key of an Inputs.io wallet. I was disappointed by this, but you can always withdraw your funds at least.
Overall, Inputs.io makes a very convincing wallet option. As noted, I'd like to see mobile apps and private key export, but as it is, it works very well. It's effectively free to use too, a fee of 0.0005 BTC is charged for outgoing transactions, which is there to cover "Bitcoin network fees, as well as other costs such as email sending, and additional wallet size created".
What do you make of Inputs.io? Let us know in the comments.
Could deflation cause problems for bitcoin?
Avalon's ASIC customers offered bitcoin refunds due to...