Decentralized exchanges — or more commonly known as DEXs — facilitate the peer-to-peer trading between two parties without a central authority, allowing users to remain as the sole custodian of their funds. However, despite security issues and being vulnerable to exchange hacks, users are still flocking to centralized exchanges because it’s the easiest way to start trading.

Compared to centralized exchanges, onboarding onto a DEX is not intuitive and is often seen as hard to use.

To start trading digital currencies on DEXs, users would have to own or create new wallets to the blockchain they are trading on. This becomes a huge hassle, and possibly daunting, for new users to even get started.

How does Switcheo Account work?

To combat these problems faced by existing DEXs, we created a new feature — Switcheo Account, a simple email and password login system, similar to that of a centralized exchange.

Without requiring a separate blockchain wallet or software, users can trade on all supported chains by simply signing up with their email and password, reducing friction for new users.

How is this non-custodial and decentralized?

With most centralized exchanges, when you send funds to an exchange address, the exchange becomes the custodian of your funds. However, when you send funds to addresses in Switcheo Account, you are sending funds to wallets you fully own, which are tied to your Switcheo Account.

When you create a Switcheo Account, a backup phrase (also known as mnemonic phrase) is generated at random and multiple blockchain wallets are created and tied to your account. With the mnemonic phrase, it is possible to generate the private keys to multiple addresses across different blockchains. Switcheo will never have access to your account.

Only you, the user, will know the words to the mnemonic phrase.

The password that you key in will be used to encrypt your mnemonic phrase. By creating a strong password, this makes it impossible to retrieve your mnemonic phrase from an encrypted mnemonic without knowing your original password.

During account creation, some of your login information will be stored on our server: your password hash, encrypted mnemonic, mnemonic hash and anti-phishing code.

Hashing is a one-way transformation, making it practically impossible to recover the original value from the hashed value (password/mnemonic). Anyone with access to the database will never be able to derive your original password or mnemonic phrase with the stored information.

Thus, you and only you, fully own the wallets that are tied to your Switcheo Account.

How is this secure?

At Switcheo, the security of our exchange and users’ funds has always been of utmost importance to us.

There are multiple layers of security in Switcheo Account to ensure that traders new to cryptocurrency trading will not get compromised. You will need to pass multiple layers of security checks before your encrypted mnemonics (backup phrase / secret key) is revealed to you.

Two-Factor Authentication (2FA)

Users will need to set up Two-Factor Authentication (2FA) before you can start trading. In order to access your encrypted mnemonic, you will need to provide two things: your password and 2FA code.

To prevent your account from being compromised by bad actors, after multiple failed login attempts, you will receive an email informing you of any suspicious activity to your account.

If your password is compromised, with the additional layer of security from setting up your 2FA, this provides you with ample time to withdraw your funds out of your account. The only way to change your 2FA is by providing your mnemonic phrase. This is never sent to our servers but instead, Switcheo verifies the mnemonic hash, and allows you to reset your 2FA.

Anti-Phishing Code

You will be asked to enter an anti-phishing code when you create your account. Since only Switcheo knows your anti-phishing code, you should only trust emails that has the anti-phishing code badge with the exact words that you have entered.

Switcheo will never ask you for any sensitive information, like your password, mnemonic phrase, or 2FA. On top of that, upon logging into the exchange, there is a warning to make sure users are on the right website url with the green secure padlock (https://switcheo.exchange). This helps to prevent phishing sites from stealing the credentials to your account.

Make sure you are on the right website URL.

IP Address Verification

When you verify your email after creating your account, we save your location, IP address, and mark it as trusted. Every time you log into your account, we will verify your location. If it is not trusted, you will need to enter the security code sent to your email before you can log in.

In the event that you have given access to someone else who knows your email, password, and 2FA, he will also need access to your email before he can access your Switcheo Account.

Multi-layer Verification

You will need to pass multiple layers of security checks before your encrypted mnemonic is revealed to you. Once we reveal the encrypted mnemonic, it is decrypted automatically using the same password, done on the front-end.

Multi-layer Trustless Encryption

The mnemonics stored on Switcheo are encrypted with your password that is key-stretched to a length suitable for encryption purposes. This means even Switcheo cannot access them. This is as even passwords are not sent to Switcheo (a hash of it is used as the actual password for Switcheo’s off-chain authentication).

On top of that, Switcheo has an additional layer of encryption performed through an isolated service that further encrypts this already-encrypted-mnemonic with a strong server-side encryption key before it is stored in our database.

This means that even in the unlikely event that Switcheo’s database is compromised, it would be impossible to gain access to even mnemonics encrypted with weak passwords through brute-force without Switcheo’s strong encryption key.

This entire process is similar to top-tier password managers such as LastPass and 1Password. We ensure that all hashing and encryption algorithms we use (such as bcrypt and triplesec) are appropriate and state-of-the-art.

Isolated Decryption

Once we reveal the encrypted mnemonic to the front-end, it is decrypted using your password, so that your wallet can be unlocked. This decryption is done fully on the front-end web application, without any network communication, protecting your valuable secret keys.