I decided to write this post because there is a lot of confusion on how the DEX handles security and what the different models mean.
Let's start this off by mentioning the basics. DEX means Decentralised Exchange.
The key word here is DECENTRALISED. There is no central server performing authentication, no central authority that EVER sees your private keys or your wallet.
Both the reference web wallet and reference wallet application (as well as the various gateway branded versions of them) run LOCALLY on your computer.
The web wallet simply downloads a web application (the reference wallet) from the internet and then runs it locally in your browser.
The wallet (web and standalone) then communicates DIRECTLY with the various API nodes, and only SIGNED transactions and operations are sent through the network. The signing itself takes place locally on your computer and keys are NEVER, I repeat NEVER, sent through the network.
Clear enough I think.
Now let's continue.
The wallet model is pretty much the same as any other cryptocurrency wallet (think the standard Bitcoin client, Electrum, etc.).
You choose your wallet file from your computer (which contains encrypted keys), unlock it with your password and perform transactions.
A wallet can contain multiple account entries, each with its own set of keys similar to other cryptocurrency wallets.
The main difference is that the Bitshares wallet (web or otherwise) ALSO provides exchange functionality and not just transactions.
The subtle difference is that while in other cryptos there is a 1-1 relation between Private Key and Address, in BitShares there is an "account name" (address) which abstracts this.
In fact, each account name has 3 private key types (all of which can have multiple entries and can be changed):
An active key that has full access over the account (but cannot change the owner key)
An owner key that is the absolute master key
And a memo key that is used to decrypt memos in transfers
When you create an account in Wallet Model, one set of those 3 keys is randomly generated (locally) for that account and is then backed up to your wallet file and encrypted with the password you choose. Hence you need the wallet file in order to gain access to the private keys.
When you create an account in Account Model, the set of those 3 keys is derived from the password you choose through a standard one-way hashing function. This is why a very long/complex password is auto-generated for convenience; in return, it allows you to regenerate those keys on the fly anywhere simply by entering your password. Still, the keys are NEVER stored or transmitted anywhere online.
However, since in Account Model your password corresponds to one set of keys, you can only use one account at a time.
Seeing as account keys can be changed, you can always set things up so your wallet contains multiple accounts, each of which has a set of keys derived from a password (from the Cloud Wallet tab, when you select View Keys for the account in question under Settings -> Accounts). This lets you keep a wallet file with all your accounts and their keys encrypted, while also allowing cloud access to one or more of those accounts via the seed password.
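As an added illustration (not code from the original post or from the BitShares project), here is a small Python sketch of the two models side by side: in Account Model the three role keys fall out of a one-way hash of the password, so they can be regenerated anywhere; in Wallet Model they are random and exist only in the wallet file. The seed layout sha256(account_name + role + password) is my assumption, modelled on the reference JavaScript wallet's generateKeyFromPassword, and the digest is left as hex rather than encoded as a real BitShares private key.

```python
import hashlib
import secrets

# The three key roles the post describes; the strings are assumed to match the reference wallet.
ROLES = ("owner", "active", "memo")


def derive_role_keys(account_name: str, password: str) -> dict:
    """Account Model: every role key is a one-way hash of (account name, role, password).

    Nothing is stored: the same inputs always reproduce the same keys, which is
    exactly why the password must be long (it is the only secret).
    Assumption: seed layout mirrors sha256(account_name + role + password).
    """
    keys = {}
    for role in ROLES:
        seed = f"{account_name}{role}{password}".encode("utf-8")
        keys[role] = hashlib.sha256(seed).hexdigest()  # 32-byte private scalar as hex
    return keys


def generate_wallet_model_keys() -> dict:
    """Wallet Model: keys are random, so they live only in the (encrypted) wallet file.

    Lose the file or its password and there is no input from which to re-derive them.
    """
    return {role: secrets.token_hex(32) for role in ROLES}


def is_acceptable_cloud_password(password: str, min_len: int = 32) -> bool:
    """Sanity check for a user-chosen seed password.

    The reference wallet auto-generates a long password for a reason: anyone who
    learns the password (or can guess it) can regenerate all three keys.
    """
    return len(password) >= min_len


def regenerate_matches(account_name: str, password: str, stored_public_hint: dict) -> bool:
    """Simulate 'logging in' on another machine: re-derive and compare against known keys."""
    return derive_role_keys(account_name, password) == stored_public_hint
```

The comparison in regenerate_matches stands in for what the real wallet does with public keys on chain; here it just demonstrates that the derivation is deterministic.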
Once again, the important thing to remember is that there is NO central authority that holds your Private Keys. If you lose your wallet file, lose its password, or lose the seed password (if you're using cloud model keys), there is NO WAY to get your private keys back.
Since there is no centralised authority, there is no Google Authenticator-type 2FA either.
If you want slightly more peace of mind, you may want to consider a multi-sig account, but I'll leave that for part 2.