Author

Topic: 2-Factor Authentication on BTC-e - Confused (Read 3775 times)

full member
Activity: 219
Merit: 100
August 14, 2014, 03:19:56 AM
#11
take a ticket on BTC-e support will help you
member
Activity: 66
Merit: 10
Does anyone know where you actually enter the seed code on google 2fa?
sr. member
Activity: 1097
Merit: 310
Seabet.io | Crypto-Casino
February 04, 2014, 12:55:53 AM
#9
These two pieces of data are combined and hashed in a specific way to yield a 6 digit number that you use to log in. There is no challenge from BTC-e. When you log in, instead of just entering your email and password, you also have to enter the 6 digit number that changes every 30 seconds.

Does that mean that my workstation and the BTCe server's clocks need to be within 30 seconds of each other ? Surely BTC-e must "calculate" the correct response it expects from me and if the 2 clocks are out (my terminal and the web server) then the keys won't match. Have I missed something here ?

(By the way thanks very much for your patience and informative responses so far - much appreciated. I actually almost understand it now !  Cheesy )


Don't worry there is some overlapping time lag. In those time window, both codes are valid. Why don't you try?
legendary
Activity: 3066
Merit: 1188
February 03, 2014, 07:33:00 PM
#8
These two pieces of data are combined and hashed in a specific way to yield a 6 digit number that you use to log in. There is no challenge from BTC-e. When you log in, instead of just entering your email and password, you also have to enter the 6 digit number that changes every 30 seconds.

Does that mean that my workstation and the BTCe server's clocks need to be within 30 seconds of each other ? Surely BTC-e must "calculate" the correct response it expects from me and if the 2 clocks are out (my terminal and the web server) then the keys won't match. Have I missed something here ?

(By the way thanks very much for your patience and informative responses so far - much appreciated. I actually almost understand it now !  Cheesy )
hero member
Activity: 728
Merit: 500
February 01, 2014, 06:42:30 PM
#7
Ah, so I had it the wrong way around. It's the BTC-e site that gives you the "seed" key for the authenticator. Is that right ?
Yes.

Quote
I then need to screenshot this "seed key" so that if I loose my device I can set it up on another one.
Correct. Many people forget this step and have difficulties getting access to their account back when they lose their phone or whatever. I have taken the habit to print the page that shows the secret key and then scan the QR code with my smartphone from the print.

Quote
Then I stick that in the authenticator and it replies with another code which I feed back to BTCe (in the same window that it gave me the "seed key"). That tells BTCe that I set the device up correctly. If I set it up wrong, then BTCe will see that the "response" didn't match the "seed key" it gave me.
Yes.

Quote
Is that the end of the configuration phase ? Are we onto "use" phase after that ?...
Yes.

Quote
Then BTCe gives me a challenge key at each log in - I need to enter that in the authenticator (not any old authenticator, but the one I originally configured with BTCe's "seed" key). The authenticator will give me a response which I then enter in the BTCe loggin.
No, the code you enter to log in is calculated using only 2 bits of information:
- the secret key you entered in the configuration phase.
- the current time (in blocks of 30 seconds).

These two pieces of data are combined and hashed in a specific way to yield a 6 digit number that you use to log in. There is no challenge from BTC-e. When you log in, instead of just entering your email and password, you also have to enter the 6 digit number that changes every 30 seconds.
legendary
Activity: 3066
Merit: 1188
February 01, 2014, 06:15:02 PM
#6
Ah, so I had it the wrong way around. It's the BTC-e site that gives you the "seed" key for the authenticator. Is that right ?

I then need to screenshot this "seed key" so that if I loose my device I can set it up on another one.

Then I stick that in the authenticator and it replies with another code which I feed back to BTCe (in the same window that it gave me the "seed key"). That tells BTCe that I set the device up correctly. If I set it up wrong, then BTCe will see that the "response" didn't match the "seed key" it gave me.

Is that the end of the configuration phase ? Are we onto "use" phase after that ?...

Then BTCe gives me a challenge key at each log in - I need to enter that in the authenticator (not any old authenticator, but the one I originally configured with BTCe's "seed" key). The authenticator will give me a response which I then enter in the BTCe loggin.

Is that it ?

If so, I feel a bit better about the fact that if I have the "seed key" I'm still ok even if I loose the device.
hero member
Activity: 728
Merit: 500
February 01, 2014, 05:47:36 PM
#5
I'm not sure for desktop app but general flow is like this,

[1] - log into BTC-e. Go to "Security" and say I want to set up 2FA. BTC-E will show you the key to generate on-time password for google authenticator.
[2] - Put the key you obtained in [1] into the authenticator
[3] - on future logins, BTC-e will give me a challenge key and ask for a response. I enter BTCe's challenge key in the authenticator app and it gives me the correct response
[4] - I enter the response from the authenticator app into BTC-e and get access

Not quite correct...

[1] - Log into BTC-e, go to the 2FA page. The page will show a key (both a string of characters and a QR code).
[2] - Put this key into the authenticator-app (scan the QR code or copy/paste the character-string).
[3] - The authenticator-app will now generate a new code every 30 seconds. This code depends on the secret key you entered in step 2 and the current time.
[4] - Fill in the code to finish adding the authenticator. This step ensures that you have it set up correctly. It will only add the 2FA method if you fill in the correct code.
[5] - Every time you log in, open the app and type the code into the box on the login screen.

Make sure that your device has its clock properly synced, as the code depends on the current time of the device. Additionally, make a backup of the secret key that was presented to you when you first set up 2FA. If you lose access to your device, you can use this backup to restore your 2FA on another device.
sr. member
Activity: 1097
Merit: 310
Seabet.io | Crypto-Casino
February 01, 2014, 04:08:20 PM
#4

Thanks. I think I can get an authenticator app that runs on a desktop. If I were to be able to do that, would the procedure then be as follows ?

[1] - generate a one-time key from the authenticator app

[2] - log into BTC-e. Go to "Security" and say I want to set up 2FA. BTC-e will ask me for the one-time password and I will enter the one generated by the authenticator app. That kind of "syncs" BTC-e's challenge engine with my authenticator app's response stream or something

[3] - on future logins, BTC-e will give me a challenge key and ask for a response. I enter BTCe's challenge key in the authenticator app and it gives me the correct response

[4] - I enter the response from the authenticator app into BTC-e and get access

Is that it ?


I'm not sure for desktop app but general flow is like this,

[1] - log into BTC-e. Go to "Security" and say I want to set up 2FA. BTC-E will show you the key to generate on-time password for google authenticator.
[2] - Put the key you obtained in [1] into the authenticator
[3] - on future logins, BTC-e will give me a challenge key and ask for a response. I enter BTCe's challenge key in the authenticator app and it gives me the correct response
[4] - I enter the response from the authenticator app into BTC-e and get access

That's it.


legendary
Activity: 3066
Merit: 1188
February 01, 2014, 02:35:05 PM
#3
I suppose btc-e doesn't provide SMS 2FA, though it might be wrong. The code is generated by the google authenticator app but nothing related to SIM card or phone number or google account. That's a hash from the code you took from btc-e initially and time. As for the test, yes once you lost the key stored in the app and the initial one, you need to ask btc-e to reset, which would let you wait for long time. However overall, it is better than being compromised. A big issue for you is is they support SMS rather than google app. I'm not sure they have desktop version of authenticator.

Thanks. I think I can get an authenticator app that runs on a desktop. If I were to be able to do that, would the procedure then be as follows ?

[1] - generate a one-time key from the authenticator app

[2] - log into BTC-e. Go to "Security" and say I want to set up 2FA. BTC-e will ask me for the one-time password and I will enter the one generated by the authenticator app. That kind of "syncs" BTC-e's challenge engine with my authenticator app's response stream or something

[3] - on future logins, BTC-e will give me a challenge key and ask for a response. I enter BTCe's challenge key in the authenticator app and it gives me the correct response

[4] - I enter the response from the authenticator app into BTC-e and get access

Is that it ?
sr. member
Activity: 1097
Merit: 310
Seabet.io | Crypto-Casino
February 01, 2014, 11:49:07 AM
#2
I don't have a smart phone so I'd be using the SMS option.

For a start, I can't even work out if BTC-e 2fa is somehow linked to Google account 2fa. There are so many references to Google with regard to 2fa that I can't decide if I should get the one time password from my google account or if I just generate it with a phone app (or in my case some kind of desktop app). If the latter is the case, how does BTC-e know which phone number to send the codes to ? If the former is the case, there are about 2 or 3 places you can generate "application specific codes" in your Google account.

Another problem is, there's no way to test it. If you do something wrong your locked out of your account. You absolutely have to know what you're doing. Also, I travel a lot and change sim cards all the time. If I loose a sim card I'm screwed and need to be sure of getting the same number from the phone company.

I suppose btc-e doesn't provide SMS 2FA, though it might be wrong. The code is generated by the google authenticator app but nothing related to SIM card or phone number or google account. That's a hash from the code you took from btc-e initially and time. As for the test, yes once you lost the key stored in the app and the initial one, you need to ask btc-e to reset, which would let you wait for long time. However overall, it is better than being compromised. A big issue for you is is they support SMS rather than google app. I'm not sure they have desktop version of authenticator.


legendary
Activity: 3066
Merit: 1188
February 01, 2014, 07:19:28 AM
#1
Hi

I'd like to set up 2 factor authentication on BTC-e, but I just can't get my head around it.

Believe it or not I am a software developer and I really find 2fa so ambigious to follow. Although I agree it massively increases security, I think it's one of the crappest implimentations ever invented and incredibly poorly documented. I'm not surprised few people use it.

I'm more worried about locking myself out of my account than getting it hacked.

I don't have a smart phone so I'd be using the SMS option.

For a start, I can't even work out if BTC-e 2fa is somehow linked to Google account 2fa. There are so many references to Google with regard to 2fa that I can't decide if I should get the one time password from my google account or if I just generate it with a phone app (or in my case some kind of desktop app). If the latter is the case, how does BTC-e know which phone number to send the codes to ? If the former is the case, there are about 2 or 3 places you can generate "application specific codes" in your Google account.

Another problem is, there's no way to test it. If you do something wrong your locked out of your account. You absolutely have to know what you're doing. Also, I travel a lot and change sim cards all the time. If I loose a sim card I'm screwed and need to be sure of getting the same number from the phone company.

I must say I really hate 2fa because it makes you so dependent on phones and stuff. I prefer just to have a strong password and only keep a small trading balance on the exchange for any length of time.

If anyone cares to clear some of the confusion up for me I'd appreciate it.


Jump to: