
Topic: GLBSE 2.0 open for testing - page 16. (Read 51751 times)

legendary
Activity: 1260
Merit: 1000
April 03, 2012, 09:33:37 AM
Yubikey and Google Auth, while accomplishing the same thing, are different and not mutually exclusive in the sense that each has their advantages.

First and foremost, one could argue Yubikey is a bit more secure than Google Auth.  (But for practical purposes, it's largely irrelevant).  Additionally, Google Auth is not supported on all devices.  Yubikey, also, is not supported on all devices (namely, those devices without a USB port).  Yubikey is more convenient in terms of entering your OTP, less convenient since you have to carry something around in addition to your phone (for Google Auth).

I would vote to add the ability to use one or the other, not just Google Auth.  I use Yubikey in several places and Google Auth in other places, depending on the situation and I find them both useful in their own ways, while neither of them are perfect, sadly.  Now... Google Auth would be awesome if paired with NFC and the computers I use had NFC readers.

REF
hero member
Activity: 529
Merit: 500
April 02, 2012, 07:25:04 PM
Didn't realize we had the ability to revote/change our vote. Makes sense, thanks for clearing it up. Nice work, seems you worked hard all day setting up Google Auth. Haven't used it myself before but I'm excited to try it once it's ready. I think it's a better option than those long auth and private keys we had for GLBSE 1.0 just because it was hard for some people to figure it out.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 06:56:28 PM
Yubikeys are not cheap for the end user, but they are free for you to implement.
And if GLBSE were to implement it, someone with an existing Mt. Gox yubikey could use it as well, right?
No, because Mtgox uses their own authentication server and custom programmed Yubikeys. It theoretically would be possible to liaise with Mtgox and use their auth server, but I doubt that they would allow it. Making it optional would of course be the best way to go.

No Yubikey, I refuse to buy one just to even get started developing, and then make people buy one, there is absolutely no point when a free option is available.

I've already got google auth 1/2 working, a few more hours and it will be done.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
April 02, 2012, 06:36:59 PM
Yubikeys are not cheap for the end user, but they are free for you to implement.
And if GLBSE were to implement it, someone with an existing Mt. Gox yubikey could use it as well, right?
No, because Mtgox uses their own authentication server and custom programmed Yubikeys. It theoretically would be possible to liaise with Mtgox and use their auth server, but I doubt that they would allow it. Making it optional would of course be the best way to go.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 06:36:07 PM
Yubikeys are not cheap for the end user, but they are free for you to implement.

And if GLBSE were to implement it, someone with an existing Mt. Gox yubikey could use it as well, right?

That approach makes sense if two-factor is an option for the accountholder.   If I'm holding $20 USD worth of stocks I shouldn't be forced to buy a $30 dongle, but if I'm holding a significant amount I have the option to protect my account by requiring two factor auth.

I might end up making my own

Making your own mobile-based OTP token system?   Please tell me that wasn't what you meant to write.  Also please read on NIH:
 - http://en.wikipedia.org/wiki/Not_invented_here


Lol, said that because I didn't know what was available out there.

No I'm integrating Google Auth right now, it's exactly what I was looking for.
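
Added example (not part of the thread and not GLBSE's code): Google Authenticator generates time-based one-time passwords per RFC 6238, and this sketch shows the server-side check a site integrating it has to perform, including a drift window and replay rejection. The function names and the sample secret (the RFC 6238 test key) are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by the authenticator app


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32, submitted, last_counter, now=None, window=1):
    """Return the time-step counter that matched, or None if the code is rejected.

    last_counter is the last counter accepted for this account (-1 if none);
    the caller stores the returned value so a code cannot be used twice.
    """
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None
    key = base64.b32decode(secret_b32.upper())
    current = int(time.time() if now is None else now) // STEP
    # Accept +/- `window` steps to tolerate clock drift on the phone.
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue  # already used or older: reject replays
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    accepted = verify_totp(SAMPLE_SECRET, "287082", last_counter=-1, now=59)
    print("first use accepted at counter", accepted)
    print("replay:", verify_totp(SAMPLE_SECRET, "287082", last_counter=accepted, now=59))
```
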
legendary
Activity: 924
Merit: 1004
Firstbits: 1pirata
April 02, 2012, 06:32:25 PM
......

I might end up making my own

Making your own mobile-based OTP token system?   Please tell me that wasn't what you meant to write.  Also please read on NIH:
 - http://en.wikipedia.org/wiki/Not_invented_here


anyone using Google Authenticator to do that 2 step auth?
legendary
Activity: 2506
Merit: 1010
April 02, 2012, 06:24:05 PM
Yubikeys are not cheap for the end user, but they are free for you to implement.

And if GLBSE were to implement it, someone with an existing Mt. Gox yubikey could use it as well, right?

That approach makes sense if two-factor is an option for the accountholder.   If I'm holding $20 USD worth of stocks I shouldn't be forced to buy a $30 dongle, but if I'm holding a significant amount I have the option to protect my account by requiring two factor auth.

I might end up making my own

Making your own mobile-based OTP token system?   Please tell me that wasn't what you meant to write.  Also please read on NIH:
 - http://en.wikipedia.org/wiki/Not_invented_here
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 05:09:10 PM
the vote buttons should go away after you vote on a motion. Right now I have a motion from tygrr-bank and every time I click on it I see buttons to vote yes and no; when I click on them I'm sent back to my portfolio page. Only the option you picked should stay and it should let you know you voted and not let you click anything.

You are allowed to change your vote as much as you like right up until the vote closes. This is why it shows.

REF
hero member
Activity: 529
Merit: 500
April 02, 2012, 05:07:55 PM
the vote buttons should go away after you vote on a motion. Right now I have a motion from tygrr-bank and every time I click on it I see buttons to vote yes and no; when I click on them I'm sent back to my portfolio page. Only the option you picked should stay and it should let you know you voted and not let you click anything.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 10:21:01 AM
I'll look into adding one of these systems quite soon, keep in mind that GLBSE has never had any break-ins so far (fingers crossed).

antirack, already had a look at DuoSecurity, the free system is limited to 10 users, then $3 a month per user

I might end up making my own as I've been looking to get started building for android for some time, and finally here would be a good reason.

Nefario.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
April 02, 2012, 10:13:10 AM
Yubikeys are not cheap for the end user, but they are free for you to implement. You can either use their free cloud based system, or issue your own keys tied to your own auth server. http://www.yubico.com/developers-intro

Google Authenticator is free on both ends. http://code.google.com/p/google-authenticator/

Other methods of OTP authentication are available, at varying difficulties of implementation.
hero member
Activity: 489
Merit: 500
Immersionist
April 02, 2012, 10:02:18 AM
Not sure if this is still current, but look at this:

http://net.tutsplus.com/tutorials/php/integrating-two-factor-authentication-with-codeigniter/

Lucky for you, Duo Security offers a free two-factor service ideal for anybody looking to protect their website.

Not only is Duo free, but it’s full of features. They let you authenticate in a variety of ways, including:

    Phonecall authentication
    SMS-based tokens
    Mobile app token generator
    Push-based authentication
    Hardware tokens available for purchase
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 09:57:10 AM
I've added captchas to the login process.

Regarding two factor auth, this is tricky.

Actually it IS something I'd like to implement, however in its current state it's quite pricey.

I think the only method I can think of would be to have an android app that sends a hash of the user's phone number and pin to the server for a verification code or something like that. I need to look into it.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
April 02, 2012, 07:39:44 AM
Keep in mind now that this means that if your email account is compromised, then so will your GLBSE account, and we will bear no responsibility for this.

Is a two-factor authentication method on the roadmap?
+1, I hope so. Yubikeys have a nice and fairly easy to use system going on. Or you can do other options like matrix cards.
legendary
Activity: 2506
Merit: 1010
April 02, 2012, 12:03:00 AM
Keep in mind now that this means that if your email account is compromised, then so will your GLBSE account, and we will bear no responsibility for this.

Is a two-factor authentication method on the roadmap?
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 01, 2012, 10:03:39 PM
so i changed my account to 2.0
and now i forgot my password  Shocked

i miss the send me my password button  Embarrassed

We now have an account recovery option, beside the login form.

Keep in mind now that this means that if your email account is compromised, then so will your GLBSE account, and we will bear no responsibility for this.

Nefario.
sr. member
Activity: 462
Merit: 250
March 31, 2012, 11:06:53 PM
so i changed my account to 2.0
and now i forgot my password  Shocked

i miss the send me my password button  Embarrassed

tl;dr; send Nefario your claim code to verify yourself ; )

OP: well, this is one of the things that are important but not yet there (not urgent)
nefario fixed critical things first, then urgent & important
and things around resetting forgotten passwords via email are simply not yet in the top X todo things.

you won't miss any dividends and your account will wait for you ...
just send him a PM or email (email might be actually better, you know, kind of proof it's you)
disclaimer: i know sender can be spoofed but it's still better than a PM to nefario "hi, I forgot my password, please reply to my pm here with a new password for account registered with email [email protected] or email it to my backup email [email protected]"

let it be a reminder for you to take better care of your passwords and just bear with nefario to get back to you.

@all how could password reset be protected from potential abuse (brute-force guessing registered emails and demanding password resend)? I mean, ok, password reset would be automated, email sent to the claimed address would be addressed to the email address registered with an account but I'm shivering with worries how easily it could be fetched and abused.

In my perfect dream world I would have a public key associated with my account and all emails from glbse would arrive encrypted so that the next poor guy w/o password would have to be in possession of the private key as well ... and that's another thing that can be forgotten or lost.

as it is now, you'll be probably asked details about your account (which shares did you own, can you remember approx what your btc balance was and stuff like that, to support your claim).
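
Added example (not part of the thread and not GLBSE's code): one common way to answer the reset-abuse question in the post above is to give the same reply whether or not the address is registered, rate-limit requests per address, and issue random single-use tokens that expire and are stored only as hashes. The class name, limits and the in-memory `outbox` standing in for mail delivery are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60      # seconds a reset token stays valid (assumed policy)
MAX_REQUESTS = 3         # reset mails per address per window (assumed policy)
WINDOW = 60 * 60
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


class ResetService:
    def __init__(self, accounts):
        self.accounts = set(accounts)
        self.tokens = {}     # sha256(token) -> (email, expires_at)
        self.requests = {}   # email -> timestamps of recent requests
        self.outbox = []     # (email, token); stands in for sending mail

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        recent = [t for t in self.requests.get(email, []) if now - t < WINDOW]
        recent.append(now)
        self.requests[email] = recent
        if len(recent) <= MAX_REQUESTS and email in self.accounts:
            token = secrets.token_urlsafe(32)   # 256 bits, not guessable
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, now + TOKEN_TTL)
            self.outbox.append((email, token))
        # Identical reply in every case, so the form cannot be used to
        # discover which addresses have accounts.
        return GENERIC_REPLY

    def redeem(self, token, now=None):
        """Return the account email if the token is valid, else None."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop makes the token single-use
        if entry is None or now > entry[1]:
            return None
        return entry[0]


if __name__ == "__main__":
    svc = ResetService({"alice@example.test"})   # constructed sample account
    print(svc.request_reset("alice@example.test", now=0))
    print(svc.request_reset("nobody@example.test", now=0))
    print("redeemed for:", svc.redeem(svc.outbox[0][1], now=10))
```
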
full member
Activity: 148
Merit: 100
March 31, 2012, 10:38:35 PM
so i changed my account to 2.0
and now i forgot my password  Shocked

i miss the send me my password button  Embarrassed
hero member
Activity: 667
Merit: 500
March 31, 2012, 06:31:01 PM


Thanks! Hopefully no one sold because of it..  Actually that brings up a feature request..  Need a "shareholder of record date" function in GLBSE.  This is common practice in the "real" exchanges.

teek


Could you explain this a little more please.

I'm not his spokesperson and reserve the right to be wrong but what I understood is a feature request that would enable to pay dividends to the list of shareholders "as of the date = date entered in the dividend payment form"

so if I pay dividends each Sunday 6 a.m. GMT but I slept a bit longer and missed my committed time, somebody may have sold the shares at 9 a.m. and me a few hours later (lunch time) wants to set things right and would like to pay to shareholders from 6 a.m. moment.

@teek is that right ^^ ?


Yep something like that.  Can be used for all kinds of things.. right now the record date ends up being exactly when the transaction happens as mila pointed out..  That works ok for now too, but say a company is paying out Q2 earnings in August or something like that, they want to pay the holders of record 06/30 etc..  many other reasons..  Record dates will be handy and probably necessary for certain issues, especially when the exchange grows..
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
March 31, 2012, 05:51:09 PM


Thanks! Hopefully no one sold because of it..  Actually that brings up a feature request..  Need a "shareholder of record date" function in GLBSE.  This is common practice in the "real" exchanges.

teek


Could you explain this a little more please.

I'm not his spokesperson and reserve the right to be wrong but what I understood is a feature request that would enable to pay dividends to the list of shareholders "as of the date = date entered in the dividend payment form"

so if I pay dividends each Sunday 6 a.m. GMT but I slept a bit longer and missed my committed time, somebody may have sold the shares at 9 a.m. and me a few hours later (lunch time) wants to set things right and would like to pay to shareholders from 6 a.m. moment.

@teek is that right ^^ ?

Whoa, if this is correct then it's doable, but fairly difficult. Will take some time but I can add it to the list.

Nefario.