Topic: GLBSE 2.0 open for testing - page 16. (Read 51741 times)

Yubikey and Google Auth, while accomplishing the same thing, are different and not mutually exclusive in the sense that each has their advantages.

First and foremost, one could argue Yubikey is a bit more secure than Google Auth.  (But for practical purposes, it's largely irrelevant).  Additionally, Google Auth is not supported on all devices.  Yubikey, also, is not supported on all devices (namely, those devices without a USB port).  Yubikey is more convenient in terms of entering your OTP, less convenient since you have to carry something around in addition to your phone (for Google Auth).

I would vote to add the ability to use one or the other, not just Google Auth.  I use Yubikey in several places and Google Auth in other places, depending on the situation and I find them both useful in their own ways, while neither of them are perfect, sadly.  Now... Google Auth would be awesome if paired with NFC and the computers I use had NFC readers.

Didnt realize we had the ability to revote/change our vote. makes sense thanks for clearing it up. Nice work seems you worked hard all day setting up google auth, havent used it myself before but im excited to try it once its ready. I think its a better option then those long auth and private keys we had for glbse 1.0 just because it was hard for some people to figure it out.

No Yubikey, I refuse to buy one just to even get started developing, and then make people buy one, there is absolutely no point when a free option is available.

I've already got google auth 1/2 working, a few more hours and it will be done.

No, because Mtgox uses their own authentication server and custom programmed Yubikeys. It theoretically would be possible to liaise with Mtgox and use their auth server, but I doubt that they would allow it. Making it optional would of course be the best way to go.

Lol, said that because I didn't know what was available out there.

No I'm integrating Google Auth right now, it's exactly what I was looking for.

anyone using google authencator to do that 2 step auth ?

And if GLBSE were to implement it, someone with an existing Mt. Gox yubikey could use it as well, right?

That approach makes sense if two-factor is an option for the accountholder.   If I'm holding $20 USD worth of stocks I shouldn't be forced to buy a $30 dongle, but if I'm holding a significant amount I have the option to protect my account by requiring two factor auth.


Making your own mobile-based OTP token system?   Please tell me that wasn't what you meant to write.  Also please read on NIH:
 - http://en.wikipedia.org/wiki/Not_invented_here

You are allowed change your vote as much as you like right up until the vote closes. This is why it shows.

the vote buttons should go away after you vote on a motion. Right now I have a motion from tygrr-bank and every time I click on it I see buttons to vote yes and no when I click on them Im sent back to my portfolio page. Only the option you picked show stay and it should let you know you voted and not let you click anything.

I'll look into adding one of these systems quite soon, keep in mind that GLBSE has never had any breakins so far (fingers crossed).

antirack, already had a look at DuoSecurity, the free system is limited to 10 users, then $3 a month per user

I might end up making my own as I've been looking to get started building for android for some time, and finally here would be a good reason.

Nefario.

Yubikeys are not cheap for the end user, but they are free for you to implement. You can either use their free cloud based system, or issue your own keys tied to your own auth server. http://www.yubico.com/developers-intro

Google Authenticator is free on both ends. http://code.google.com/p/google-authenticator/

Other methods of OTP authentication are available, at varying difficulties of implementation.

Not sure if this is still current, but look at this:

http://net.tutsplus.com/tutorials/php/integrating-two-factor-authentication-with-codeigniter/

Lucky for you, Duo Security offers a free two-factor service ideal for anybody looking to protect their website.

Not only is Duo free, but it’s full of features. They let you authenticate in a variety of ways, including:

    Phonecall authentication
    SMS-based tokens
    Mobile app token generator
    Push-based authentication
    Hardware tokens available for purchase

I've added captcha's to the login process.

Regarding two factor auth, this is tricky.

Actually it IS something I'd like to implement, however in it's current state it's quite pricey.

I think the only method I can think of would be to have an android app that sends a hash of the users phone number and pin to the server for a verification code or something like that. I need to look into it.

+1, I hope so. Yubikeys have a nice and fairly easy to use system going on. Or you can do other options like matrix cards.

Is a two-factor authentication method on the roadmap?

We now have an account recovery option, beside the login form.

Keep in mind now that this means that if your email account is compromised, then so will your GLBSE account, and we will bear no responsibility for this.

Nefario.

tl;dr; send Nefario your claim code to verify yourself ; )

OP: well, this is one of the things that are important but not yet there (not urgent)
nefario fixed critical things first, then urgent & important
and things around resetting forgotten passwords via email are simply not yet in the top X todo things.

you won't miss any dividends and your account will wait for you ...
just send him a PM or email (email might be actually better, you know, kind of proof it's you)
disclaimer: i know sender can be spoofed but it's still better than a PM to nefario "hi, I forgot my password, please reply to my pm here with a new password for account registered with email [email protected] or email it to my backup email [email protected]"

let it be a reminder for you to take better care of your passwords and just bear with nefario to get back to you.

@all how could be password reset protected from potential abuse (brute force guessing registered emails and demanding password resend?). I mean, ok, password reset would be automated, email sent to the claimed address would be addressed to the email address registered with an account but I'm shivering with worries how easy it could be fetched and abused.

In my perfect dream world I would have a public key associated with my account and all emails from glbse would arrive encrypted so that the next poor guy w/o password would have to be in possession of the private key as well ... and that's another thing that can be forgotten or lost.

as it is now, you'll be probably asked details about your account (which shares did you own, can you remember approx what your btc balance was and stuff like that, to support your claim).

so i changed my account to 2.0
and now i forgot my password 

i miss the send me my passwort button 

Yep something like that.  Can be used for all kinds of things.. right now the record date ends up being exactly when the transaction happens as mila pointed out..  That works ok for now too, but say a company is paying out Q2 earnings in August or something like that, they want to pay the holders of record 06/30 etc..  many other reasons..  Record dates will be handy and probably necessary for certain issues, especially when the exchange grows..

Whoa, if this is correct then it's doable, but fairly difficult. Will take some time but I can add it to the list.

Nefario.