Topic: How to use 2-factor auth on mtgox, even without a smartphone (Read 27404 times)

hero member
Activity: 715
Merit: 500
Bitcoin Venezuela
is there a way to use 2 factor auth on your bitcoin wallet?

Electrum will have this option soon
newbie
Activity: 14
Merit: 0
Hello,

I've generated an OTP auth on mtgox, and noticed it's not possible to retrieve the QR code or secret keys once you've set it up. Since I don't want to only keep this on my phone (which could break or be stolen), I generated another OTP. Do you know if it's possible then to delete the first OTP on mtgox, since it's no longer used? In case I use it by mistake in the future, it won't be properly backed up.

member
Activity: 84
Merit: 10
really useful post op, should have been on goxes site
legendary
Activity: 2506
Merit: 1010
does this work for BTC-e ?

In June, BTC-E added two-factor authentication:
 - https://btc-e.com/profile#security/2fa

So yes, any TOTP client such as this browser-based one will work with BTC-E's two-factor auth.

List of exchanges with two-factor authentication:
 - http://bitcoin.stackexchange.com/questions/4113
sr. member
Activity: 531
Merit: 260
Vires in Numeris
Great abc - thanks.

I'm surprised that two versions - one on computer offline html and one on phone, are providing different keys and yet they both work.

legendary
Activity: 1316
Merit: 1000
retarded question does this work for BTC-e ?
hero member
Activity: 633
Merit: 768
BTC⇆⚡⇄BTC
Congratulations and thanks for the well done tutorial.

Cheers!
legendary
Activity: 1630
Merit: 1000
Does anyone know a good program to do this.

I found http://www.toms-world.org/blog/google_authenticator which lets me use multiple sites which is really nice, but mtgox won't work. The whole program crashes on me. I tried adding the six equal signs like stated to make it a base 32 or w.e. but it didn't work. Any advice is appreciated.
hero member
Activity: 826
Merit: 1000
°^°
I also found that the HTML5 app works in Opera Mobile, so I now have Google Auth on my Nokia (Symbian) phone!

OM is slooow on Symbian. try a J2ME TOTP implementation!
legendary
Activity: 2940
Merit: 1333
Here's the Python script that I use.  It's based on one I found on StackExchange, but adapted to take command-line arguments, and to do the secret padding correctly.

If you give it just one argument it gives you the TOTP code (which most sites use), and if you give it a 2nd argument, it gives you the HOTP code, which isn't time-based.  That's the kind that bitfloor used.

Code:
#!/usr/bin/env python3
#
# calculate google authenticator codes
#
# usage:
#
#  for Time-based One-time Passwords (TOTP), supply just one argument: the secret
#
#  for HMAC-based One-Time Passwords (HOTP), supply two arguments: the secret, and the counter
#      the counter should go up by one each time you generate a password
#
import base64, hashlib, hmac, struct, sys, time

def get_hotp_token(secret, number):
    # HMAC-SHA1 over the 64-bit big-endian counter, then RFC 4226 dynamic truncation
    h = hmac.new(base64.b32decode(secret, casefold=True), struct.pack(">Q", number), hashlib.sha1).digest()
    o = h[19] & 15
    return (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000

def get_totp_token(secret):
    # TOTP is HOTP with the counter set to the current 30-second time step
    return get_hotp_token(secret, int(time.time())//30)

def usage():
    sys.stderr.write("Usage: %s secret [ counter ]\n" % sys.argv[0])
    sys.exit(1)

argc = len(sys.argv)
if argc < 2 or argc > 3:
    usage()

# pad the base32 secret with '=' up to a multiple of 8 characters, as b32decode requires
secret = sys.argv[1]
secret += '======='[:7-((len(secret)-1)%8)]

if argc < 3:
    print("%06d" % get_totp_token(secret))
else:
    number = int(sys.argv[2])
    print("%06d" % get_hotp_token(secret, number))

Always remember to put a space at the start of your command line when running it so it doesn't get into the bash history file.  Alternatively create an alias in your .bashrc file so you can run it without having to type the secret each time (but then of course your secret is in the .bashrc file in plain text).
legendary
Activity: 3472
Merit: 1722
In case anyone didn't know, the Google authenticator is not limited to Android, iOS and BlackBerry devices; there are a few unofficial Google authenticators that will work on Symbian devices (e.g. a lot of Nokia's older phones). I'm using this one: https://code.google.com/p/lwuitgauthj2me/ on my 5800XM.

What you can do is copy the "secret" that is shown (it's just a string), or print out the QR code, so you have a backup of it so that you can re-load the code to a new device if you happen to lose your existing device. Since you can't re-display the secret you are already using, you'd need to remove OTP then re-add it and save a copy of the new secret code.

Thanks for the tip
I would just add: keep the key in a safe place e.g. on a separate memory stick.
member
Activity: 119
Merit: 10
bump for a valuable thread that could save people a lot of hassle and money.
hero member
Activity: 518
Merit: 500
Thanks for the help with this and I use it on Gox, Bitstamp and CampBX now... can't hurt to have that added layer of security
legendary
Activity: 1855
Merit: 1016
Mtgox gave this thread link when i asked about 2FA.
But they didn't say anywhere what to do to log in if the phone is lost.

Thanks Stephen Gornick for good trick/idea.
legendary
Activity: 2506
Merit: 1010
I just implemented 2-factor authentication in gox and a few pools. What happens if I lose the device with my google authenticator on it? 

Each E-Wallet vendor may have differing practices. 

With Mt. Gox, I believe you need to re-verify your identity (sending in a new copy of your ID).  They might ask some questions, like how much was your balance, the amount of your last deposit, etc.

Google has a method to move the Google auth OTP stuff from one phone to the next, but I'm not sure if that helps with lost phones.

What you can do is copy the "secret" that is shown (it's just a string), or print out the QR code, so you have a backup of it so that you can re-load the code to a new device if you happen to lose your existing device. Since you can't re-display the secret you are already using, you'd need to remove OTP then re-add it and save a copy of the new secret code.
sr. member
Activity: 434
Merit: 250
I just implemented 2-factor authentication in gox and a few pools. What happens if I lose the device with my google authenticator on it? 
sr. member
Activity: 378
Merit: 250
Born to chew bubble gum and kick ass
Hello,

Newbie here asking for help setting up 2 factor auth on mtgox using a smartphone. A kind soul is kindly asked to help. The present state:

1. I have an account at Mtgox and want to add Google Authentication service in Mtgox in Security Systems.

2. I bought an Android phone yesterday.

3. I downloaded Google Authenticator into my phone and get the following sentences / commands on the phone after starting this app:

First screen

With 2-step verification , whenever you sign in to your Google Account you will need:
1. Your password (non-clickable)
2. A code that this app will generate for you (non-clickable)

Begin setup (clickable command which I click and arrive at):

Second screen that shows:

Add an account (non-clickable):
___________________
Manually add an account (non-clickable)
Scan a barcode (clickable; Q1: Is barcode reading app built-in Google Authenticator so that I do not need to download any other additional application?)
Enter provided key (clickable; Q2: Should I type Mtgox's ''Auth Name'' or ''Standard Private Key'' or ''Secure Private Key''?)

Q3: Are ''scan barcode'' and ''add an account'' interchangeable, meaning that performing either of the two will result in a success, or do I need to both scan the barcode and enter the key?
_______________________
Available Google accounts (non-clickable)
[email protected] (clickable; Q4: is it advisable to create a new Google Account or is it okay if I use the existing one?)

Q5: Do I need to reveal my Google Account or this option is only for Gmail?

Thank you.
full member
Activity: 133
Merit: 100
Or use the google authenticator app on an offline computer.

the clock on an offline computer will vary over time, which will make your OTP give a bad result. Update the time manually if the OTP it gives doesn't work.
hey, I used this setup to add OTP to my Bitstamp account (any additional layer of security they offer? It's kinda lame that I can't even receive an email if there is a withdrawal, only a deposit..). Well, back to my original point: I added the OTP before March; usually I was logged on in 2-3 takes, now after DST it takes 10-15 takes for me to log in. What am I doing wrong? It does not make sense to change the computer time back to what it was before summer time.
legendary
Activity: 1316
Merit: 1000

ok cool, guess it's safe then, thanks
hero member
Activity: 899
Merit: 1002
https://github.com/gbraad?tab=activity

The guy who owns that github account last signed in 10 days ago, it's fine.
legendary
Activity: 1316
Merit: 1000

can someone confirm it's safe to download the file given in this tutorial from the site github, because I don't know github & OP has not signed in since March - no offense, just a newbie donk
newbie
Activity: 43
Merit: 0

Wrong time zone on the offline computer?

I guess that mini XP doesn't have time zone setup!
I'll check it again today!

I did the 2FA setup for bitcoincentral with the same online comp and intend to do the same for mtgox until the yubikey arrives.
foo
sr. member
Activity: 409
Merit: 250
Or use the google authenticator app on an offline computer.

the clock on an offline computer will vary over time, which will make your OTP give a bad result. Update the time manually if the OTP it gives doesn't work.

I tried to set up 2FA on mtgox using this method via an offline computer (mini WinXP on Hiren's boot USB) and got a wrong OTP. I had set the time and date to the same second and got different OTPs. Online (same comp as the mtgox session), the generated OTP matched well.

any advice, what is going wrong? thanks in advance!
Wrong time zone on the offline computer?
member
Activity: 98
Merit: 10
Or use the google authenticator app on an offline computer.

the clock on an offline computer will vary over time, which will make your OTP give a bad result. Update the time manually if the OTP it gives doesn't work.

I tried to set up 2FA on mtgox using this method via an offline computer (mini WinXP on Hiren's boot USB) and got a wrong OTP. I had set the time and date to the same second and got different OTPs. Online (same comp as the mtgox session), the generated OTP matched well.

any advice, what is going wrong? thanks in advance!

This is most likely the clock creep issue.  The OTP only lasts for 30 seconds, so if the clock is wrong it will not be calculated for the correct time as observed by Mt. Gox.  The best solution is to use a system connected to a time (NTP) server, otherwise you'll have to update the clock manually.
newbie
Activity: 43
Merit: 0
Or use the google authenticator app on an offline computer.

the clock on an offline computer will vary over time, which will make your OTP give a bad result. Update the time manually if the OTP it gives doesn't work.

I tried to set up 2FA on mtgox using this method via an offline computer (mini WinXP on Hiren's boot USB) and got a wrong OTP. I had set the time and date to the same second and got different OTPs. Online (same comp as the mtgox session), the generated OTP matched well.

any advice, what is going wrong? thanks in advance!
sr. member
Activity: 246
Merit: 250
Team Heritage Motorsports
and a Gox yubikey is only $29 last time I checked.

They sent me one for free, it is really a nice piece of hardware.

Short press and long press, so you have a built-in additional press to withdraw.
legendary
Activity: 2506
Merit: 1010
Two-factor provides security when every withdrawal or security change (e.g., change password, e-mail address, remove two-factor, etc.) action will require a new OTP to be entered.

This is addressed in this thread:

A plea to exchanges ... lets do 2 factor right!
 - https://bitcointalksearch.org/topic/a-plea-to-exchanges-lets-do-2-factor-right-109424

If your exchange or EWallet provider claims to have two-factor but doesn't do two-factor right, let them know otherwise they'll continue thinking they are protecting their customers which can be even worse, due to having a false sense of security ("oh ya, I have two factor -- I'm safe storing even larger amounts there now!").

Here's a list of EWallets where two-factor is offered:
 - http://bitcoin.stackexchange.com/a/4114/153
legendary
Activity: 1064
Merit: 1001
Excellent tutorial, and well written. We should see more like this!
member
Activity: 98
Merit: 10
As an alternative to deleting the entry (on computers rather than phones) when you're done, just store the entire GAuth directory on an encrypted volume (e.g. TrueCrypt) and only mount it when you need it.

That's a good idea, but it won't work. The GAuth page/app uses html5 localStorage, so the entry/"secret key" gets saved to the browser's data/cache folder, not to the folder with the GAuth html and javascript files.

You could edit the GAuth javascript file and replace the hardcoded example [email protected]. Then it would be contained in the Gauth folder.

Ah well, the Python script will be good enough for me.  Which takes care of that problem.
member
Activity: 98
Merit: 10
btw, if you use that python script, you have to add padding to the "secure private key" mtgox provides (other google auth apps will accept the secret key without padding). So "RPAAJZCGOW7NSAAJCFRCCHIN44" with base32 padding becomes "RPAAJZCGOW7NSAAJCFRCCHIN44======".

Code:
>>> import hmac, base64, struct, hashlib, time
>>> import onetimepass as otp
>>> my_secret = "RPAAJZCGOW7NSAAJCFRCCHIN44======"
>>> otp.get_totp(my_secret)
956735

Yep, that works.  Is there a way to report the number of seconds the OTP is valid for?  I can only see the check for whether it's true or false (and invoking that in the same script will always return true).
legendary
Activity: 826
Merit: 1001
rippleFanatic
As an alternative to deleting the entry (on computers rather than phones) when you're done, just store the entire GAuth directory on an encrypted volume (e.g. TrueCrypt) and only mount it when you need it.

That's a good idea, but it won't work. The GAuth page/app uses html5 localStorage, so the entry/"secret key" gets saved to the browser's data/cache folder, not to the folder with the GAuth html and javascript files.

You could edit the GAuth javascript file and replace the hardcoded example [email protected]. Then it would be contained in the Gauth folder.
member
Activity: 98
Merit: 10
As an alternative to deleting the entry (on computers rather than phones) when you're done, just store the entire GAuth directory on an encrypted volume (e.g. TrueCrypt) and only mount it when you need it.
full member
Activity: 164
Merit: 100
Nice work on the tut, very handy info! I will throw some your way as well soon, thanks!
legendary
Activity: 826
Merit: 1001
rippleFanatic
Very cool, thanks for the guide. Put up a donation address and I will send you a few bitcents for your trouble.

I also found that the HTML5 app works in Opera Mobile, so I now have Google Auth on my Nokia (Symbian) phone!

You're very welcome. tip jar: 1DUCK7StixdPxMCia8qgqQ6zoaGRdGRnqU
foo
sr. member
Activity: 409
Merit: 250
Very cool, thanks for the guide. Put up a donation address and I will send you a few bitcents for your trouble.

I also found that the HTML5 app works in Opera Mobile, so I now have Google Auth on my Nokia (Symbian) phone!
legendary
Activity: 826
Merit: 1001
rippleFanatic
Is it that if you have no phone you have to get a yubikey instead?
if you have no phone, you can use the html5 app.

And if you don't have a graphical front-end at all (text-only terminal console), there is a python script on github that does the hmac hash calculation for you.

btw, if you use that python script, you have to add padding to the "secure private key" mtgox provides (other google auth apps will accept the secret key without padding). So "RPAAJZCGOW7NSAAJCFRCCHIN44" with base32 padding becomes "RPAAJZCGOW7NSAAJCFRCCHIN44======".

Code:
>>> import hmac, base64, struct, hashlib, time
>>> import onetimepass as otp
>>> my_secret = "RPAAJZCGOW7NSAAJCFRCCHIN44======"
>>> otp.get_totp(my_secret)
956735
hero member
Activity: 615
Merit: 500
is there a way to use 2 factor auth on your bitcoin wallet?
hero member
Activity: 763
Merit: 500
Is it that if you have no phone you have to get a yubikey instead?
if you have no phone, you can use the html5 app.

And if you don't have a graphical front-end at all (text-only terminal console), there is a python script on github that does the hmac hash calculation for you.

legendary
Activity: 2940
Merit: 1090
This seems to assume you have a phone? Yet subject/title said even without one?

Is it that if you have no phone you have to get a yubikey instead?

-MarkM-
sr. member
Activity: 252
Merit: 250
Inactive
This type of professional documentation for account security should have been developed by all the high profile Bitcoin sites that use Google 2FA.

It's a statement about their professionalism that they don't take the time to do this.
legendary
Activity: 873
Merit: 1000
Or use the google authenticator app on an offline computer.

the clock on an offline computer will vary over time, which will make your OTP give a bad result. Update the time manually if the OTP it gives doesn't work.
legendary
Activity: 826
Merit: 1001
rippleFanatic
So, bitcoins are now probably the most wanted target of hackers and trojan-botnet operators in search of easy profit. They are the most easily monetized score of digital theft, valued at face in BTC while credit card numbers are sold for pennies on the dollar.

Every time you download programs, or re-install windows using that iso you got from a torrent, chances are ever greater that there is a trojan/virus. The chances are also good that it will go Fully UnDetected by most, if not all, Anti-Virus programs (botnet operators use a "FUD crypter" for this). If so, your mtgox password will be captured and added to the botnet database of login/password form submissions.

Then dude takes your mtgox funds.

I lost roughly 2000 USD from my MT.Gox account at 08:40 JST on the 31st of May 2012.

A lot of that going on.

"MtGox account got cleared out"
 - https://bitcointalksearch.org/topic/mtgox-account-got-cleared-out-85533

"All BTC disappeared from my Mt. Gox account"
 - https://bitcointalksearch.org/topic/all-btc-disappeared-from-my-mt-gox-account-88368

Another:
 - https://bitcointalksearch.org/topic/m.941759

And another:
"My mtgox account got compromised, what can I do?"
 - https://bitcointalksearch.org/topic/my-mtgox-account-got-compromised-what-can-i-do-84585

And on other services as well.  Here same thing happened to some GLBSE users:
 - https://bitcointalksearch.org/topic/i-suspect-gpumax-was-compromised-and-passwords-stolen-84893

In none of these was the person using multi-factor authentication.  Mt. Gox has had Yubikey support for a while.  Mt. Gox accounts now support Google Authenticator:
 - https://mtgox.com/press_release_20120605.html


But not you! Because you used 2-factor auth for withdrawals and dude only has your mtgox password, not your OTP private key.

Step 1:

Go to your mtgox security center and click "ADD NEW" under software authenticators.

Take a screenshot of this window, print it out, and lock it in a safe. Or copy/paste the secure private key and save it encrypted to a USB and lock that in a safe. Write it on a post-it, memorize it and then eat the post-it. Whatever you do, keep it secret but don't lose it.

Step 2:

If you have an android phone, install the google authenticator app for android. If you have an iOS device (iPod touch, iPad, iPhone), install the iOS app.

If you have neither, you can use this html5 google authenticator app. Download the zip file, extract it and open the index.html in your browser.

Now click the plus sign and add your secure private key. You are only running a local html5 app, so your secure private key is not being shared with anyone. You can even do this on an offline computer; you don't have to be online to use your secure private key to generate a one-time-passcode.

Step 3:

Use your generated one-time-passcode in the mtgox security center.

This passcode changes every 30 seconds. That's how long you have to type it into mtgox and "save" your new 2-factor auth system.

Step 4:

Add your new 2-factor method to "Withdrawal" to protect withdrawals.

Step 5:

Also add it to "Security Center". Otherwise, anyone with your login password can simply go to security center and remove your 2-factor auth protection.

Now a one-time-passcode is needed to remove 2-factor from withdrawals.

Step 6:

Your withdrawals are now protected.

CAVEAT on using the google authenticator html5 app:

Obviously, if you use your 2-factor "secure private key" on the same computer, it can be stolen along with the password. So pray that dude's trojan doesn't keylog everything, just login form passwords to sites like mtgox. Or use the google authenticator app on an offline computer. If you're ultra-paranoid, remember that your secure private key could be captured at set-up time when done on an insecure computer.

Also, the html5 app saves the secure private key to html5 localStorage, so click the (x) after use to remove it. Or clear it from the browser's cache/localStorage.