Mt.Gox: now yubikey enabled | Bitcointalksearch.org

MagicalTux

vip

Activity: 608

Merit: 501

-

Quote from: ?? on ??

what's the deal with those of us who already have a standard yubikey and want to use it with mtgox's?

The yubikeys we are providing at this point are locked with both slots reserved for Mt.Gox.

Both slots are blocked and limited to Mt.Gox, however we will offer at some point the ability to unlink a key, which would then allow to retrieve the key's codes.

We will also open the ability to use yubicloud keys for protection.

I would like to provide notice, however, than using the same key on different websites opens a serious security risk if you are not confident on each site's trustworthiness. A site could - for example - show "yubikey compatible" on its page but in fact use the OTP you provide it to identify itself on a different yubicloud-enabled site and do bad things there. This wouldn't be really hard to do, but could be really bad depending on the attacked website.

lebish

newbie

Activity: 36

Merit: 0

Quote from: Littleshop on July 08, 2011, 01:33:17 PM

Does it work on a mac?

Yes, I use it for other projects with my Macs.

hashme

member

Activity: 115

Merit: 10

Quote from: SlipperySlope on July 08, 2011, 02:01:50 PM

I would like it to work with the Mt Gox Trading API.

+1

barbarousrelic

hero member

Activity: 675

Merit: 502

It would be even better if this key could be incorporated with the Bitcoin client itself.

SlipperySlope

hero member

Activity: 686

Merit: 501

Stephen Reed

I would like it to work with the Mt Gox Trading API.

BitcoinCyberStore.com

newbie

Activity: 10

Merit: 0

Quote from: Littleshop on July 08, 2011, 01:33:17 PM

Does it work on a mac?

Yubikey is a USB device that acts like a standard USB keyboard. Should work automatically on any platform.

Littleshop

legendary

Activity: 1386

Merit: 1004

Quote from: MagicalTux on July 07, 2011, 06:55:39 PM

You can now order a yubikey if you have a Mt.Gox account and 29.99 USD or equivalent in bitcoins.

You can just login to Mt.Gox and click on "order a yubikey".

For the past weeks we have been focusing on improving the security on our site, both on our side, and on our users' side.

We have tested various options, and the yubikey was chosen as it is cost-effective and secure. Each time you use it, a 44 characters long code is inputted by your yubikey on your keyboard. This string is in fact the hexadecimal representation of an AES128 encrypted message that allows us to certify you are indeed you.

We will start shipping those today to people who have already ordered, and hve some stocks for the next days. So far it is difficult to know exactly how many people will order, swhich make it difficult to provide an estimate. We will update as we receive more orders on the shipping delays.

When shipped you receive an URL to track your package.

Does it work on a mac?

WakiMiko

newbie

Activity: 59

Merit: 0

From http://www.teaparty.net/technotes/yubikey.html:

Quote

I'll explain this in more detail later, but one nice wrinkle of the v2 yubikeys is that they support two profiles, which I shall refer to as slot-1 and slot-2. In use, these are differentiated by length of touch on the sensor; a quick press generates a token from the slot-1 data, a press of 3-4 seconds generates one from slot-2 data. Their website doesn't make clear, but their tech support confirms, that both slots can be in OTP mode. I intend to use slot-1 myself; I'll keep the AES key secret, and build my own authentication servers. But I intend to upload slot-2's AES key to yubikey, and use the infrastructure they provide when authenticating to the world.

Is it possible to use the 2nd slot for other applications when ordering from MtGox, or will the 2nd slot be disabled? Can I overwrite the MtGox AES key and essentially lock myself out?

kiwiasian

full member

Activity: 168

Merit: 100

Just logged in to my account with Yubikey. So I'm assuming my account has been tied to my key. Is two-factor withdrawal authentication automaticay enabled now?

angelo95

member

Activity: 84

Merit: 10

I have to say kudos to MtGox this time. They were bad on security but this is a proof that they try to improve and I notice that.

BitcoinCyberStore.com

newbie

Activity: 10

Merit: 0

From MTGOX notice:

Quote

Please note that our Yubikey can only be used with Mt.Gox.

From what I understand about Yubikey, there are two modes of operation... OTP mode where the password changes all the time... and "Static" mode where a frozen OTP is output when you press/hold the button.

While I'm sure the OTP mode is "locked into MTGOX", the "static mode" will work for you in other cases, as long as you append the 44 digit "frozen" string with your own easy to remember password. This is pretty close to two-factor authentication.

But for $25, you can get your own yubikey (from yubico) and get the OTP mode for your own use and possibly be able to use the "almost two-factor authentication" at MTGOX.

I've recently ordered 3 of them from Yubico for me and my family.

jacoder

newbie

Activity: 45

Merit: 0

20$? In my order I see zero$, am I lucky?

BitcoinPorn

hero member

Activity: 630

Merit: 500

Posts: 69

Quote

The yubikey is a small USB dongle from Yubico which generates one-time passwords (OTPs) and pretends to be a USB keyboard in order to enter the OTP into the keyboard datastream. I found out about them by chance - I can't remember how - and decided to buy one for experimentation. A major feature is that, having neither a real-time clock nor a display and thus needing no batteries either, they're really rather cheap. Including postage, mine cost less than £20, and you definitely won't get a SecurID dongle for that. Also, all the yubikey back-end software is generally available under GPL or other free licences; the security is your responsibility, not someone else's.

I say "more-secure" not "secure" in the title because it looks as if it'll still be single-factor authentication, as right now not all methods of validating the yubikey OTP support the use of a personal PIN as well. But yubikey authentication is still much better than straight username-password as the dongle is not easily copied, and the OTP data is, well, only usable once.

Not that this is a major issue, but I must confess that another attraction of the yubikey is that, it being lightweight and thin, I can wear it around my neck like a sort of digital dog-tag. Geek marine! Semper pinguis!

http://www.teaparty.net/technotes/yubikey.html

In case I wasn't the only one not fully familiar with this type of product.

terrytibbs

hero member

Activity: 560

Merit: 501

Gah, I see it now!

Now shut up.

Chick

member

Activity: 70

Merit: 10

Quote from: terrytibbs on July 07, 2011, 07:13:16 PM

Where do I order one?

Readers never read...

terrytibbs

hero member

Activity: 560

Merit: 501

Where do I order one?

Chick

member

Activity: 70

Merit: 10

Quote from: MagicalTux on July 07, 2011, 06:55:39 PM

You can now order a yubikey if you have a Mt.Gox account and 29.99 USD or equivalent in bitcoins.

You can just login to Mt.Gox and click on "order a yubikey".

For the past weeks we have been focusing on improving the security on our site, both on our side, and on our users' side.

We have tested various options, and the yubikey was chosen as it is cost-effective and secure. Each time you use it, a 44 characters long code is inputted by your yubikey on your keyboard. This string is in fact the hexadecimal representation of an AES128 encrypted message that allows us to certify you are indeed you.

We will start shipping those today to people who have already ordered, and hve some stocks for the next days. So far it is difficult to know exactly how many people will order, swhich make it difficult to provide an estimate. We will update as we receive more orders on the shipping delays.

When shipped you receive an URL to track your package.

Awesome!

MagicalTux

vip

Activity: 608

Merit: 501

-

You can now order a yubikey if you have a Mt.Gox account and 29.99 USD or equivalent in bitcoins.

You can just login to Mt.Gox and click on "order a yubikey".

For the past weeks we have been focusing on improving the security on our site, both on our side, and on our users' side.

We have tested various options, and the yubikey was chosen as it is cost-effective and secure. Each time you use it, a 44 characters long code is inputted by your yubikey on your keyboard. This string is in fact the hexadecimal representation of an AES128 encrypted message that allows us to certify you are indeed you.

We will start shipping those today to people who have already ordered, and hve some stocks for the next days. So far it is difficult to know exactly how many people will order, swhich make it difficult to provide an estimate. We will update as we receive more orders on the shipping delays.

When shipped you receive an URL to track your package.

Topic: Mt.Gox: now yubikey enabled (Read 4619 times)