Pages:
Author

Topic: Mtgox's 2 Factor Authentication: Yubikeys - page 2. (Read 6741 times)

legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
What scheme is Mt. Gox using? Are they using Yubikey's verification servers? Do they generate the key and burn it into the token themselves? Or can the user program the token?
vip
Activity: 608
Merit: 501
-
Hey MT, is there a shipping fee for international buyers or is it included in the cost?

The shipping fee is included in the price for any destination. Depending on your country's customs you may have to pay a tax.
legendary
Activity: 1022
Merit: 1001
Hey MT, is there a shipping fee for international buyers or is it included in the cost?
vip
Activity: 608
Merit: 501
-
For information it is now possible to order the yubikeys on mtgox, after logging in.

We are currently evaluating the possibility of selling half-locked keys that would be usable with yubicloud, and with other yubikey-enabled websites, which may be less secure as a rogue site could use your login token to login on mtgox instead of validating it with yubicloud.
newbie
Activity: 8
Merit: 0
A question to you MT - are you using your own key/validationserver?
I've gotten a couple of questions if It's possible to use the same key for both Bit LC and MTGox - and it all depends on if you're using yubicloud or not.

In either way - the MTGox-keys are based upon YubiKey 2.2 if i see correctly - which supports double identities - so it should not be a issue anyway.

Yubico replied to my tweet to Mt. Gox:

Quote
I think MtGox use their own validation server and not the YubiCloud. John.

You can see the tweet here.
member
Activity: 84
Merit: 10
Thanks for the info:

If you have yubikeys enabled on your account, you are greeted with this message AFTER you log in with your username and password.


Will this yubikey be used for login only or to authenticate orders too?

I think only the latter would be safe when doing a BTC withdraw for example on a corrupted PC

sr. member
Activity: 403
Merit: 250
A question to you MT - are you using your own key/validationserver?
I've gotten a couple of questions if It's possible to use the same key for both Bit LC and MTGox - and it all depends on if you're using yubicloud or not.

In either way - the MTGox-keys are based upon YubiKey 2.2 if i see correctly - which supports double identities - so it should not be a issue anyway.
vip
Activity: 608
Merit: 501
-
yes, i installed mine yesterday and it works as you described.  i'll add that Mark said yesterday that Withdrawal will be added shortly.

when you speak of "keys", do u mean the series of letters entered into the OTP box by the Yubikey?  how do you know how many of them there are?  i also noted they're just alpha and was surprised it didn't generate numerics in the password as well.

whats the purpose of the QR code?

i don't understand what you mean by the following.  can u expound on each of them please?:

"1. Keys cannot be used twice
2. If I generate many keys, I can use them all if used in order of generation. If I use the last key generated, all previous keys become invalid.
3. I'm not sure when the keys expire after generation."

The code input is made of letters only, and only some letters to be keymap-independent (this way even if your computer is configured for azerty or qwerty, it'll work fine). The string is in fact hexadecimal (yubico calls this "modhex", modified hexadecimal) and is a 22 bytes string made of 6 fixed bytes, and 16 bytes which are various informations encrypted with AES128.

The auth server has a copy of the 128bits key used on the yubikey, and will try to decrypt the string. It'll then check counters in there and will only accept the code if its counter is higher than the last seen code.

It means:
  • A code cannot be used more than once
  • Only a code more recent than the latest used code can be used
  • A code will not expire in terms of time, but only if a more recent code is used on the site
sr. member
Activity: 403
Merit: 250
Funny! Smiley I actually my self ordered a YubiKey just a couple of days ago - arrived today.
We're implementing it at Bitcoins.lc as we speak.
legendary
Activity: 1764
Merit: 1002
yes, i installed mine yesterday and it works as you described.  i'll add that Mark said yesterday that Withdrawal will be added shortly.

when you speak of "keys", do u mean the series of letters entered into the OTP box by the Yubikey?  how do you know how many of them there are?  i also noted they're just alpha and was surprised it didn't generate numerics in the password as well.

whats the purpose of the QR code?

i don't understand what you mean by the following.  can u expound on each of them please?:

"1. Keys cannot be used twice
2. If I generate many keys, I can use them all if used in order of generation. If I use the last key generated, all previous keys become invalid.
3. I'm not sure when the keys expire after generation."
member
Activity: 112
Merit: 10
Very interesting. Thanks for the post and please keep us informed as you run it through initial tests.
newbie
Activity: 56
Merit: 0
cant wait.. mt gox really is lifting its game
member
Activity: 96
Merit: 10
Hey All,

I just wanted to post some pictures of the Yubikey I got from Mtgox - Mark is currently running a beta test to ~50 people to work out the bugs.



the QR code and serial are obfuscated for security purposes Wink



purchasers will get a nice Mtgox lasered one, I believe.

sorry about the image, my camera is out for repair.



The yubikey is recognized as a USB input device. All I have to do is touch the contact (the glowing part) and it'll enter in a code, and press enter.

If you have yubikeys enabled on your account, you are greeted with this message AFTER you log in with your username and password.


I was able to log in using nothing in the yubikey authentication box until I used the yubikey for the first time. Pressing only enter would kick me back log-in screen (I would have to enter in username and password again)

What I observed:
1. Keys cannot be used twice
2. If I generate many keys, I can use them all if used in order of generation. If I use the last key generated, all previous keys become invalid.
3. I'm not sure when the keys expire after generation.

More to come as I poke around more.

Edit: Oh yeah, Mtgox will be selling them for 29.99 shipped. BTC accepted, of course. Wink
Pages:
Jump to: