
Topic: What is best security method for MtGox? YubiKey or Software Authenticator? (Read 1054 times)

newbie
Activity: 6
Merit: 0
This sounds great and I've got to try it. It scares me when I read these threads about people losing their money on these BTC websites like Mt Gox. They aren't regulated of course so just extra dangerous compared to a regular US bank.  of course the returns are better but so is the risk.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Yes it is an open standard.
https://tools.ietf.org/html/rfc6238

Google Authenticator is just one (possibly the best known) implementation of RFC6238.

There are numerous libraries available.

Essentially it is just an HMAC of a seed and the current time.  No communication between server and the "token" is necessary.  The site (say MtGox) generates a random seed value and displays it as a QR code (or it could display it numerically).  The TOTP software is loaded with the seed.  Now both the site and the TOTP device will generate the same code as long as they are using the same time.  When you enter the TOTP value the site will look up your seed (which is stored securely), generate the TOTP and compare it to what you provided.

https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm


donator
Activity: 1218
Merit: 1079
Gerald Davis
That makes sense.  I have an android phone that only works with wifi but it should work. I'm going to try it tonight.

That should work fine.  Once you install the app you don't even need wifi.  I have an old smartphone I leave on my desk (password protected) to act as a "token" for about a dozen websites that use 2FA.  Install the Google Authenticator app.  Enable it on MtGox.  MtGox will display a 2D barcode.  In the Google Authenticator app click the menu button (upper right) > Add new site > Scan barcode.  Use the phone's camera to scan the barcode.  You are all set.  BTW most sites use 2FA in TOTP (time based one time password) mode.  So make sure the time on your smartphone is relatively accurate.
newbie
Activity: 6
Merit: 0
I don't have a smart phone but I see there may be something similar for windows or for html.  Maybe I will have to go with that. I need to get a smartphone but haven't had time to figure that out.

Understand though that 2FA means TWO FACTORS.  That is, two independent systems; to compromise the account BOTH need to be compromised simultaneously.  Having your authenticator on the same computer you log in from would be like getting two locks for your front door and putting both keys side by side under the mat.

a) get google authenticator on a smartphone
b) get a yubikey
c) have your account compromised and lose potentially tens of thousands of dollars

That makes sense.  I have an android phone that only works with wifi but it should work. I'm going to try it tonight.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Depends on the attack vector that the attacker is using.  I mean it isn't 2FA.  MtGox could just offer a second password used only for withdrawals; it would be just as (in)secure.  If the attacker doesn't gain access to the 2nd password you're safe, and if they do you lose, not really any different from having a code generator on the potentially compromised computer system.

Do 2FA correctly or don't.  Advocate less and eventually someone is going to get burned.  0-day Java exploits, bitcoin specific malware, etc.  Too much to lose, too difficult to get it back.  So many people want to spend hundreds of hours after the fact playing internet detective (usually with a 0.00% recovery) when a cheap 2FA done properly would prevent them from ever losing anything to begin with.

We shouldn't be advocating for noobs (especially ones who may not fully understand the reduced security) to half-ass security and then wonder why they get robbed.
legendary
Activity: 2086
Merit: 1015
I don't have a smart phone but I see there may be something similar for windows or for html.  Maybe I will have to go with that. I need to get a smartphone but haven't had time to figure that out.

Understand though that 2FA means TWO FACTORS.  That is, two independent systems; to compromise the account BOTH need to be compromised simultaneously.  Having your authenticator on the same computer you log in from would be like getting two locks for your front door and putting both keys side by side under the mat.

a) get google authenticator on a smartphone
b) get a yubikey
c) have your account compromised and lose potentially tens of thousands of dollars
While true in some regard, it is much harder to compromise an entire computer than to obtain their password via social engineering or to exploit XSS to initiate a withdrawal while another tab is already logged in.
donator
Activity: 1218
Merit: 1079
Gerald Davis
I don't have a smart phone but I see there may be something similar for windows or for html.  Maybe I will have to go with that. I need to get a smartphone but haven't had time to figure that out.

Understand though that 2FA means TWO FACTORS.  That is, two independent systems; to compromise the account BOTH need to be compromised simultaneously.  Having your authenticator on the same computer you log in from would be like getting two locks for your front door and putting both keys side by side under the mat.

a) get google authenticator on a smartphone
b) get a yubikey
c) have your account compromised and lose potentially tens of thousands of dollars
newbie
Activity: 9
Merit: 0
I don't have a smart phone but I see there may be something similar for windows or for html.  Maybe I will have to go with that. I need to get a smartphone but haven't had time to figure that out.
newbie
Activity: 8
Merit: 0
I use Google Authenticator for so much stuff.

Multiple G-mail Accounts.
Dropbox.
Lastpass.
Gox


Just wish I could use it for battle.net instead of Blizzard's homegrown one.

Also wish Twitter would get multi-factor auth already...
newbie
Activity: 10
Merit: 0
If you have a smartphone download the Google Authenticator app.

+1.  It's way easier than carrying around one of those fob things!
newbie
Activity: 9
Merit: 0
Hey, I don't even know what a Software Authenticator is yet, but I'm getting very nervous lately about having a significant amount of funds (for me) in my Mt Gox account.   So I would like to increase the security for both login and withdrawals.

I googled software authenticator and it seems like Safenet makes some, but they look like hardware, not software, to me. Here are some on ebay:

http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.TR12.TRC2&_nkw=safenet&_sacat=0&_from=R40

But just please tell me what you guys recommend and I will get on it. Thanks.