
Topic: You are eligible for a free Yubikey! (Read 5773 times)

newbie
Activity: 29
Merit: 0
July 04, 2012, 01:31:17 PM
#41
From the blockchain website:

Quote
Can I use my Mt. Gox Yubikey?
Yes. Be sure to select "Mt Gox Yubikey" in the Two factor authentication select box.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
July 04, 2012, 12:44:36 PM
#40
The Yubikey output contains the serial number, an OTP, an incrementing counter, and possibly some other things that I have forgotten. It is not time limited, so you could generate (say) 15 OTPs in a row from an offline computer, and record them on a bit of paper for later use, as long as they were used sequentially. This would work, but it would be tedious to type in every time.

Got it, the counter. Thanks.
The other thing is that you can skip OTPs if you want to, because of that counter. Therefore, you could generate a bunch of keys, but as soon as you used key #15 from the example above, all the previous ones would become invalid unless you had used them in sequence.
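
The counter behaviour described in this post, as an added example that is not part of any post in the thread and is not Mt.Gox's or Yubico's code. It assumes a simplified OTP format: an HMAC tag stands in for the AES-encrypted block of a real Yubikey OTP, a single counter is used, and the names `ToyToken`, `Validator` and `make_otp` are hypothetical.

```python
import hashlib
import hmac

def make_otp(public_id, secret, counter):
    # HMAC tag stands in for the AES-encrypted block of a real Yubikey OTP.
    tag = hmac.new(secret, f"{public_id}:{counter}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{public_id}:{counter}:{tag}"

class ToyToken:
    """Hypothetical stand-in for the hardware key: a secret plus an incrementing counter."""
    def __init__(self, public_id, secret):
        self.public_id, self._secret, self._counter = public_id, secret, 0

    def press(self):
        self._counter += 1          # every button press consumes a counter value
        return make_otp(self.public_id, self._secret, self._counter)

class Validator:
    """Hypothetical server side: remembers the highest counter accepted per key."""
    def __init__(self):
        self._secrets, self._last = {}, {}

    def enroll(self, public_id, secret):
        self._secrets[public_id], self._last[public_id] = secret, 0

    def verify(self, otp):
        try:
            public_id, counter_text, _tag = otp.split(":")
            counter = int(counter_text)
        except ValueError:
            return "malformed"
        secret = self._secrets.get(public_id)
        if secret is None:
            return "unknown_key"
        expected = make_otp(public_id, secret, counter)
        if not hmac.compare_digest(expected.encode(), otp.encode()):
            return "bad_otp"
        if counter <= self._last[public_id]:
            return "replayed"       # already used, or skipped past by a later OTP
        self._last[public_id] = counter
        return "ok"

def demo():
    secret = b"constructed-demo-secret"            # constructed sample value
    token, server = ToyToken("demokey00001", secret), Validator()
    server.enroll(token.public_id, secret)
    otps = [token.press() for _ in range(15)]      # 15 OTPs generated up front
    order = [0, 1, 14, 2, 14]                      # use #1, #2, #15, then #3, then #15 again
    return [server.verify(otps[i]) for i in order]
```

Until a higher counter is accepted, every unused OTP in the batch remains valid, which is why generated but unused OTPs should be treated as live credentials.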
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
July 04, 2012, 12:39:04 PM
#39
Does it actually protect you from a key logger? Mine gets installed as an HID device. I would imagine a key logger could see the output? Same as a keyboard?

Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?

The idea behind it is that each password it generates can only be used one time. Every time you press that button a new password is generated, and as long as the most recent one was used to log into Mt.Gox any old ones will be invalid. Someone will need physical access to your yubikey to log into your account.

However if you like to play around with your new yubikey and watch it type random passwords in notepad, an attacker could use one of these passwords to log into your account. Always make sure you log into your Mt.Gox account with the last password generated by your yubikey and do not generate any more yubikey passwords after you log in!

Good point. On a related note, how much ahead from the last used password does their server try going to match my input? If I use the otp once, log off, then generate a sequence of 15 OTPs offline, will gox keep going 16 times the next time I log in? Or does yubi broadcast a serial number with the OTP?
The Yubikey output contains the serial number, an OTP, an incrementing counter, and possibly some other things that I have forgotten. It is not time limited, so you could generate (say) 15 OTPs in a row from an offline computer, and record them on a bit of paper for later use, as long as they were used sequentially. This would work, but it would be tedious to type in every time.

Got it, the counter. Thanks.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
July 04, 2012, 10:02:37 AM
#38
Does it actually protect you from a key logger? Mine gets installed as an HID device. I would imagine a key logger could see the output? Same as a keyboard?

Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?

The idea behind it is that each password it generates can only be used one time. Every time you press that button a new password is generated, and as long as the most recent one was used to log into Mt.Gox any old ones will be invalid. Someone will need physical access to your yubikey to log into your account.

However if you like to play around with your new yubikey and watch it type random passwords in notepad, an attacker could use one of these passwords to log into your account. Always make sure you log into your Mt.Gox account with the last password generated by your yubikey and do not generate any more yubikey passwords after you log in!

Good point. On a related note, how much ahead from the last used password does their server try going to match my input? If I use the otp once, log off, then generate a sequence of 15 OTPs offline, will gox keep going 16 times the next time I log in? Or does yubi broadcast a serial number with the OTP?
The Yubikey output contains the serial number, an OTP, an incrementing counter, and possibly some other things that I have forgotten. It is not time limited, so you could generate (say) 15 OTPs in a row from an offline computer, and record them on a bit of paper for later use, as long as they were used sequentially. This would work, but it would be tedious to type in every time.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
July 04, 2012, 09:54:59 AM
#37
Does it actually protect you from a key logger? Mine gets installed as an HID device. I would imagine a key logger could see the output? Same as a keyboard?

Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?

The idea behind it is that each password it generates can only be used one time. Every time you press that button a new password is generated, and as long as the most recent one was used to log into Mt.Gox any old ones will be invalid. Someone will need physical access to your yubikey to log into your account.

However if you like to play around with your new yubikey and watch it type random passwords in notepad, an attacker could use one of these passwords to log into your account. Always make sure you log into your Mt.Gox account with the last password generated by your yubikey and do not generate any more yubikey passwords after you log in!

Good point. On a related note, how much ahead from the last used password does their server try going to match my input? If I use the otp once, log off, then generate a sequence of 15 OTPs offline, will gox keep going 16 times the next time I log in? Or does yubi broadcast a serial number with the OTP?
member
Activity: 104
Merit: 100
July 04, 2012, 07:56:19 AM
#36
Does it actually protect you from a key logger? Mine gets installed as an HID device. I would imagine a key logger could see the output? Same as a keyboard?

Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?

The idea behind it is that each password it generates can only be used one time. Every time you press that button a new password is generated, and as long as the most recent one was used to log into Mt.Gox any old ones will be invalid. Someone will need physical access to your yubikey to log into your account.

However if you like to play around with your new yubikey and watch it type random passwords in notepad, an attacker could use one of these passwords to log into your account. Always make sure you log into your Mt.Gox account with the last password generated by your yubikey and do not generate any more yubikey passwords after you log in!
legendary
Activity: 910
Merit: 1000
★YoBit.Net★ 350+ Coins Exchange & Dice
July 04, 2012, 06:50:16 AM
#35
Does it actually protect you from a key logger? Mine gets installed as an HID device. I would imagine a key logger could see the output? Same as a keyboard?

Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?
hero member
Activity: 743
Merit: 500
July 04, 2012, 04:55:44 AM
#34
wow very fast delivery just 5 days
arrived today. Thanks Mtgox.
hero member
Activity: 530
Merit: 500
July 03, 2012, 08:46:40 AM
#33
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/
Make sure the USB keyboard driver gets installed when you plug it in. It might take a few seconds to be detected. You can play with it in an instance of a text editor such as notepad. A short press means hold for half a second, you can't just tap it real quick. A long press means hold it for 3.5 sec or so, but if you hold it too long it might not go.
Where can I find this driver? It's not on the homepage of yubico for instance.
It should install itself as a standard USB keyboard or HID device, there isn't a driver to download.
That's weird, it's not doing anything when I connect it.
Tried multiple USB input ports.

Edit: nvm.. it's working now. Weird.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
July 03, 2012, 08:39:07 AM
#32
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/
Make sure the USB keyboard driver gets installed when you plug it in. It might take a few seconds to be detected. You can play with it in an instance of a text editor such as notepad. A short press means hold for half a second, you can't just tap it real quick. A long press means hold it for 3.5 sec or so, but if you hold it too long it might not go.
Where can I find this driver? It's not on the homepage of yubico for instance.
It should install itself as a standard USB keyboard or HID device, there isn't a driver to download.
hero member
Activity: 530
Merit: 500
July 03, 2012, 08:28:49 AM
#31
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/
Make sure the USB keyboard driver gets installed when you plug it in. It might take a few seconds to be detected. You can play with it in an instance of a text editor such as notepad. A short press means hold for half a second, you can't just tap it real quick. A long press means hold it for 3.5 sec or so, but if you hold it too long it might not go.
Where can I find this driver? It's not on the homepage of yubico for instance.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
July 03, 2012, 08:01:27 AM
#30
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/
Make sure the USB keyboard driver gets installed when you plug it in. It might take a few seconds to be detected. You can play with it in an instance of a text editor such as notepad. A short press means hold for half a second, you can't just tap it real quick. A long press means hold it for 3.5 sec or so, but if you hold it too long it might not go.
hero member
Activity: 530
Merit: 500
July 03, 2012, 06:16:48 AM
#29
Also arrived in Holland. Thanks Mtgox. Though, it's not working for some reason. It's not generating an OTP. =/
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
June 29, 2012, 04:55:30 PM
#28
Alright, yubikey will protect my account in case a keylogger is running on my computer. Is that all? How about the security of gox android app?
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
June 28, 2012, 08:41:38 PM
#27
I got a free one from Gox too 2-3 months ago. They sent it straight from Japan in some cool Japanese envelopes with a crazy amount of tickboxes on it. (all the customs declarations)
I actually paid for mine, and I got 2 in the mail, one had someone else's name lol. Whoops.
donator
Activity: 848
Merit: 1078
June 28, 2012, 02:07:48 AM
#26
I got a free one from Gox too 2-3 months ago. They sent it straight from Japan in some cool Japanese envelopes with a crazy amount of tickboxes on it. (all the customs declarations)
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
June 27, 2012, 06:46:59 PM
#25
Are we 100% sure this is from Mt.Gox and not a phishing expedition?

LoL....yes 100% sure. I didn't click the link in the email, I went to my browser and typed in the address. Logged in and gave my coupon code under buy a yubikey.
Thanks. Just in case I get such an offer.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
June 27, 2012, 06:38:37 PM
#24
Are we 100% sure this is from Mt.Gox and not a phishing expedition?
legendary
Activity: 1795
Merit: 1208
This is not OK.
June 27, 2012, 05:54:56 PM
#23
I got one too.... Dunno if I'll use it (eggs/basket etc), but it's free
donator
Activity: 1617
Merit: 1012
June 27, 2012, 05:13:20 PM
#22
My understanding was that a MtGox Yubikey was a Yubikey with an AES key put into it by MtGox.  Actually, that's two AES keys - one for the short press (logging in), and one for the long press (withdrawing funds).

AES is a symmetric algorithm - in this case, I understand this to mean that MtGox and the key know the same secret number.

That said, I don't understand how can a third party make use of a MtGox Yubikey without knowing that number?
I believe that you can validate against a given authentication server without needing to know the secret.
Yes. The same way that you can authenticate a generic Yubikey against the YubiCloud without knowing the private key that is pre-programmed in the 1st slot, you should be able to authenticate a Mt.Gox Yubikey if you have been given access to their authentication server.