Bitcoin Forum

Economy => Service Discussion => Topic started by: Rampion on March 19, 2013, 04:17:29 PM


Title: MtGox security: Yubikey vs Google Authenticator
Post by: Rampion on March 19, 2013, 04:17:29 PM
I've been awarded with a free Yubikey at MtGox. I had already set up a Google Authenticator, and now I have a doubt:

Which solution you like better? Yubikey or GA?

I see two different pros and cons:

  • Yubikey looks more secure, as I'm sure that smartphone malware targeting Google Authenticator (among other things) is on his way
  • On the other side, Google Authenticator seems easier to backup. For MtGox specifically, you just have to print the QR code at set-up, and your set. What about Yubikey? What happens if you loose it/break the key? I will have it in my keyring... And that's a place where is getting a lot of "action" (bouncing around with coins, keys, etc.)

Opinions?

Title: Re: MtGox security: Yubikey vs Google Authenticator
Post by: Rampion on March 27, 2013, 08:32:32 AM
Quote from: deathcode on March 27, 2013, 04:00:52 AM
Quote from: Rampion on March 19, 2013, 04:17:29 PM
I've been awarded with a free Yubikey at MtGox. I had already set up a Google Authenticator, and now I have a doubt:

Which solution you like better? Yubikey or GA?

I see two different pros and cons:

  • Yubikey looks more secure, as I'm sure that smartphone malware targeting Google Authenticator (among other things) is on his way
  • On the other side, Google Authenticator seems easier to backup. For MtGox specifically, you just have to print the QR code at set-up, and your set. What about Yubikey? What happens if you loose it/break the key? I will have it in my keyring... And that's a place where is getting a lot of "action" (bouncing around with coins, keys, etc.)

Opinions?

You should have both setup. Both methods are two factor-authentication. even if both of those methods are compromised, you still have your regular user/pass as a security feature. Also, why would you keep your key on a keychain with other keys, coins, etc? your yubikey belongs to a safe place in your house and you should use it as a secondary method (if you have google authenticator enabled)
At least that's my setup.
I hope it helps.

Thanks for the info. Si if I set up both (GA and Yubikey), I will just need ONE of them to withdraw (for example) - is it correct?

That would be cool, because it would be like a sort of "backup" of the 2FA

Title: Re: MtGox security: Yubikey vs Google Authenticator
Post by: deathcode on March 27, 2013, 01:44:58 PM
Quote from: Rampion on March 27, 2013, 08:32:32 AM
Quote from: deathcode on March 27, 2013, 04:00:52 AM
Quote from: Rampion on March 19, 2013, 04:17:29 PM
I've been awarded with a free Yubikey at MtGox. I had already set up a Google Authenticator, and now I have a doubt:

Which solution you like better? Yubikey or GA?

I see two different pros and cons:

  • Yubikey looks more secure, as I'm sure that smartphone malware targeting Google Authenticator (among other things) is on his way
  • On the other side, Google Authenticator seems easier to backup. For MtGox specifically, you just have to print the QR code at set-up, and your set. What about Yubikey? What happens if you loose it/break the key? I will have it in my keyring... And that's a place where is getting a lot of "action" (bouncing around with coins, keys, etc.)

Opinions?

You should have both setup. Both methods are two factor-authentication. even if both of those methods are compromised, you still have your regular user/pass as a security feature. Also, why would you keep your key on a keychain with other keys, coins, etc? your yubikey belongs to a safe place in your house and you should use it as a secondary method (if you have google authenticator enabled)
At least that's my setup.
I hope it helps.

Thanks for the info. Si if I set up both (GA and Yubikey), I will just need ONE of them to withdraw (for example) - is it correct?

That would be cool, because it would be like a sort of "backup" of the 2FA
Entirely up to you. You can setup the google auth for all three option (security, login, withdrawal) and yes, you'll need only one.


Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines