Bitcoin Forum

I decided I'd better add some better security to my Mt.Gox account, so for the last few days I've tried to add a Yubikey.

But, it goes to this page which has 503 error, which has been like that for days now:
https://yubikey.mtgox.com/

I'm thinking now, is trying to get a Yubikey even worth it?

Are there any best practice methods of keeping your account at Mt.Gox secure?

Cheers

bigdude

I'm using Google Authenticator (for Android) to access MtGox with doble security, with no problems.

excellent idea - I just finished setting this up on my iPhone ... works perfectly

Thanks :)

Works fine for me, been using my Mt.Gox yubikey for a few months.  But please tell me you bought your yubikey from Mt. Gox directly right?

If so just log in from their main page - it will ask you to press your Yubikey when it's required after your normal credentials.  Go to security settings in Mt. Gox to alter the default Yubikey behavior.

umm, no ...


you from Yubikey? or MtGox?

And how would I even sign up for a yubikey at mtgox - the page https://yubikey.mtgox.com/ still has a 503 error - been like that for at least a week now -

Okay, seems a bit of confusion going on here, hope the following helps:

1. There is no URL "yubikey.mtgox.com" - it just redirects to their front page where you can log in.  I don't know where you got that URL but it's bogus so quit it. 
Steps to get a Mt.Gox Yubikey:  Sign into your account, go into the security area and order your yubikey.  You can pay in BTC.  It will arrive 1 or 2 weeks later in a cute Japanese shipping envelope.
You cannot use a youbikey which you purchase directly from Yubico as they must be preloaded with a secret key which is linked to your account in order for the one time password generator to be synchronized with the Mt. Gox servers.  They pre-install these special keys and configuration settings before they ship it to you to ensure that it works.  Keep it somewhere safe after it arrives because if you lose it, you won't be able to make a transaction on Mt. Gox until after a replacement arrives in the post.

2.  You can also use external authenticators such as Google's, but then you're gonna need to trust Google.  I have no doubt that they will keep your credentials safe, this was very well developed (partly by one of the lead bitcoin devs).  But Google does not need your credentials to harvest your gmail, web surfing activity and authentication requests.  Recent events have also shown that they will give this data to arbitrary authorities without warrant.  Yubikey has the benefit of being 100% private between you and Mt. Gox, and does not rely on BS like SMS messages which can be forwarded to bad guys if they get malware on your phone.

So pick your poison, but my money is on anything *not* Google when it comes to things that matter.

And for the record Yubikeys are AWESOME as they are the only way I know of to completely defeat malware driven Mt.Gox theft.  Keyloggers and SMS forwarders sitting on your compromised PC or smart phone can't beat a physical one time key generator that lives outside of your computer. 

That is at least until the Trezor is ready to ship!!!  :D  That will take us to a new level of security entirely....

Are you serious buddy????? 

Steps to reproduce:

1. Login
2. Click on Security Center
3. Click 'Add New' button below Yubikeys where it says 'No Yubikey has been linked'

Now tell me, that 'Add New' button - what URL does it go to?

Yup, it goes to https://yubikey.mtgox.com/ which gives a 503 Error.

That's the same URL that you say doesn't exist - "I don't know where you got that URL but it's bogus so quit it"

I got it from trying to get a Yubikey in MtGox.

Still wanna say its bogus ...

Woah bigdude, ease down and just answer if you bought the yubikey from Mt. Gox. 

-- If you did not, then as far as Mt. Gox is concerned - you don't have one.  I don't think they have a way to import user generated OAUTH HOTP keys from self purchased Yubikeys, and if they did I'd say it was a big security risk.  There are special keys one can put into each Yubikey for a variety of authentication methods including OAUTH HOTP which I suspect Mt.Gox uses.  These keys must be syncrhonized with the authenticating backend system.

I bought mine from Mtgox and it works perfectly.  I have no idea what URL's they use when I sign in, maybe that's one of them - but who cares.  It's easy and it works.  Maybe they have a bug that makes this bogus page visible to non "Mtgox Yubikey" owners erroneously...  If I recall, the "add new" is for use after you get your MtGox Yubikey in the post to essentially block a chosen transaction type unless the chosen authentication is successful.

And trust me, you don't need to worry about URL's or any technical mumbo jumbo if you get your key from Gox.  For me, there was an easy link somewhere in the MtGox interface that took me to a shopping cart where I bought my key, selected payment, set up shipping, blah blah.  FYI, while it's in transit, you'll notice that they update your account so you get a new "Press Yubikey" text field when you sign in.  You can leave it blank until your Yubikey arrives, but after your first use, you'll only be able to sign in with your Yubikey (unless you bypass the feature in your security settings - something you'd need your Yubikey to do and which i wouldn't recommend).

The nice letter you get with your new MtGox Yubikey explains all of this.

-- If you HAVE ordered your key from Gox and it doesn't work - then you need to contact their support guys to fix it because unless you've tampered with your Yubikey, it should work barring errors on their end before they shipped it to you.  Nobody on this forum would be able to help.

Nope - the whole point of this thread is that when I tried to order a yubikey from Mt.Gox, there is an error on the URL that the 'Add New' Yubikey button goes to.

So, no, I haven't because I can't, because the Mt.Gox site errors out.

I have used Google Authentication for now, because I CAN'T get a yubikey from Mt.Gox ... the page returns a 503 Error, remember.



You sound like you work for Yubikey - am I right?

No harm if you do.

Nah, i don't work for them, just want others to have the safety i enjoy with my yubikey.  If i did work for them i'd go fix that html bug!   And sorry i falsely thought you already had a yubikey you had bought elsewhere..  My bad!

Ran into this problem and found the following.

Internet Explorer 9 is always getting this error.

Using Google Chrome it WORKS FINE!

I did report this to Mt. Gox support.

I can't link my MtGox with my Iphone....I don't know what code I'm supposed to be putting in the Code line. I've tried scanning in QR Code pasting in the key just get errors all the time. My Yubi Key from Gox works great on the laptop. Just that now I have a Yubikey setup I can't get in with my Iphone how do I link them?....It says you can use Google authentictator for Iphone and Yubi for home pc...I just feel the instructions are a bit vague.