Bitcoin Forum

https://mtgox.com/press_release_20120605.html

TOKYO - JAPAN - June 5, 2012 - In our continuous effort to secure our users' Mt.Gox experience we are proud to announce our new Security Center where from one page you will be able to create your own security rules to match your needs.

Mt.Gox first introduced two factor authentication into its service with the YubiKey, a unique approach to security where people had to physically connect a device to their computer to safely and securely access to their account.

Today however we pushed the overall security experience further with the integration of our new Security Center that will allow our users to utilize a software-based two factor authentication system along with our existing YubiKey hardware solution.

Incorporating Google Authenticator, our new Security Center will allow anyone that installed this free software on their iPhone or Android device to quickly create rules on their Mt.Gox account to add another layer of security and flexibility.

From there you will be able to add one or more YubiKey or Google Authenticator OTPs to your account. To do so simply follow the on screen instructions to add your first authentication system.

Once done, just drag and drop your newly created security system to one of Mt.Gox’s three access control panels including : “Log In”, “Withdrawal” and “Security Center”

In our actual setup, one person could for example create rules that limit certain behavior on their account depending on which device is used to login to their account. We could imagine here that whenever you accessing your account with Google Authenticator with a smart phone you will have the ability to access to very basics features of your account whereas your home computer along with Google Authenticator or a Yubikey could in the other hand give you full control of your account.

Another example would be for verified corporate account holders to give certain staff basic access to the company Mt.Gox account to check vital sales data including payments details and orders while leaving the full control of deposit and withdrawals to the Company Owners or accountants.
We hope that our users will take advantage of this new Security Center and Google Authenticator to secure their accounts. With this new feature we have the opportunity to put an end to the phishing and hacking endemic "pandemic" which has plagued Bitcoin since its inception.

Regards,
Mt.Gox Co. Ltd Team.

Media Contacts
press@mtgox.com

'endemic' is usually used as an adjective to mean 'restricted or peculiar to a locality or region '

Unless you specifically mean to imply that phishing and hacking are phenomena which are peculiar to the Bitcoin ecosystem, this is an unfortunate wording.
Heck.. it's unfortunate even if you do mean that.

I think the word should be epidemic.

Hey it's about time this happened. I hope everyone starts using it, although I kind of doubt that they will.

Google Auth.  Sweet.  I will be enabling NOW.

On edit a couple of suggestions:
The terms "security center" and "extra security" are used interchangeably.  Seems like you need a name change and didn't update all the text?

When adding a Google Auth the term "secret" isn't exactly clear.  Something like "confirm current authentication code" or some kind of popup or info tag might help.  Or maybe I am just stupid without my morning coffee.

A well deserved Thank you for enabling a universal solution.  I have no need or desire to use yubikey as it is a single site solution.  Worse I usually access bitcoin exchange via remote desktop session which doesn't play nice with yubikey.  Google Auth allows me cellphone to authenticate multiple sites and it is always with me and it is itself protected by a strong login.

Lastly I love the idea of only "locking down" withdrawals.  Awesome idea.

+1 Very nice job Gox

Good job MtGox

You guys really are the frontrunners in security  :)

Thanks for your comments, we will check what can be don on the wording.

I'm trying to add a google authenticator to my account, but when I try to enter my private key into my phone the google app says that 8's and 9's are invalid characters.
 
edit: just to be sure... I'm supposed to be inputing the private key mt.gox generates into the google authenticator app in the field that says "enter your key" right? Thats how I'm interpreting it.

Do you have the same problem when scanning the QR Code?

Unfortunately my job requires that I not have phones capable of taking pictures. I have to type in the key manually.

edit: can anyone else test that for me? Maybe my phone is just plain stupid. See if you can input a 9 or 8 into the key field

You phone is not stupid, we found out what's going on and we are making some modification right now for you and people in your situation.

sweet! You guys rock. Next time I'm in Japan I'm going to bake you a cake

Mr Mt Gox,

Can I use a Yubikey I got directly from Yubico ? I know you can reprogram those things and the new ones have 2 configuration slots.

Please send an email to the support team for that.

Cheers

Should work now! Chose either one of the new 16Bit or 32 Bit Private Key

Alright! it works! Just attached my google authenticator to my account.

Why the option for 16bit or 32 bit keys? What's the purpose behind that?

Good question, our tech explained me the reason yesterday and I still have difficulty to still understand it, still some application will accept both and some only one... Your device is an Android Phone? iPhone?

Android, I used the 32 bit key.

I'm just saying because it may cause confusion

I have a question.  I have set up Google Authenticator for my Mt. Gox account on my Droid.  What happens if my phone is lost, stolen, breaks, or dies?  Am I locked out of my account?  If I set G.A. for withdrawls and Security Center only, and my phone is lost, stolen, etc., how can I make withdrawls?

I think you will need to provide with some information about your account IE: username, withdraw option, latest deposit..
But I would try not to loose it lol

One option (works for any google auth site) is to print out the QR code before enrolling your phone.  If you lose your phone and have the paper QR code backup you can just enroll another phone.  Make sure to keep the paper safe it essentially IS the 2nd factor.  Anyone with that QR code can generate the correct authentication number.

Great answer! Thanks D&T :)

Love my Yubikey

Thanks MtGox