Bitcoin Forum

Bitcoin => Project Development => Topic started by: Bitcoin Oz on July 12, 2012, 02:47:29 AM



Title: 2 factor auth for the bitcoin client ?
Post by: Bitcoin Oz on July 12, 2012, 02:47:29 AM
I searched for this but couldn't find it. I'm in the habit of setting up 2-factor auth on any bitcoin service that I use and was wondering if this is something the bitcoin client itself would ever support?

I think this one feature would cut down a lot of theft, and if your wallet required it, even if a hacker got your wallet they would still need your 2-factor device to use it. It might save a lot of lost coins.


Title: Re: 2 factor auth for the bitcoin client ?
Post by: Stephen Gornick on July 12, 2012, 03:54:20 AM
I think this one feature would cut down a lot of theft, and if your wallet required it, even if a hacker got your wallet they would still need your 2-factor device to use it. It might save a lot of lost coins.

http://thejeshgn.com/blog/wp-content/uploads/2012/06/g2fa.jpg

 - http://thejeshgn.com/2012/06/11/pyg2fa-python-library-google-authenticator-with-web-app/

One-time passwords (OTP) are useful for protecting against replay attacks, such as what might occur on a compromised system that has a malware keylogger.

But to support this, the Bitcoin.org client would need to know the key. If that key were stored on the filesystem or in the database, it would need to be stored unencrypted. So if the attacker has access to the database, then the attacker has access to the key. If the key weren't stored, and instead the user were prompted for the key, that would be something vulnerable to a replay attack. So you really don't get much benefit from adding OTP to the Bitcoin.org client.

Now, a Yubikey can still be useful with the Bitcoin.org client, though. Although this has nothing to do with two-factor authentication, I see the Yubikey also supports a static password capability. So if I understand Yubikey's documentation correctly, you could use the Yubikey in this static password mode when using the Bitcoin.org client's wallet encryption. You simply have the Yubikey provide the passphrase used to encrypt the keys and then use the Yubikey each time the client asks for the passphrase (e.g., to add a new address or to send a payment). I see the Yubikey supports dual mode capability, meaning you can use it for both a TOTP purpose and for a static password purpose as well. I don't know if the Yubikeys from Mt. Gox still have this capability, as those are modified Yubikeys.
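
As an added example, not code from this thread or from the Bitcoin client, here is a minimal RFC 6238 TOTP generator and verifier in Python that makes Stephen's argument concrete: the seed a client would have to store in order to check codes is all that is needed to produce them, so a copy of the wallet's data is a copy of the second factor. The seed below is the RFC test-vector secret, used here as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed by the current 30-second time window."""
    return hotp(secret_b32, unix_time // step, digits)


def verify(secret_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code from the current window or its neighbours (clock skew tolerance)."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * 30), candidate)
        for d in range(-window, window + 1)
    )


# Constructed sample seed (the RFC 4226/6238 test-vector secret, base32-encoded).
# A local client that verifies codes must keep this seed readable; it cannot be
# hashed or encrypted away, because verify() needs the raw bytes every time.
STORED_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def seed_alone_yields_valid_code(seed_b32: str, unix_time: int) -> bool:
    """Whoever can read the stored seed can mint the code the client will accept,
    without touching the phone or token that is supposed to be the second factor."""
    minted = totp(seed_b32, unix_time)
    return verify(seed_b32, minted, unix_time)
```

The contrast with Stephen's Yubikey suggestion is that a static passphrase used for wallet encryption never has to be stored by the client at all, so the wallet file alone is not enough.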


Title: Re: 2 factor auth for the bitcoin client ?
Post by: Meni Rosenfeld on July 12, 2012, 03:58:39 AM
This will be possible eventually using multi-signature transactions.


Title: Re: 2 factor auth for the bitcoin client ?
Post by: Bitcoin Oz on July 12, 2012, 06:00:42 AM
I think this one feature would cut down a lot of theft, and if your wallet required it, even if a hacker got your wallet they would still need your 2-factor device to use it. It might save a lot of lost coins.

http://thejeshgn.com/blog/wp-content/uploads/2012/06/g2fa.jpg

 - http://thejeshgn.com/2012/06/11/pyg2fa-python-library-google-authenticator-with-web-app/

One-time passwords (OTP) are useful for protecting against replay attacks, such as what might occur on a compromised system that has a malware keylogger.

But to support this, the Bitcoin.org client would need to know the key. If that key were stored on the filesystem or in the database, it would need to be stored unencrypted. So if the attacker has access to the database, then the attacker has access to the key. If the key weren't stored, and instead the user were prompted for the key, that would be something vulnerable to a replay attack. So you really don't get much benefit from adding OTP to the Bitcoin.org client.

Now, a Yubikey can still be useful with the Bitcoin.org client, though. Although this has nothing to do with two-factor authentication, I see the Yubikey also supports a static password capability. So if I understand Yubikey's documentation correctly, you could use the Yubikey in this static password mode when using the Bitcoin.org client's wallet encryption. You simply have the Yubikey provide the passphrase used to encrypt the keys and then use the Yubikey each time the client asks for the passphrase (e.g., to add a new address or to send a payment). I see the Yubikey supports dual mode capability, meaning you can use it for both a TOTP purpose and for a static password purpose as well. I don't know if the Yubikeys from Mt. Gox still have this capability, as those are modified Yubikeys.

Interesting way to do it.