Bitcoin Forum

I've seen more movement in the space, and I wonder what is the most secure, or preferred two-factor solution for Bitcoin based accounts.

I suppose multi-sig transactions are a form of 2fa, would it be possible to make the process more fluid?

Would it be possible to actually use smart contracts with a two factor mechanism?

Do you trust Google 2fa or SMS based 2fa?

Do you think it's possible to create a more secure solution that is not centralized, or centralized is the way to go?

At the moment I use Google Authenticator. I think it's good enough.

However I would like to see a non-centralized solution.
For example having a BTC private key on the mobile, have the website or site generate a random text and signing it with the mobile.
Of course a modification would be required to keep the final signature short.

I don't trust 2-factor security for large transactions, because of the centralized service involved. Looking into multi-sig solutions ATM, maybe that's the future.

I recommend offline signage with Armory or Trezor!

2fa google one, should be your best choice

personally i like the one with the code, which work on older phone also

It depends on what you mean by 'decentralized'.  There is no need for an 2FA to be decentralized because it involves two parties (user & server) who can communicate directly.  I assume you mean without a third party.  Google authenticator is based on an open standard.  The app is simply a 'OTP calculator'.  It doesn't communicate with any third party server.  Likewise the website or service which is using google authenticator also doesn't need to use any third party service.  They have the same 'seed' and using the same open source algorithm can generate the same code to verify the code you provide is correct.

It would be nice if there was an open source equivelent for the mobile app.  Maybe one exists?  I am not sure.

"Decentralized" means for me "on the blockchain".
Someone has to verify my google authenticator code, that's the server involved here.

We're talking about 2FA to log-in to a server, right? And that same server is the one verifying whether our 2FA code is OK.
How could that be prevented? How can the server know if the code is OK without verifying it itself?

Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up the control over your precious bitcoins.

It seems we all agree here. We just need to know what exactly OP meant with this question, otherwise we're interpreting it differently.

You may be interested by this demo (http://vps90685.ovh.net:8081/).
It's a PoC for 2FA implemented with BitId (https://github.com/bitid/bitid) as a second factor (login/password as first factor).

Note that we could also have a schema in which all credentials are Bitid (and get rid of the login/password)

FreeOTP (which is OSS) is available for both Android and iOS: https://fedorahosted.org/freeotp/ (https://fedorahosted.org/freeotp/). I've been using it for a little less than a year now with no problems.

It is maintained by a Red Hat employee (I'm not clear if it's actually sponsored by Red Hat, not that it matters to me).

Don't know if this counts but the MOST secure would probably be address signing. Site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing everytime you want to login.

Yes that was my first suggestion. It's a hassle as things are now. But it could work with some changes. For example:

- User has the private key stored on the mobile on an app with QR Code scanning capabilities
- The website shows a QR Code with the user's username and date, plus a base URL (https://example.com/2fa/?session=sessionID&signature=)
- The user scans that QR Code with the app.
- The app signs the message (optionally asks for the password if the private key is encrypted) and calls the provided URL (https://example.com/2fa/?session=sessionID&signature=abcSignatureHere[/b])
- The website detects username posted his signature and let's the user log in

This is just a basic idea. But this way there would be no typing required, would be very fast and the actual private key would never be sent anywhere.

It's impossible to say what the "best" TFA is.... It's a part of a system where if one part breaks, the whole thing is for nothing... To label one "the best" without looking at the other pieces is impossible... Moreso because we only see closed solutions (closed source apps, closed source hardware, etc), so we can only guess as to how good the RNG's involved are...

This is what NameID (see my signature) does, although with Namecoin addresses instead of Bitcoin (since Namecoin gives a natural correspondence between "usernames" and addresses).

I didn't know about this. I will definitely check it. Thanks for sharing.
I know Namecoin makes sense because of the name part but probably it'd be worth implementing it with bitcoin so it's more popular.

Polling the community to see what people prefer to use for 2fa, I've been curious as to what the community thinks is their preferred solution, while there is no best persey, each situation is different just gauging what others think.

I actually just finished integrating Clef (https://getclef.com/) into one of my sites (https://CoinDaddy.io) to handle 2-factor authentications and it works great!

Previously I was using gauthify.com and paying like $25/mo for the service. The Clef service is 100% free for companies to use for login authentication... I think you only pay if you want some premium features. Also the fact that your able to register on a site, or login to a site simply by scanning the screen with your phone is way faster than typing out registration/login details. Not to mention the wave login page looks wicked cool... no more boring qrcodes or typing google authenticator codes.

The staff was also really friendly. I signed up as a developer and within a few minutes I had an email from a company staff member offering help with the integration, which only took a few minutes. They helped test the integration and have been nothing but highly professional.

If anyone is looking for some good/cheap/secure 2FA authentication for their website, I would highly suggest getclef.com

And no... this is not a paid shill account.. I just created this account a few minutes ago because I don't use this forum very often and can't remember the password to my old account. :)

J-Dog

CoinDaddy looks awesome Jdog

I've had plenty of trouble with phone-based 2FA. If it's offered I go with printed one time codes. An oldie but a goldie.

I got Authy with me, idk but it's good for me ;D
It can store many 2FA Accounts ;D

yubikey neo with yubico authenticator

2fa codes are stored on the token

I wonder how that works. Is the neo the one with bluetooth and is it communicating with the authenticator app on your smartphone? Is it time-based?

The NEO has both USB and NFC interface.
You can use Yubico Authenticator desktop version (Windows/Mac/Linux) or the Android app.
Both time-based (TOTP) and event-based (HOTP) are supported, but since all Yubikeys including NEO has no clock on it,
Yubico Authenticator has to send time data to the Yubikey in order to get TOTP back.