Bitcoin Forum

Economy => Trading Discussion => Topic started by: csshih on July 06, 2011, 01:21:45 AM



Title: Mtgox's 2 Factor Authentication: Yubikeys
Post by: csshih on July 06, 2011, 01:21:45 AM
Hey All,

I just wanted to post some pictures of the Yubikey I got from Mtgox - Mark is currently running a beta test to ~50 people to work out the bugs.

http://www.incoherentphotography.com/uploads/SS-2011-07-05_17.56.02.jpg

the QR code and serial are obfuscated for security purposes ;)

http://www.incoherentphotography.com/uploads/SS-2011-07-05_17.57.58.jpg

purchasers will get a nice Mtgox lasered one, I believe.

sorry about the image, my camera is out for repair.

http://www.incoherentphotography.com/uploads/SS-2011-07-05_17.59.55.jpg

The yubikey is recognized as a USB input device. All I have to do is touch the contact (the glowing part) and it'll enter in a code, and press enter.

If you have yubikeys enabled on your account, you are greeted with this message AFTER you log in with your username and password.
http://www.incoherentphotography.com/uploads/SS-2011-07-05_18.01.54.jpg

I was able to log in using nothing in the yubikey authentication box until I used the yubikey for the first time. Pressing only enter would kick me back to the log-in screen (I would have to enter in username and password again)

What I observed:
1. Keys cannot be used twice
2. If I generate many keys, I can use them all if used in order of generation. If I use the last key generated, all previous keys become invalid.
3. I'm not sure when the keys expire after generation.

More to come as I poke around more.

Edit: Oh yeah, Mtgox will be selling them for 29.99 shipped. BTC accepted, of course. ;)


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: Superform on July 06, 2011, 03:16:42 PM
can't wait.. mt gox really is lifting its game


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: datguywhowanders on July 06, 2011, 05:05:10 PM
Very interesting. Thanks for the post and please keep us informed as you run it through initial tests.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: cypherdoc on July 06, 2011, 05:41:40 PM
yes, i installed mine yesterday and it works as you described.  i'll add that Mark said yesterday that Withdrawal will be added shortly.

when you speak of "keys", do u mean the series of letters entered into the OTP box by the Yubikey?  how do you know how many of them there are?  i also noted they're just alpha and was surprised it didn't generate numerics in the password as well.

what's the purpose of the QR code?

i don't understand what you mean by the following.  can u expound on each of them please?:

"1. Keys cannot be used twice
2. If I generate many keys, I can use them all if used in order of generation. If I use the last key generated, all previous keys become invalid.
3. I'm not sure when the keys expire after generation."


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: Jine on July 06, 2011, 11:12:23 PM
Funny! :) I actually ordered a YubiKey myself just a couple of days ago - arrived today.
We're implementing it at Bitcoins.lc as we speak.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: MagicalTux on July 07, 2011, 12:17:22 AM
yes, i installed mine yesterday and it works as you described.  i'll add that Mark said yesterday that Withdrawal will be added shortly.

when you speak of "keys", do u mean the series of letters entered into the OTP box by the Yubikey?  how do you know how many of them there are?  i also noted they're just alpha and was surprised it didn't generate numerics in the password as well.

what's the purpose of the QR code?

i don't understand what you mean by the following.  can u expound on each of them please?:

"1. Keys cannot be used twice
2. If I generate many keys, I can use them all if used in order of generation. If I use the last key generated, all previous keys become invalid.
3. I'm not sure when the keys expire after generation."

The code input is made of letters only, and only some letters to be keymap-independent (this way even if your computer is configured for azerty or qwerty, it'll work fine). The string is in fact hexadecimal (yubico calls this "modhex", modified hexadecimal) and is a 22-byte string made of 6 fixed bytes, and 16 bytes which are various pieces of information encrypted with AES128.

The auth server has a copy of the 128-bit key used on the yubikey, and will try to decrypt the string. It'll then check counters in there and will only accept the code if its counter is higher than the last seen code.

It means:
  • A code cannot be used more than once
  • Only a code more recent than the latest used code can be used
  • A code will not expire in terms of time, but only if a more recent code is used on the site
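
As an added example (not part of the thread, and not Mt. Gox's or Yubico's code), the check described in the post above can be written out in Python: decode the modhex string, split off the 6 fixed bytes, and accept a decrypted block only if its counter is higher than the last one seen. The field layout and CRC follow Yubico's published OTP format; the AES-128 decryption between `split_otp` and `accept` is left out because Python's standard library has no AES, so `make_plain` builds constructed plaintext blocks, and `Validator`, `split_otp`, `parse_plain` and `make_plain` are names chosen for this example.

```python
import struct

MODHEX, HEX = "cbdefghijklnrtuv", "0123456789abcdef"

def modhex_decode(s):
    """Modhex is hex spelled with 16 letters chosen to be keymap-independent."""
    s = s.strip().lower()
    if set(s) - set(MODHEX):
        raise ValueError("not a modhex string")
    return bytes.fromhex(s.translate(str.maketrans(MODHEX, HEX)))

def split_otp(otp):
    raw = modhex_decode(otp)
    if len(raw) != 22:
        raise ValueError("expected 44 modhex characters (22 bytes)")
    return raw[:6], raw[6:]  # 6 fixed bytes, 16-byte AES-128 block

def crc16(data):
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_plain(block):
    """Parse the 16-byte block as it looks after AES decryption (not shown)."""
    # private uid, usage counter, timestamp lo/hi, session counter, random, crc
    uid, use_ctr, _lo, _hi, sess_ctr, _rnd, crc = struct.unpack("<6sHHBBHH", block)
    if crc != crc16(block[:14]) ^ 0xFFFF:
        raise ValueError("bad CRC: wrong key or corrupted code")
    return uid, (use_ctr, sess_ctr)

class Validator:
    """Per-token server state: the expected private uid and the last counter seen."""
    def __init__(self, uid):
        self.uid, self.last = uid, (-1, -1)
    def accept(self, block):
        try:
            uid, counter = parse_plain(block)
        except (ValueError, struct.error):
            return False
        if uid != self.uid or counter <= self.last:
            return False  # unknown token, replayed code, or older than last used
        self.last = counter
        return True

def make_plain(uid, use_ctr, sess_ctr):
    # Constructed sample plaintext; a real token encrypts this block with AES-128.
    body = struct.pack("<6sHHBBH", uid, use_ctr, 0, 0, sess_ctr, 0)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)
```

Accepting the third generated code before the second reproduces the behaviour observed in the opening post: the skipped code is rejected afterwards, while an unused code never expires on its own.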


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: Jine on July 07, 2011, 01:04:31 AM
A question to you MT - are you using your own key/validationserver?
I've gotten a couple of questions if it's possible to use the same key for both Bit LC and MTGox - and it all depends on if you're using yubicloud or not.

In either way - the MTGox-keys are based upon YubiKey 2.2 if i see correctly - which supports double identities - so it should not be an issue anyway.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: TheMartin on July 07, 2011, 03:52:27 AM
Thanks for the info:

If you have yubikeys enabled on your account, you are greeted with this message AFTER you log in with your username and password.
http://www.incoherentphotography.com/uploads/SS-2011-07-05_18.01.54.jpg

Will this yubikey be used for login only or to authenticate orders too?

I think only the latter would be safe when doing a BTC withdraw for example on a corrupted PC



Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: danf on July 07, 2011, 07:59:10 PM
A question to you MT - are you using your own key/validationserver?
I've gotten a couple of questions if it's possible to use the same key for both Bit LC and MTGox - and it all depends on if you're using yubicloud or not.

In either way - the MTGox-keys are based upon YubiKey 2.2 if i see correctly - which supports double identities - so it should not be an issue anyway.

Yubico replied to my tweet to Mt. Gox:

Quote
I think MtGox use their own validation server and not the YubiCloud. John.

You can see the tweet here (https://twitter.com/Yubico/status/88462229392998400).


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: MagicalTux on July 08, 2011, 12:04:27 AM
For information it is now possible to order the yubikeys on mtgox, after logging in.

We are currently evaluating the possibility of selling half-locked keys that would be usable with yubicloud, and with other yubikey-enabled websites, which may be less secure as a rogue site could use your login token to login on mtgox instead of validating it with yubicloud.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: Oldminer on July 08, 2011, 01:05:42 AM
Hey MT, is there a shipping fee for international buyers or is it included in the cost?


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: MagicalTux on July 08, 2011, 02:58:01 AM
Hey MT, is there a shipping fee for international buyers or is it included in the cost?

The shipping fee is included in the price for any destination. Depending on your country's customs you may have to pay a tax.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: JoelKatz on July 08, 2011, 03:03:04 AM
What scheme is Mt. Gox using? Are they using Yubikey's verification servers? Do they generate the key and burn it into the token themselves? Or can the user program the token?


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: error on July 08, 2011, 03:21:28 AM
This really needs a smartphone app. :)


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: haydent on July 08, 2011, 03:32:35 AM
Hey MT, is there a shipping fee for international buyers or is it included in the cost?

The shipping fee is included in the price for any destination. Depending on your country's customs you may have to pay a tax.

what happened to the offer to give these away you made on onlyonetv bitcoin show when your site was hacked. you said they would be free to peeps who had trades reversed, ie inconvenienced..


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: MKW2012 on July 08, 2011, 04:10:16 AM
This really needs a smartphone app. :)

Good idea.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: haydent on July 08, 2011, 05:33:20 AM
Hey MT, is there a shipping fee for international buyers or is it included in the cost?

The shipping fee is included in the price for any destination. Depending on your country's customs you may have to pay a tax.

what happened to the offer to give these away you made on onlyonetv bitcoin show when your site was hacked. you said they would be free to peeps who had trades reversed, ie inconvenienced..

i stand corrected, they are free if your account was affected like mine !

http://image.bayimg.com/bajgkaada.jpg


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: JoelKatz on July 08, 2011, 05:41:52 AM
This really needs a smartphone app. :)
If Gox lets you program your own Yubikey, you can do the same thing without a Yubikey. The algorithm is public and well-documented. It's basically just AES.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: Randall Flagg on July 09, 2011, 12:04:45 AM
Woah ! nice gift this is from MtGox !!!  Ordered mine, but bye bye anonymity ahah


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: MagicalTux on July 09, 2011, 06:16:12 AM
What scheme is Mt. Gox using? Are they using Yubikey's verification servers? Do they generate the key and burn it into the token themselves? Or can the user program the token?

We use our own AES keys (two random AES keys per user) and burn the tokens.

We will provide in the future an option to unlink a token and retrieve the keys & programming codes.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: drrussellshane on July 09, 2011, 06:24:34 AM
Hey MT, is there a shipping fee for international buyers or is it included in the cost?

The shipping fee is included in the price for any destination. Depending on your country's customs you may have to pay a tax.

what happened to the offer to give these away you made on onlyonetv bitcoin show when your site was hacked. you said they would be free to peeps who had trades reversed, ie inconvenienced..

i stand corrected, they are free if your account was affected like mine !

http://image.bayimg.com/bajgkaada.jpg


That's cool. I'm still locked out of my account!

:(



Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: csshih on July 09, 2011, 10:13:42 AM
hope that is fixed soon.

The only issue I have with my yubikey is that it keeps disappearing on my desk.  ::)


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: jasonk on July 09, 2011, 10:22:01 AM
hope that is fixed soon.

The only issue I have with my yubikey is that it keeps disappearing on my desk.  ::)

User error!  ;D


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: csshih on July 09, 2011, 10:23:34 AM
hope that is fixed soon.

The only issue I have with my yubikey is that it keeps disappearing on my desk.  ::)

User error!  ;D

yes, "ID 10 T" error here.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: error on July 09, 2011, 06:28:03 PM
I had nothing to do with it!


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: haydent on July 10, 2011, 12:07:15 AM
What scheme is Mt. Gox using? Are they using Yubikey's verification servers? Do they generate the key and burn it into the token themselves? Or can the user program the token?

We use our own AES keys (two random AES keys per user) and burn the tokens.

We will provide in the future an option to unlink a token and retrieve the keys & programming codes.

sounds good.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: csshih on July 10, 2011, 11:52:54 AM
I had nothing to do with it!

http://www.incoherentphotography.com/uploads/SS-2011-07-10_04.52.10.jpg


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: Reckman on July 11, 2011, 04:53:59 PM
Will the trading api still work if your account has a yubikey associated with it?


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: MagicalTux on July 11, 2011, 10:20:05 PM
Will the trading api still work if your account has a yubikey associated with it?

Yep, except for withdraw. Once things are set up (this week) you'll be able to generate API keys for your account and define rights for each key, and stop using your login/pass to access the API.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: phelix on January 08, 2012, 10:32:46 AM
you might want to change your process such that you enable the yubikey login only after ensuring that the key arrived and the user got hold of it. I would suggest to make a yubikey entry from a logged in user necessary to activate yubikey authorization.

otherwise you will lock out customers with slow snail mail... 

at least waiting only two days until lock down is way short ::)   


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: rjk on January 08, 2012, 12:10:50 PM
you might want to change your process such that you enable the yubikey login only after ensuring that the key arrived and the user got hold of it. I would suggest to make a yubikey entry from a logged in user necessary to activate yubikey authorization.

otherwise you will lock out customers with slow snail mail... 

at least waiting only two days until lock down is way short ::)   
They already do this... Until you get your Yubikey and use it for the first time, just hit enter at the Yubikey prompt to bypass it.


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: phelix on January 08, 2012, 02:17:54 PM
you might want to change your process such that you enable the yubikey login only after ensuring that the key arrived and the user got hold of it. I would suggest to make a yubikey entry from a logged in user necessary to activate yubikey authorization.

otherwise you will lock out customers with slow snail mail... 

at least waiting only two days until lock down is way short ::)   
They already do this... Until you get your Yubikey and use it for the first time, just hit enter at the Yubikey prompt to bypass it.

sweet it works just fine  ;D  thanks!

would have been nice to know up front, though - rtfm? no answer from gox for 40 hours  ???

good thing I did not sell anything...


Title: Re: Mtgox's 2 Factor Authentication: Yubikeys
Post by: rjk on January 08, 2012, 02:25:54 PM
you might want to change your process such that you enable the yubikey login only after ensuring that the key arrived and the user got hold of it. I would suggest to make a yubikey entry from a logged in user necessary to activate yubikey authorization.

otherwise you will lock out customers with slow snail mail... 

at least waiting only two days until lock down is way short ::)   
They already do this... Until you get your Yubikey and use it for the first time, just hit enter at the Yubikey prompt to bypass it.

sweet it works just fine  ;D  thanks!

would have been nice to know up front, though - rtfm? no answer from gox for 40 hours  ???

good thing I did not sell anything...
On the old website, I think there was a message clearly visible, but I don't think this is the case on the new site.