MTGOX unlinking process still needs improvement

[thoughtcourier]

Today, due to a bug with google auth, I lost my OTP (it was overwritten due to having the same name). The worst thing about this is that I was trying to move to an OTP that I had the app specific password for. Ironically, I was trying to prevent this exact issue from occurring:

If you lose your auth device, and you do not have a backup, you will be locked out for your account for two weeks and all limit orders will execute automatically

If there is some emergency process I could use for reauthentication, please let me/forums know.

Live chat conversation below:

MTGOXREP:
Hi there. How can I help today?
MTGOXREP: has joined the room
ME:
I accidentally locked out by overwriting my two factor auth device
ME:
I would not like to wait 2 weeks to unlink it, but that is sorta okay if there is really no way around it
ME:
but what about my pending orders?
MTGOXREP:
Please hold for a moment
ME:
ticket #XXXXX, thank you
MTGOXREP:
On checking the OTP unlink process is in process and the pending orders will be left open ,if there is a nearest sell order it will be executed
ME:
but I really would not like any of my orders to be execute
ME:
I'm locked out
ME:
executed*
ME:
I was trying to make it so I could restore my code if I lost it, and it just made things worse because of a bug with google auth.
MTGOXREP:
Sorry that you will be able to login only after the unlink process is complete
MTGOXREP:
As informed by XXXXX you could have cancelled the pending orders and then requested for unlink
MTGOXREP:
so you will have to wait until the OTP is unlinked to login normally
ME:
How does that make sense? work me through that workflow
ME:
I can't get in because I don't have OTP
ME:
how on earth would I cancel orders?
ME:
Suppose I canceled unlink now. How do I cancel my orders?
MTGOXREP:
Sorry as we will not be able to do manully and as you do not have OTP either even if the OTP unlink is stopped you will have to login with OTP as its linked with your account
ME:
This is the part that is not okay for me!
MTGOXREP:
We are unable to manully cancel as we will have to wait until the OTP is unlinked
ME:
I have Skype minutes, is there any way I can confirm my information with someone at mtgox? I cannot just let orders stand for two weeks while conditions change
MTGOXREP:
The orders will be executed when there is a nearest sell order automatically as you have funds in currency wallet
MTGOXREP:
it will be executed
ME:
Yes. I do not want them to be executed!
ME:
Is there no way to re-authenticate that I am the account owner? At least enough for you to cancel my orders?
MTGOXREP:
We are sorry as this process takes 2 weeks and unfortunately we are unable to do it manually
ME:
There is no emergency authentication process?
MTGOXREP:
Sorry there is no emergency authentication process
ME:
Well, thank you for your time, but this does not satisfy me and I may be bothering other people until something acceptable happens.
MTGOXREP:
Sorry that we do understand but as the process of unlink takes time we are unable to modify anything at this moment as its pre-defined

[catcow]

this is why i print out the qr code

[thoughtcourier]

this is why i print out the qr code

I realized the danger I was in if I ever lost my phone... and promptly stepped into it.
x.x

[zero3112]

I really don't believe them, how can they not have access to your account when its on there server and its there website.  I would think they would have all the private keys for everyone's bitcoins.

[samson]

You should always make a note of the keys when setting up an OTP like this.

However MtGox should be able to fix this problem, other exchanges can.

I know for a fact they do this on Bitcoin Central and have you back in the same day. They do a manual identification based on your pre submitted ID and just remove the OTP protection from your account.

This is another thing that's wrong with MtGox.

[John (John K.)]

If there's an easy way to unlink the OTP, I would be more concerned instead.

[thoughtcourier]

This seems more like an obstructive way to unlink an OTP more than a secure way. It resembles security theater to me.

If someone had my e-mail password (assuming I don't OTP to my e-mail, which I do), they would initiate the process, delete the e-mails, wait 2 weeks, and hope I don't catch on. It might work too, as I used to log onto gox only monthly to deposit bitcoins.

A phone call verifying non-public information would be much safer. Something safe and convenient would be to do a video call where I show I look exactly like my photo IDs and am in possession of them. It would be much harder to steal an account this way.

[thoughtcourier]

An update on this: The process seems automated and the account was unlocked 2 weeks after unlinking. The e-mail was sent exactly 24 hours before the unlinking to give me the best chance of resecuring my account before someone else got in. However, this fiasco is still not over...

After getting access to my account, I promptly went in there and locked myself out again. /sigh.

Apparently there is a bug and I am speculating as to what it is. I am guessing that the unlinking code does not delete the old 2FA and it's kept around and bound to another UI element. I suspect this because if you select "software authenticator" as what you want to relink with (It's usually not a selectable option, you have to pick an actual OTP), none of the OTPs which I created worked. Should have pulled up https://bitcointalk.org/index.php?topic=111943.0 and stepped through it instead of assuming I could fill out the page by myself. What a nightmare. If they don't fix this for me I'll be locked out for a month.