Bitcoin Forum
December 07, 2016, 04:35:19 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Proposal: Better authentication for online trading sites like MtGox  (Read 750 times)
Joise
Jr. Member
*
Offline Offline

Activity: 30


View Profile
June 19, 2011, 08:08:19 AM
 #1

I have read several messages stating that accounts at MtGox
became compromised.

While I can't verify them, I think it's a really Bad Idea to
link password recovery to email security by sending a recovery
password for a trading site to a mail account. Mail accounts are
checked most frequently and in all possible places. People are
apt to use weak passwords for mail. Login credentials
may be sniffed when using WiFi connections on mobile
devices. Computers of other people may be used where
keyloggers and trojans are already in place.
Once your mail account is stolen, your trading
account is compromised as well.

What I propose is to use PGP/GnuPG signatures for
re-authentication of accounts and mTAN for auhtentication of
transactions. That would work as follows:

1) First you need to generate a PGP key with your
favorite software. If you want good security,
you will move the keys to a SmartCard device, which
are sold by various non-governmental entities.

2) When you register to an online trader, you can
enter your PGP keyid and public key. You can also
check the fingerprint of the key you just did upload.
Password reset by email would be switched off.
The key will be bound to the tradings account so that
a new key can replace the exiting one only if it is
signed by it.

3) In case you lose your password, you enter your
user ID and key ID at a web form. The trading site
gives you an authentication phrase and asks you to sign
it with your secret PGP key.
When you upload the signed phrase, the signature
is verified and you can enter a new password.

4) A further, very important improvement would be
to use an adption of the well-established mTAN principle.
With this, you register the number of a mobile phone at your
trading account and sign it with your PGP key. Then, every
transaction will be authenticated that way that a five-digit code is
sent by SMS to your mobile device. Only after you enter
that code, the transaction is done. This is much
more secure than password-only authentication.

Advantages of GPG authentication:

- Does not rely on weak email security
- Does use existing infrastructure and well-established,
  thoroughly audited software
- Preserves anonymity, but would also fit nicely in
  GPG-based Webs of Trust
- Allows for two-factor authentication by Open Hardware
- Can be provided as an opt-in solution. People who
  don't care for more security don't have to use it.

Advantages of mTAN authentication for transactions:

- easy to use
- well-established in many places
- prevents theft by keyloggers

Joise
1481128519
Hero Member
*
Offline Offline

Posts: 1481128519

View Profile Personal Message (Offline)

Ignore
1481128519
Reply with quote  #2

1481128519
Report to moderator
1481128519
Hero Member
*
Offline Offline

Posts: 1481128519

View Profile Personal Message (Offline)

Ignore
1481128519
Reply with quote  #2

1481128519
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
willphase
Hero Member
*****
Offline Offline

Activity: 770


View Profile
June 19, 2011, 09:15:32 AM
 #2

Step 1 mtgox accepts openid
Step 2 create a google account with two factor authentication enabled
Step 3 profit

Will

hart
Newbie
*
Offline Offline

Activity: 14



View Profile WWW
June 19, 2011, 10:44:54 AM
 #3

Step 1 mtgox accepts openid

If only. =[

Michael Hart // Technology, Bitcoin Enthusiast
Donate: 1GnNjEyPftRr9kutQjATeQxAXzaRZrvyTg
TradeHill: https://www.tradehill.com/?r=TH-R16317
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!