I concur that 2-factor authentication is a good idea, but there are a couple of problems. First, RSA SecureID keys (the "dongles" that an earlier poster mentioned) have been compromised recently. It's all over the news, and network security forums and mailing lists. I would not trust RSA as a factor until they've figured out what happened, how it happened, and taken measures to prevent a reoccurrence. Cell phones via text messages also have an issue -- some of us block texting on our phones because of spam. In the US, we pay per message sent OR RECEIVED. Verizon Wireless (the least nasty/best quality of the major US cell carriers) will credit your account with 10 cents when they remove a text spam, but they won't reverse the "hit" on your messaging allowance and you have to call them and wade through their phone tree EVERY FRICKING TIME YOU GET SPAMMED. :/ IMHO we need something better than either of these things for 2-factor authentication to be ready for prime time.
2-factor authentication also doesn't fix the real issue: not taking Bitcoin seriously enough. Any site that manages trading in Bitcoins (rather than using bitcoins as currency to trade in something else), conversion between bitcoins and other kinds of currency, or that hosts bitcoin wallets (accounts) needs to be AT LEAST AS SECURE as a bank or other financial institution web site. I'm a technical writer who works for a company that provides security for bank web sites and other web sites that handle highly sensitive private information. Most of these web sites have undergone multiple security audits, are carefully and professionally coded by software engineers who know how to block injected SQL from web forms, cross-site scripts, and cross-site request forgeries. They also sit behind sophisticated firewalls that look for and block these sorts of things.
None of this means that they can't be compromised; malware with a keylogger can still steal your logon and password credentials. However, the last time I heard of a bank site that had its entire user list with encrypted passwords stolen was years ago. Even the recent Citibank theft wasn't a compromise of this type or magnitude.
Mt. Gox simply wasn't up to the standard needed for a bank, payment processor, or any institution whose primary purpose is handling other people's money. I'm not saying this lightly or to yell at Mt. Gox. Frankly, I think that they were no more guilty of treating bitcoin security cavalierly than the people who wrote the local wallet program that I use. (Otherwise, the wallet would be encrypted by the program.) Further, they notified their users and are doing the right thing now. I wish them luck rebuilding on a better security foundation this time. I'm also not convinced that other web sites used for Bitcoin trading don't have similar flaws. :/ So I will move *very* slowly and carefully when I start trading.
Fair point. You're probably right, the core of the problem is that Bitcoin isn't taken seriously enough, and I agree that that is what really needs to be resolved. I just hope that multiple-step verification could serve as a stepping stone to get some easily implemented security fast, and then the good
Bitcoin websites should get their penetration testing and the like done.
I didn't know about the RSA key break-in; I don't use one myself, but that certainly seems to detract from the stability of that idea. One other way to provide a verification code is a mobile app, which won't cost anything except data if you pay for it, which even so would be minimal. I think that people just want a more secure Bitcoin market now, and maybe this could help.