Bitcoin Forum
December 08, 2016, 12:20:55 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: [RFC] 2-factor auth for exchanges  (Read 2363 times)
M4v3R
Hero Member
*****
Offline Offline

Activity: 607



View Profile
June 21, 2011, 07:15:43 AM
 #1

In the light of recent events, I'd like to ressurect an idea I had a while ago to make BitMarket.eu even more secure - optional 2-factor auth. I was inspired by Google while thinking about this, because they implemented this with their Google accounts and I use it on a daily basis. And it works great. For those who don't know how Google's implementation work:

- First of all, this is all optional. You are not forced to use 2-step auth.
- When you enable 2-step auth, you have to authorize a device (your phone with special app on it) to use it
- Then, when you decide to log in, the device acts like a token (think SecureID from RSA) that gives you tokens valid for 30 seconds
- So to log in, you have to use BOTH your account password and a token from your authorized device
- There is a fallback mechanism for this - a list of one time passwords that you can print and hide somewhere safe. These will let you log in to your account and make some changes, should you lose or destroy your phone

So I'd like to ask you guys, what do you think of this? I'd like to mimic what Google does, with one exception - I don't want to make a native iOS/Android application, because it would take much time (and I don't own Android devices for testing it). Instead, I'd like to make a web application using HTML5 Local Storage, or even better, something like this to store the token seed. This way it could be platform independent and work for many more users.

I understand that this all could seem difficult and troublesome, but I guess for someone that has more than 10 Bitcoin on my (or your) website, this should be a must to protect his/her wealth.

Oh, and last thing. I am willing to do this work and open source it so every exchange/service can use it to make their website more secure.
1481199655
Hero Member
*
Offline Offline

Posts: 1481199655

View Profile Personal Message (Offline)

Ignore
1481199655
Reply with quote  #2

1481199655
Report to moderator
1481199655
Hero Member
*
Offline Offline

Posts: 1481199655

View Profile Personal Message (Offline)

Ignore
1481199655
Reply with quote  #2

1481199655
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
sakkaku
Member
**
Offline Offline

Activity: 70



View Profile WWW
June 21, 2011, 08:38:17 AM
 #2

Implementing a sms/text code would be better IMO.  A lot of people don't have access to phones with web access, and those that aren't smart phones are lolwebstandards.

13NiQcetcioQj3YwHL1ZWvgQg8eAjkzUdt
Blog/Projects: zxlu.com | syn-multiminer
M4v3R
Hero Member
*****
Offline Offline

Activity: 607



View Profile
June 21, 2011, 09:56:05 AM
 #3

I agree that this would be better, but it would be expiensive too. It would require to charge our users for this which is something we want to avoid.
sakkaku
Member
**
Offline Offline

Activity: 70



View Profile WWW
June 21, 2011, 02:12:03 PM
 #4

You could also implement 2 factor via email.  So long as users are not dumb enough to use the same passwords on their email and the service it would be fairly strong.  Steam started using this.

Another thing to consider is not requiring it for every login.  You could store a long(er) term cookie that authorized that machine for the account, encrypted/hashed ip address + auth.  This could reduce infrastructure costs of any solution you choose.

There also seems to be a lot of 2 factor systems that support OATH (http://www.openauthentication.org/).  There were serveral apps that supported this in the apple app store from a cursory glance.  It is also supported by yubikey (http://www.yubico.com/yubikey).  

13NiQcetcioQj3YwHL1ZWvgQg8eAjkzUdt
Blog/Projects: zxlu.com | syn-multiminer
M4v3R
Hero Member
*****
Offline Offline

Activity: 607



View Profile
June 21, 2011, 03:32:21 PM
 #5

You could also implement 2 factor via email.  So long as users are not dumb enough to use the same passwords on their email and the service it would be fairly strong.  Steam started using this.

Another thing to consider is not requiring it for every login.  You could store a long(er) term cookie that authorized that machine for the account, encrypted/hashed ip address + auth.  This could reduce infrastructure costs of any solution you choose. 

At one point I have thought of this, but email proves to be not bulletproof on us lately. Some of the emails are marked as spam by some providers. So this could create more problems that it would solve. The solution for this would be a good service (SMTP server) for sending emails, with good, trusted SPF records and hopefully cheap. Anyone knows a service like that? Cheesy
Schleicher
Hero Member
*****
Offline Offline

Activity: 630



View Profile
June 21, 2011, 03:34:27 PM
 #6

You could also implement 2 factor via email.  So long as users are not dumb enough to use the same passwords on their email and the service it would be fairly strong.

Not really. If the computer is infected this wouldn't help at all.
You need additional hardware like a phone, a token or a card reader to be secure.
My bank for example is sending a text message to my phone when I want to make a transaction.
This message includes the transaction details and a one time code.

Bitcoin donations: 1H2BHSyuwLP9vqt2p3bK9G3mDJsAi7qChw
rebuilder
Legendary
*
Offline Offline

Activity: 1618



View Profile
June 21, 2011, 05:50:02 PM
 #7

Why complicate things with phones and apps? Just generate lists of single-use keypairs and let people print them out or store them in an encrypted container, whatever they want.

Selling out to advertisers shows you respect neither yourself nor the rest of us.
---------------------------------------------------------------
Too many low-quality posts? Mods not keeping things clean enough? Self-moderated threads let you keep signature spammers and trolls out!
M4v3R
Hero Member
*****
Offline Offline

Activity: 607



View Profile
June 21, 2011, 06:14:57 PM
 #8

@rebuilder: I had a thought about paper lists, but as a fallback mechanism. Printing them on-demand would create a vurnability of its own.
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
June 21, 2011, 06:22:13 PM
 #9


I'd like to mimic what Google does, with one exception - I don't want to make a native iOS/Android application, because it would take much time (and I don't own Android devices for testing it).

The Google Authenticator is available as a PAM module for use on unices.  I've been using it for SSH-authentication.  Works great with all programs that uses PAM — no need to code an Android app, as you can simply uses Google's (is there an app for iPhone?  I don't know…).

Cheers,

Klaus Alexander Seistrup
http://about.me/kseistrup
M4v3R
Hero Member
*****
Offline Offline

Activity: 607



View Profile
June 21, 2011, 06:26:13 PM
 #10

Wow, I've did know that. Will investigate this option! Yes, they provide iOS as well as Android clients. Do it fits.
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
June 21, 2011, 06:30:27 PM
 #11

Another possibility is GPG/PGP authentication, much the way we do it on the #bitcoin-otc IRC channel.  When you enable 2-factor auth on an exchange you could upload the pubkey you wish to use.  When you have to authenticate yourself you have to sign and upload a unique challenge string that the exchange creates for the session.

Cheers,

Klaus Alexander Seistrup
http://about.me/kseistrup
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
June 21, 2011, 06:34:50 PM
 #12

Link to “Two factor user authentication with Google Authenticator” HOWTO.

Klaus Alexander Seistrup
http://about.me/kseistrup
sakkaku
Member
**
Offline Offline

Activity: 70



View Profile WWW
June 21, 2011, 06:46:58 PM
 #13

OATH is the best beta IMO.  The google solution looks hacky.

iPhone clients (incl one that is open source).  There are others that support oath but they are tied into service providers that download profile information and aren't usable outside of their services.

Oath Token: http://code.google.com/p/oathtoken/
DS3 Oath

13NiQcetcioQj3YwHL1ZWvgQg8eAjkzUdt
Blog/Projects: zxlu.com | syn-multiminer
sakkaku
Member
**
Offline Offline

Activity: 70



View Profile WWW
June 21, 2011, 06:48:45 PM
 #14

Another possibility is GPG/PGP authentication, much the way we do it on the #bitcoin-otc IRC channel.  When you enable 2-factor auth on an exchange you could upload the pubkey you wish to use.  When you have to authenticate yourself you have to sign and upload a unique challenge string that the exchange creates for the session.

Cheers,

That sounds entirely complicated and doesn't meet the 2nd factor requirement.

13NiQcetcioQj3YwHL1ZWvgQg8eAjkzUdt
Blog/Projects: zxlu.com | syn-multiminer
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
June 21, 2011, 06:58:26 PM
 #15


Another possibility is GPG/PGP authentication, […]

That sounds entirely complicated and doesn't meet the 2nd factor requirement.

I never said it was simple, just that it is a possibility.

How come you think it doesn't meet “the 2nd factor requirement”?.  The steps I see are:

 1. First you log in using the usual username/password combo.
 2. Before you're let into the account, the exchange presents you with a unqiue token.
 3. You sign the token with the previously agreed on key.
 4. The exchange verifies the signature and the token.

Cheers,

Klaus Alexander Seistrup
http://about.me/kseistrup
sakkaku
Member
**
Offline Offline

Activity: 70



View Profile WWW
June 21, 2011, 06:59:52 PM
 #16


Another possibility is GPG/PGP authentication, […]

That sounds entirely complicated and doesn't meet the 2nd factor requirement.

I never said it was simple, just that it is a possibility.

How come you think it doesn't meet “the 2nd factor requirement”?.  The steps I see are:

 1. First you log in using the usual username/password combo.
 2. Before you're let into the account, the exchange presents you with a unqiue token.
 3. You sign the token with the previously agreed on key.
 4. The exchange verifies the signature and the token.

Cheers,

In a compromised machine the hacker has access to both factors (password + private key)

13NiQcetcioQj3YwHL1ZWvgQg8eAjkzUdt
Blog/Projects: zxlu.com | syn-multiminer
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
June 21, 2011, 07:03:57 PM
 #17


In a compromised machine the hacker has access to both factors (password + private key)

(I don't store passwords on disk, so a hacker wouldn't have access to my password.)

And if the hacker has your phone, he also pwns your OATH app == 2nd factor requirement not met, using your logic.

Cheers,

Klaus Alexander Seistrup
http://about.me/kseistrup
sakkaku
Member
**
Offline Offline

Activity: 70



View Profile WWW
June 21, 2011, 07:06:23 PM
 #18


In a compromised machine the hacker has access to both factors (password + private key)

(I don't store passwords on disk, so a hacker wouldn't have access to my password.)
http://en.wikipedia.org/wiki/Keystroke_logging

And if the hacker has your phone, he also pwns your OATH app == 2nd factor requirement not met, using your logic.
Then he has to get past a 3rd factor, my pin.

13NiQcetcioQj3YwHL1ZWvgQg8eAjkzUdt
Blog/Projects: zxlu.com | syn-multiminer
kseistrup
Hero Member
*****
Offline Offline

Activity: 565


Unselfish actions pay back better


View Profile WWW
June 21, 2011, 07:09:25 PM
 #19


And if the hacker has your phone, he also pwns your OATH app == 2nd factor requirement not met, using your logic.

Then he has to get past a 3rd factor, my pin.

Come on, dude.  My GPG private key is protected by a long passphrase that I haven't stored anywhere except in my brain circuits.  There's no way an intruder could sign a unique challenge with my private key (except threatening me physically to disclose it, but he could do the same with your PIN).

Cheers,

Klaus Alexander Seistrup
http://about.me/kseistrup
sakkaku
Member
**
Offline Offline

Activity: 70



View Profile WWW
June 21, 2011, 07:11:08 PM
 #20


And if the hacker has your phone, he also pwns your OATH app == 2nd factor requirement not met, using your logic.

Then he has to get past a 3rd factor, my pin.

Come on, dude.  My GPG private key is protected by a long passphrase that I haven't stored anywhere except in my brain circuits.  There's no way an intruder could sign a unique challenge with my private key (except threatening me physically to disclose it, but he could do the same with your PIN).

Cheers,

You are entering it with a keyboard no?  Then software can log it.  Given enough time and resources your solution falls if the hacker gains access to your machine.

13NiQcetcioQj3YwHL1ZWvgQg8eAjkzUdt
Blog/Projects: zxlu.com | syn-multiminer
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!