rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
June 23, 2012, 07:04:04 PM |
|
Is there a way to use a yubikey with bitfloor?
Or google authenticator. I don't want to rely on my phone.
Google "JAuth". Works great for me.
java -jar jauth.jar -secret=INSERT_SECRET_HERE
or
java -jar jauth.jar secret.txt
|
|
|
|
bb113
|
|
June 23, 2012, 07:20:07 PM |
|
Is there a way to use a yubikey with bitfloor?
Or google authenticator. I don't want to rely on my phone.
Google "JAuth". Works great for me.
java -jar jauth.jar -secret=INSERT_SECRET_HERE
or
java -jar jauth.jar secret.txt
I actually haven't used authenticator yet and don't really understand how it works. Do I need to do that before using JAuth? I downloaded the windows installer from here to mess around with it: https://github.com/mclamp/JAuth/tree/master/Installers and it is asking me for "[my] one time key from the RC website"
|
|
|
|
rjk
|
|
June 23, 2012, 07:23:05 PM |
|
The one time key is provided to you when you sign up for a service such as GLBSE. It gets stored in your home directory in a file called jauth.rc.
What I do on Windows is create a file called glbse.secret and aws.secret or whatever, and paste the secret key in there. Then, create a shortcut that points to "jauth.exe glbse.secret", and it will load the secret from the file.
You can skip the part in the installer where it asks for a secret. You don't need a phone or Google at all to use it. Back up your secret, and keep it in a Truecrypt volume.
|
|
|
|
bb113
|
|
June 23, 2012, 07:26:57 PM |
|
The one time key is provided to you when you sign up for a service such as GLBSE. It gets stored in your home directory in a file called jauth.rc.
What I do on Windows is create a file called glbse.secret and aws.secret or whatever, and paste the secret key in there. Then, create a shortcut that points to "jauth.exe glbse.secret", and it will load the secret from the file.
You can skip the part in the installer where it asks for a secret. You don't need a phone or Google at all to use it. Back up your secret, and keep it in a Truecrypt volume.
And you do this on a different computer than you use to e.g. trade on bitfloor?
|
|
|
|
bb113
|
|
June 23, 2012, 07:28:15 PM |
|
Also, bitfloor appears to be down as well. I can't do anything but transfer funds around.
|
|
|
|
rjk
|
|
June 23, 2012, 07:29:51 PM |
|
And you do this on a different computer than you use to e.g. trade on bitfloor?
That would be the most secure way to do it, but not required.
|
|
|
|
genuise
|
|
June 23, 2012, 07:32:14 PM |
|
Also, bitfloor appears to be down as well. I can't do anything but transfer funds around.
Up for me
|
|
|
|
bb113
|
|
June 23, 2012, 07:39:49 PM |
|
Also, bitfloor appears to be down as well. I can't do anything but transfer funds around.
Up for me
I am still getting this. Restarted browser, logged out, etc. Also, can't place a limit order:
no such profile: order_gateway
or
Property 'detective' of object #<Object> is not a function
To rjk: I am somewhat confused as to what is going on with JAuth and the readme is not very helpful. Do you have a link to a good guide?
|
|
|
|
rjk
|
|
June 23, 2012, 07:50:05 PM |
|
To rjk: I am somewhat confused as to what is going on with JAuth and the readme is not very helpful. Do you have a link to a good guide?
No, I don't know of any good guides. JAuth is meant to be a drop-in replacement for Google Authenticator, so you have to use a service that uses GA. When you enable GA on such a service, it will give you a "secret" which is a string of random characters. You then use JAuth to generate a 6-digit PIN from that secret, which is also time-based. So they expire every 30 sec or so. Make sure your system's clock is correct.
|
|
|
|
bb113
|
|
June 23, 2012, 08:20:54 PM |
|
Home Directory//.JAuth.rc
sys.programGroupAllUsers$Boolean=true
secret=THIS-IS-A-DUMMY-SECRET
sys.programGroupDisabled$Boolean=false
sys.languageId=en
sys.programGroupName=JAuth OpenAuth Desktop Client
sys.installationDir=C\:\\Program Files\\JAuth
Ok so right now it is using some algorithm to generate those 6 digit pins from "THIS-IS-A-DUMMY-SECRET" and the current time rounded to the nearest 30 seconds?
So I can either change the text there or do what you recommend and open a file consisting of some secret string (key, whatever) using:
java -jar jauth.jar secret.txt
Or (same thing) create a shortcut pointing to:
"jauth.exe glbse.secret"
If I set up authenticator on bitfloor I will need to input my secret string. If I used google authenticator it would generate a secret string for me which I would then be telling bitfloor. Then when I log in bitfloor will ask me to generate a pin and input it, while at the same time generating one on their end. If these are the same I am able to log in.
Also, if I write down the secret provided by google authenticator I can simply input that into JAuth if I lose my phone, which will then generate the 6 digit pin that allows me to log in.
If I only use a computer, should I have the secret.txt file saved only in a truecrypt volume? It seems insecure to have it just out in the open.
|
|
|
|
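The time-based PIN scheme discussed in the two posts above (rjk's description of a 6-digit PIN derived from the secret and the clock, and bb113's summary of both sides computing it and comparing), as an added example that is not part of the original thread and is not JAuth's code. It follows RFC 6238 with HMAC-SHA1; the function names, the verification window of one step and the sample secret (the RFC test key, base32-encoded) are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (the "30 sec or so" in the thread)
DIGITS = 6     # PIN length

def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 over the 30-second step counter."""
    # Services usually display the secret as base32, often spaced and unpadded.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(unix_time) // STEP            # floor, not round-to-nearest
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, pin: str, server_time: float, window: int = 1) -> bool:
    """Server side: accept the PIN for the current step or `window` steps either way."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * STEP), pin)
        for i in range(-window, window + 1)
    )

# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 1111111109                            # fixed time taken from the RFC test vectors
    phone, desktop = totp(SECRET, now), totp(SECRET, now)
    print("phone:", phone, "desktop:", desktop)  # same secret + same clock -> same PIN
    print("accepted on time:", verify(SECRET, phone, now))
    print("accepted 20 s later:", verify(SECRET, phone, now + 20))
    print("accepted 5 min later:", verify(SECRET, phone, now + 300))
```

Nothing device-specific enters the computation, which is why a backed-up secret works on any client with a correct clock, and why anyone who copies the secret file can generate valid PINs.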
rjk
|
|
June 23, 2012, 08:47:57 PM |
|
Yeah I used GLBSE as an example because I wasn't sure whether bitfloor supported it. Depending on how you want the balance of usability and security to be, you could store it in Truecrypt. You would have to unlock the volume any time you wanted to use it though.
Generally, when you set up GA the website such as bitfloor would give you a secret string. You just create a blank text file and paste the secret in there, and then use the text file's name as the only argument to jauth.exe. For instance:
"C:\Program Files (x86)\JAuth\JAuth.exe" D:\TruecryptStuff\bitfloor.secret.txt
With that example, your truecrypt stuff is mounted at D:
The jauth.rc file is optional, and only used if you don't want to create a custom shortcut to launch with an argument. You could store the secret there, and then no other changes would need to be made.
|
|
|
|
bb113
|
|
June 23, 2012, 09:01:15 PM |
|
So there is a trade on gox and now bitfloor started working for me as well.
|
|
|
|
bb113
|
|
June 23, 2012, 09:06:31 PM |
|
Yeah I used GLBSE as an example because I wasn't sure whether bitfloor supported it. Depending on how you want the balance of usability and security to be, you could store it in Truecrypt. You would have to unlock the volume any time you wanted to use it though.
Generally, when you set up GA the website such as bitfloor would give you a secret string. You just create a blank text file and paste the secret in there, and then use the text file's name as the only argument to jauth.exe. For instance:
"C:\Program Files (x86)\JAuth\JAuth.exe" D:\TruecryptStuff\bitfloor.secret.txt
With that example, your truecrypt stuff is mounted at D:
The jauth.rc file is optional, and only used if you don't want to create a custom shortcut to launch with an argument. You could store the secret there, and then no other changes would need to be made.
Thanks for your help. One last thing I want to verify though:
Also, if I write down the secret provided by google authenticator I can simply input that into JAuth if I lose my phone, which will then generate the 6 digit pin that allows me to log in.
Is the above true?
|
|
|
|
rjk
|
|
June 23, 2012, 09:11:24 PM |
|
Thanks for your help. One last thing I want to verify though:
Also, if I write down the secret provided by google authenticator I can simply input that into JAuth if I lose my phone, which will then generate the 6 digit pin that allows me to log in.
Is the above true?
Yes. The secret is the key to it, and it theoretically should work across several devices and always generate a working OTP. Your clock must be correct since it is a time-based system.
|
|
|
|
bb113
|
|
June 23, 2012, 09:21:48 PM |
|
Thanks for your help. One last thing I want to verify though:
Also, if I write down the secret provided by google authenticator I can simply input that into JAuth if I lose my phone, which will then generate the 6 digit pin that allows me to log in.
Is the above true?
Yes. The secret is the key to it, and it theoretically should work across several devices and always generate a working OTP. Your clock must be correct since it is a time-based system.
Sounds good. So to bitfloor: What is the protocol for when I lose my phone and no longer trust my secret key? I like the yubikey because it can simply remain in a safe place.
|
|
|
|
ErebusBat
|
|
June 23, 2012, 09:23:13 PM |
|
Thanks for your help. One last thing I want to verify though:
Also, if I write down the secret provided by google authenticator I can simply input that into JAuth if I lose my phone, which will then generate the 6 digit pin that allows me to log in.
Is the above true?
Yes. The secret is the key to it, and it theoretically should work across several devices and always generate a working OTP. Your clock must be correct since it is a time-based system.
Sounds good. So to bitfloor: What is the protocol for when I lose my phone and no longer trust my secret key? I like the yubikey because it can simply remain in a safe place.
Right, because something that size can never get lost, so that isn't a problem with the yubikey
|
|
|
|
rjk
|
|
June 23, 2012, 09:25:11 PM |
|
Sounds good. So to bitfloor: What is the protocol for when I lose my phone and no longer trust my secret key? I like the yubikey because it can simply remain in a safe place.
I'm assuming you would just log in and disable 2FA, then re-enable it to generate a new OTP.
|
|
|
|
bb113
|
|
June 23, 2012, 09:26:21 PM |
|
Thanks for your help. One last thing I want to verify though:
Also, if I write down the secret provided by google authenticator I can simply input that into JAuth if I lose my phone, which will then generate the 6 digit pin that allows me to log in.
Is the above true?
Yes. The secret is the key to it, and it theoretically should work across several devices and always generate a working OTP. Your clock must be correct since it is a time-based system.
Sounds good. So to bitfloor: What is the protocol for when I lose my phone and no longer trust my secret key? I like the yubikey because it can simply remain in a safe place.
Right, because something that size can never get lost, so that isn't a problem with the yubikey
I don't travel with it... I have lost/destroyed a good number of phones in my time.
Sounds good. So to bitfloor: What is the protocol for when I lose my phone and no longer trust my secret key? I like the yubikey because it can simply remain in a safe place.
I'm assuming you would just log in and disable 2FA, then re-enable it to generate a new OTP.
From Bitfloor site:
You can setup two factor authentication for your account through Google Authenticator (free Android and iOS app). This provides a higher level of security for your account.
Note: Once two factor authentication has been activated, it will be required to access your account at all times.
|
|
|
|
rjk
|
|
June 23, 2012, 09:28:15 PM |
|
Sounds good. So to bitfloor: What is the protocol for when I lose my phone and no longer trust my secret key? I like the yubikey because it can simply remain in a safe place.
I'm assuming you would just log in and disable 2FA, then re-enable it to generate a new OTP.
From Bitfloor site:
You can setup two factor authentication for your account through Google Authenticator (free Android and iOS app). This provides a higher level of security for your account.
Note: Once two factor authentication has been activated, it will be required to access your account at all times.
Right, but if you have backed up the compromised secret, you could use it one last time to log in and disable 2FA. This assumes that disabling it is an option, of course.
|
|
|
|
bb113
|
|
June 23, 2012, 09:29:07 PM |
|
Sounds good. So to bitfloor: What is the protocol for when I lose my phone and no longer trust my secret key? I like the yubikey because it can simply remain in a safe place.
I'm assuming you would just log in and disable 2FA, then re-enable it to generate a new OTP.
From Bitfloor site:
You can setup two factor authentication for your account through Google Authenticator (free Android and iOS app). This provides a higher level of security for your account.
Note: Once two factor authentication has been activated, it will be required to access your account at all times.
Right, but if you have backed up the compromised secret, you could use it one last time to log in and disable 2FA. This assumes that disabling it is an option, of course.
Not sure.
|
|
|
|
|