Bitcoin Forum
Author Topic: PSA Email is NOT 2FA on Blockchain.info learn how to secure Bitcoin properly!  (Read 2584 times)
HYPERfuture (OP)
November 28, 2014, 02:56:14 PM
Last edit: December 01, 2014, 04:24:11 PM by HYPERfuture
 #1

I've had enough of seeing people who have been hacked and lose coins on blockchain.info, so here is a guide for beginners to make your coins 100% secure and safe from hackers.

1.) Use a gmail account with google auth 2FA to sign up for your blockchain wallet.

2.) Buy a Yubikey (https://www.yubico.com/products/yubikey-hardware/yubikey-2/) and use this for 2FA to further secure your wallet at blockchain. You now have TRUE 2FA on both your wallet and the email account associated with the wallet. You can also recover the private keys to your blockchain wallet via email if you need to recover your wallet in future.

3.) Do NOT lose your Yubikey or your google auth code. Back up your google auth code; the Yubikey is virtually indestructible, so take it everywhere with you and keep it safe.

4.) Do not have too many coins on blockchain.info. They have very good security, but they may be internally hacked one day.

5.) For full security for beginners I recommend something like Trezor: https://www.bitcointrezor.com/

Do NOT use TOR, as rogue nodes may steal your information. This has happened many, many times to many different people!

Remember, email is NOT 2FA, as it is too easy for your email to become compromised. You MUST use TRUE 2FA; Yubikey at blockchain + google auth on email is a good combo. Even if you do get a keylogger on your PC your coins will be safe, but always scan for viruses often and use a professional antivirus suite like Kaspersky.

NOTE: You can also use SMS 2FA on blockchain.info instead of Yubikey, but I prefer Yubikey and, as some have mentioned below, SMS is not entirely secure.

DISCLAIMER: This guide is based on my understanding of these technologies only and I cannot make any guarantees. However, if you follow the steps above you will be MUCH MORE secure and protected from most vulnerabilities your average hacker will go for.

HYPER Gaming Currency -> https://bitcointalk.org/index.php?topic=624651 GP RPG Currency -> https://bitcointalk.org/index.php?topic=1053441 https://cryptogalaxies.com -> Blockchain Based Space Strategy MMO. Crypto Galaxies on Bitcointalk -> https://bitcointalk.org/index.php?topic=1374470
BitCoinDream
November 28, 2014, 09:52:26 PM
 #2

2FA is not the best way to secure your coins, especially if you are using SMS authentication.

Quote
Anyone using SMS based 2FA is just begging to have their BTC stolen; hackers can easily social engineer your telecom to forward your number.

Source: https://twitter.com/wiz/status/528806600941662209

anshar
November 29, 2014, 09:23:34 AM
 #3

Quote
2FA is not the best way to secure your coins, especially if you are using SMS authentication.

Quote
Anyone using SMS based 2FA is just begging to have their BTC stolen; hackers can easily social engineer your telecom to forward your number.

Source: https://twitter.com/wiz/status/528806600941662209

But they would need to know your number in the first place.

How is this possible? Do sites state your number?
BitCoinDream
November 29, 2014, 10:56:04 AM
 #4

Quote
But they would need to know your number in the first place.

How is this possible? Do sites state your number?

Social engineering is the way :)

Moonpig
November 29, 2014, 11:55:58 AM
 #5

Email is still 2-factor, though it is easier to compromise, but I would recommend using the SMS 2-factor if you can. Much safer.
HYPERfuture (OP)
November 29, 2014, 02:29:13 PM
 #6

Quote
Email is still 2-factor, though it is easier to compromise, but I would recommend using the SMS 2-factor if you can. Much safer.

You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

BitCoinDream
November 29, 2014, 02:39:19 PM
 #7

Quote
You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

So, it seems, neither email nor SMS is good for 2FA. Better don't use 2FA. Create an offline wallet for cold storage.

HYPERfuture (OP)
November 29, 2014, 03:03:00 PM
 #8

Quote
So, it seems, neither email nor SMS is good for 2FA. Better don't use 2FA. Create an offline wallet for cold storage.

Yes well that is why I recommend Yubikey in my guide.

1986
November 29, 2014, 03:03:37 PM
 #9

Quote
You cannot think of email as 2FA. All it takes is a keylogger or virus to get your password and bye bye Bitcoins. Never rely on email for so-called 2FA!

You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone, so it's safe and completely unlinked to my computer.
HYPERfuture (OP)
November 29, 2014, 03:55:34 PM
 #10

Quote
You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone, so it's safe and completely unlinked to my computer.

If your email has 2FA as well, like I recommend, then it is much more secure. However, email without 2FA doesn't provide an extra layer at all, as if someone has your email they can reset your wallet password. You should also have another form of 2FA (like Yubikey) on your online wallet as well. Then you have double 2FA and less chance of becoming the next horror story.

BitCoinDream
November 29, 2014, 03:59:05 PM
 #11

Quote
You can. It still provides an extra layer. Plus, my 2-factor email goes to an address I only check on my phone, so it's safe and completely unlinked to my computer.

Your phone is more secure than your computer because they are not linked? You must be a funny guy. Your security is just waiting to get broken... AMEN

HYPERfuture (OP)
November 29, 2014, 04:00:45 PM
 #12

Quote
Your phone is more secure than your computer because they are not linked? You must be a funny guy. Your security is just waiting to get broken... AMEN

This is why I like Yubikey and recommend it ;)

btchris
November 30, 2014, 01:20:19 AM
 #13

Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....
HYPERfuture (OP)
November 30, 2014, 02:51:46 AM
 #14

Quote
Not to put too fine a point on it, but blockchain.info doesn't support any (decent) 2FA.

Logon-only 2FA (such as supported by Blockchain.info) does help protect against online password brute-forcing attacks, but it does practically nothing to help protect against malware (e.g. keyloggers), which seem to be the more ominous threat.

Per-transaction 2FA (such as supported by GreenAddress.it and BitGo.com) means that each transaction that sends bitcoin out of your wallet must use a new 2FA code. This type of 2FA offers very effective protection against malware (although it's not necessarily perfect).

You should keep all this in mind when weighing your wallet options....


You have heard of Yubikey right? That protects against keyloggers and is used on blockchain. But as I say you should not store large amounts of coins on ANY online wallet.

Foxpup
November 30, 2014, 05:30:45 AM
 #15

Quote
Email still is 2-factor

It isn't. For reference, true two factor authentication means having any two of the following factors:

* What you know (usernames and passwords)
* What you have (mobile phone, security tokens)
* What you are (fingerprints, iris/retina patterns, etc)

Email access is always the first factor only, unless your email account itself uses 2FA. This is bad because the first factor is what is compromised by keyloggers (which is the whole reason for using 2FA in the first place). If you have a keylogger, your email is almost certainly compromised, and is thus useless as a form of authentication.

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
btchris
November 30, 2014, 06:47:08 AM
 #16

Quote
You have heard of Yubikey right? That protects against keyloggers and is used on blockchain. But as I say you should not store large amounts of coins on ANY online wallet.

Unfortunately, it's not that simple (and it's a bit misleading IMO).

When you log into Blockchain.info (even if you use good 2FA such as Yubikey), the private keys for your wallet are sent to your computer. This means that your computer (and any decent malware that's running on it) has access to those private keys, and can use them to relieve you of any funds.

By default, Blockchain.info doesn't save those private keys to disk (if you have 2FA enabled), and that does protect you against stupid malware, but it remains much less secure than per-transaction 2FA used by multisig wallets (where only a portion of the necessary key material is ever on your computer and available for malware to abuse).
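As an added illustration of the distinction btchris draws in this post and in #13 (logon-only 2FA versus per-transaction 2FA), and not code from the thread or from any wallet named in it: a stdlib-only Python model with an RFC 6238 TOTP generator (the scheme Google Authenticator implements) and two toy wallets. The shared secret, timestamp and balances are constructed, and the wallet classes are simplified models, not the real services' logic; the logon-only wallet checks a code once and then lets the session spend freely, while the per-transaction wallet refuses a code that is reused or comes from an earlier time window.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (what Google Authenticator shows): HOTP over the current 30 s window."""
    return hotp(secret, now // step)


class LogonOnlyWallet:
    """Toy logon-only 2FA: the code is checked once at login; the session then spends freely."""
    def __init__(self, secret: bytes, balance: int) -> None:
        self.secret, self.balance = secret, balance
        self.sessions = set()

    def login(self, code: str, now: int) -> "str | None":
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return None
        token = hashlib.sha256(f"{now}:{code}".encode()).hexdigest()  # constructed session id
        self.sessions.add(token)
        return token

    def send(self, token: str, amount: int) -> bool:
        if token not in self.sessions or amount > self.balance:
            return False
        self.balance -= amount  # no second check: whatever holds the session can spend
        return True


class PerTxWallet:
    """Toy per-transaction 2FA: every spend needs a code that is current and never reused."""
    def __init__(self, secret: bytes, balance: int, step: int = 30) -> None:
        self.secret, self.balance, self.step = secret, balance, step
        self.used_windows = set()

    def send(self, code: str, amount: int, now: int) -> bool:
        window = now // self.step
        if window in self.used_windows or amount > self.balance:
            return False  # a code from this window was already spent (replay), or insufficient funds
        if not hmac.compare_digest(code, totp(self.secret, now, self.step)):
            return False  # wrong code, or one captured in an earlier window
        self.used_windows.add(window)
        self.balance -= amount
        return True


def demo() -> tuple:
    """Reuse one captured code against both models; returns (logon balance, per-tx balance)."""
    secret = b"constructed-shared-secret"  # constructed, not a real authenticator seed
    t0 = 1_417_176_974                    # constructed timestamp, 28 Nov 2014
    code = totp(secret, t0)               # the one code the user typed
    logon = LogonOnlyWallet(secret, balance=100)
    session = logon.login(code, t0)
    logon.send(session, 40)               # the user's own spend
    logon.send(session, 60)               # any later spend by whoever holds the session
    pertx = PerTxWallet(secret, balance=100)
    pertx.send(code, 40, t0 + 5)          # fresh code in its window: accepted
    pertx.send(code, 60, t0 + 10)         # same code again: refused as a replay
    pertx.send(code, 60, t0 + 600)        # same code later: refused, window has moved on
    return logon.balance, pertx.balance
```

`demo()` returns `(0, 60)`: the logon-only model is drained by anything holding the session, while the per-transaction model loses only the amount the user authorised with a fresh code.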
wadili89
November 30, 2014, 07:15:30 AM
 #17

How does one back up a google auth code? I didn't see an easy way.

I use the IP lock along with other measures.

HYPERfuture (OP)
November 30, 2014, 02:15:51 PM
 #18

Quote
Unfortunately, it's not that simple (and it's a bit misleading IMO).

When you log into Blockchain.info (even if you use good 2FA such as Yubikey), the private keys for your wallet are sent to your computer. This means that your computer (and any decent malware that's running on it) has access to those private keys, and can use them to relieve you of any funds.

By default, Blockchain.info doesn't save those private keys to disk (if you have 2FA enabled), and that does protect you against stupid malware, but it remains much less secure than per-transaction 2FA used by multisig wallets (where only a portion of the necessary key material is ever on your computer and available for malware to abuse).

Ahh good to know. Thank you. Seems like Trezor is the way to go then.

btchris
November 30, 2014, 02:26:21 PM
 #19

Quote
How does one back up a google auth code? I didn't see an easy way.

I use the IP lock along with other measures.

See over here, in particular the posts by DeathAndTaxes and the ones that mention TitaniumBackup (root only).
fast2fix
November 30, 2014, 02:36:17 PM
 #20

Quote
How does one back up a google auth code? I didn't see an easy way.

I use the IP lock along with other measures.

Better use Authy as 2FA; you don't have to worry about backups.