Bitcoin Forum
Topic: 2 factor auth for the bitcoin client ? (Read 2633 times)
Bitcoin Oz
Hero Member
July 12, 2012, 02:47:29 AM
 #1

I searched for this but couldn't find it. I'm in the habit of setting up 2 factor auth on any bitcoin service that I use and was wondering if this is something the bitcoin client itself would ever support?

I think this one feature would cut down a lot of theft, and if your wallet required it, even if a hacker got your wallet they still need your 2 factor device to use it. It might save a lot of lost coins.

Stephen Gornick
Legendary
July 12, 2012, 03:54:20 AM
 #2

Quote from: Bitcoin Oz on July 12, 2012, 02:47:29 AM
> I think this one feature would cut down a lot of theft, and if your wallet required it, even if a hacker got your wallet they still need your 2 factor device to use it. It might save a lot of lost coins.



 - http://thejeshgn.com/2012/06/11/pyg2fa-python-library-google-authenticator-with-web-app/

One time passwords (OTP) are useful for protecting against replay attacks, such as what might occur on a compromised system that has a malware keylogger.

But to support this, the Bitcoin.org client would need to know the key. If that key were stored on the filesystem or in the database it would need to be stored unencrypted. So if the attacker has access to the database then the attacker has access to the key. If the key weren't stored, and instead the user were prompted for the key, that would be something vulnerable to a replay attack. So you really don't get much benefit from adding OTP to the Bitcoin.org client.

Now, a Yubikey can still be useful with the Bitcoin.org client though. Although this has nothing to do with two-factor authentication, I see the Yubikey also supports a static password capability. So if I understand Yubikey's documentation correctly, you could use the Yubikey in this static password mode when using the Bitcoin.org client's wallet encryption. You simply have Yubikey provide the passphrase used to encrypt the keys and then use the Yubikey each time the client asks for the passphrase (e.g., to add a new address or to send a payment). I see the Yubikey supports dual mode capability, meaning you can use it for both a TOTP purpose and for a static password purpose as well. I don't know if the Yubikeys from Mt. Gox still have this capability as those are modified Yubikeys.
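
The limitation described in the post above, as an added example that is not part of the original thread or of any Bitcoin client code: a standard TOTP check (RFC 4226 / RFC 6238) can only be performed by a verifier that holds the shared secret. The `DATA_DIR` layout and the `otp_secret` entry are hypothetical, and the secret is the RFC test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify(stored_secret: bytes, submitted: str, unix_time: int) -> bool:
    """A local verifier can only recompute the code from a secret it holds."""
    return hmac.compare_digest(totp(stored_secret, unix_time), submitted)


# Constructed sample data: SECRET is the RFC 4226 / RFC 6238 test key and
# DATA_DIR is a hypothetical layout, not the real client's files.
SECRET = b"12345678901234567890"
DATA_DIR = {"wallet.dat": b"<constructed placeholder>", "otp_secret": SECRET}


def demo(now: int = 59) -> dict:
    stored = DATA_DIR["otp_secret"]
    device_code = totp(SECRET, now)            # what the user's token displays
    copy_of_dir = dict(DATA_DIR)               # a copy of the data directory
    code_from_copy = totp(copy_of_dir["otp_secret"], now)
    return {
        # The legitimate user passes the check.
        "device_code_accepted": verify(stored, device_code, now),
        # So does anyone holding a copy of the directory: same secret, same code.
        "code_from_copy_accepted": verify(stored, code_from_copy, now),
        # What OTP does buy: a code captured earlier fails in the next step.
        "old_code_accepted_later": verify(stored, device_code, now + 30),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check adds protection only when the verifier's copy of the secret lives on a different system from the data it guards, as it does with a web service.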

Meni Rosenfeld
Donator
Legendary
July 12, 2012, 03:58:39 AM
 #3

This will be possible eventually using multi-signature transactions.

Bitcoin Oz
Hero Member
July 12, 2012, 06:00:42 AM
 #4

Quote from: Stephen Gornick on July 12, 2012, 03:54:20 AM
> Quote from: Bitcoin Oz on July 12, 2012, 02:47:29 AM
> > I think this one feature would cut down a lot of theft, and if your wallet required it, even if a hacker got your wallet they still need your 2 factor device to use it. It might save a lot of lost coins.
>
>  - http://thejeshgn.com/2012/06/11/pyg2fa-python-library-google-authenticator-with-web-app/
>
> One time passwords (OTP) are useful for protecting against replay attacks, such as what might occur on a compromised system that has a malware keylogger.
>
> But to support this, the Bitcoin.org client would need to know the key. If that key were stored on the filesystem or in the database it would need to be stored unencrypted. So if the attacker has access to the database then the attacker has access to the key. If the key weren't stored, and instead the user were prompted for the key, that would be something vulnerable to a replay attack. So you really don't get much benefit from adding OTP to the Bitcoin.org client.
>
> Now, a Yubikey can still be useful with the Bitcoin.org client though. Although this has nothing to do with two-factor authentication, I see the Yubikey also supports a static password capability. So if I understand Yubikey's documentation correctly, you could use the Yubikey in this static password mode when using the Bitcoin.org client's wallet encryption. You simply have Yubikey provide the passphrase used to encrypt the keys and then use the Yubikey each time the client asks for the passphrase (e.g., to add a new address or to send a payment). I see the Yubikey supports dual mode capability, meaning you can use it for both a TOTP purpose and for a static password purpose as well. I don't know if the Yubikeys from Mt. Gox still have this capability as those are modified Yubikeys.

Interesting way to do it.
