CreationLayer (OP)
Member
Activity: 101
Merit: 10
March 12, 2015, 03:20:11 AM
I've seen more movement in the space, and I wonder what is the most secure, or preferred, two-factor solution for Bitcoin-based accounts.
I suppose multi-sig transactions are a form of 2FA; would it be possible to make the process more fluid?
Would it be possible to actually use smart contracts with a two-factor mechanism?
Do you trust Google 2FA or SMS-based 2FA?
Do you think it's possible to create a more secure solution that is not centralized, or is centralized the way to go?
EcuaMobi
Legendary
Activity: 1876
Merit: 1475
March 12, 2015, 03:45:37 AM
> I've seen more movement in the space, and I wonder what is the most secure, or preferred, two-factor solution for Bitcoin-based accounts.
> I suppose multi-sig transactions are a form of 2FA; would it be possible to make the process more fluid?
> Would it be possible to actually use smart contracts with a two-factor mechanism?
> Do you trust Google 2FA or SMS-based 2FA?
> Do you think it's possible to create a more secure solution that is not centralized, or is centralized the way to go?

At the moment I use Google Authenticator. I think it's good enough. However, I would like to see a non-centralized solution. For example: having a BTC private key on the mobile, have the website or site generate a random text and sign it with the mobile. Of course a modification would be required to keep the final signature short.
dsattler
Legendary
Activity: 924
Merit: 1000
March 12, 2015, 07:41:10 AM
I don't trust 2-factor security for large transactions, because of the centralized service involved. Looking into multi-sig solutions ATM, maybe that's the future.
I recommend offline signing with Armory or Trezor!
Bitcointalk member since 2013!
Amph
Legendary
Activity: 3248
Merit: 1070
March 12, 2015, 08:04:41 AM
Google 2FA should be your best choice.
Personally I like the one with the code, which works on older phones also.
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
March 12, 2015, 02:45:15 PM (last edit: March 12, 2015, 02:58:34 PM by DeathAndTaxes)
It depends on what you mean by 'decentralized'. There is no need for a 2FA to be decentralized because it involves two parties (user & server) who can communicate directly. I assume you mean without a third party. Google Authenticator is based on an open standard. The app is simply an 'OTP calculator'. It doesn't communicate with any third-party server. Likewise the website or service which is using Google Authenticator also doesn't need to use any third-party service. They have the same 'seed' and, using the same open-source algorithm, can generate the same code to verify that the code you provide is correct.
It would be nice if there was an open-source equivalent for the mobile app. Maybe one exists? I am not sure.
dsattler
Legendary
Activity: 924
Merit: 1000
March 12, 2015, 04:30:20 PM
> It depends on what you mean by 'decentralized'. There is no need for a 2FA to be decentralized because it involves two parties (user & server) who can communicate directly. I assume you mean without a third party. Google Authenticator is based on an open standard. The app is simply an 'OTP calculator'. It doesn't communicate with any third-party server. Likewise the website or service which is using Google Authenticator also doesn't need to use any third-party service. They have the same 'seed' and, using the same open-source algorithm, can generate the same code to verify that the code you provide is correct.
> It would be nice if there was an open-source equivalent for the mobile app. Maybe one exists? I am not sure.

"Decentralized" means for me "on the blockchain". Someone has to verify my Google Authenticator code; that's the server involved here.
EcuaMobi
Legendary
Activity: 1876
Merit: 1475
March 12, 2015, 04:32:13 PM
> It depends on what you mean by 'decentralized'. There is no need for a 2FA to be decentralized because it involves two parties (user & server) who can communicate directly. I assume you mean without a third party. Google Authenticator is based on an open standard. The app is simply an 'OTP calculator'. It doesn't communicate with any third-party server. Likewise the website or service which is using Google Authenticator also doesn't need to use any third-party service. They have the same 'seed' and, using the same open-source algorithm, can generate the same code to verify that the code you provide is correct.
> It would be nice if there was an open-source equivalent for the mobile app. Maybe one exists? I am not sure.

> "Decentralized" means for me "on the blockchain". Someone has to verify my Google Authenticator code; that's the server involved here.

We're talking about 2FA to log in to a server, right? And that same server is the one verifying whether our 2FA code is OK. How could that be prevented? How can the server know if the code is OK without verifying it itself?
dsattler
Legendary
Activity: 924
Merit: 1000
March 12, 2015, 04:37:38 PM
> It depends on what you mean by 'decentralized'. There is no need for a 2FA to be decentralized because it involves two parties (user & server) who can communicate directly. I assume you mean without a third party. Google Authenticator is based on an open standard. The app is simply an 'OTP calculator'. It doesn't communicate with any third-party server. Likewise the website or service which is using Google Authenticator also doesn't need to use any third-party service. They have the same 'seed' and, using the same open-source algorithm, can generate the same code to verify that the code you provide is correct.
> It would be nice if there was an open-source equivalent for the mobile app. Maybe one exists? I am not sure.

> "Decentralized" means for me "on the blockchain". Someone has to verify my Google Authenticator code; that's the server involved here.

> We're talking about 2FA to log in to a server, right? And that same server is the one verifying whether our 2FA code is OK. How could that be prevented? How can the server know if the code is OK without verifying it itself?

Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up control over your precious bitcoins.
EcuaMobi
Legendary
Activity: 1876
Merit: 1475
March 12, 2015, 04:40:34 PM
> Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up control over your precious bitcoins.

It seems we all agree here. We just need to know what exactly OP meant with this question; otherwise we're interpreting it differently.
laurentmt
March 12, 2015, 06:09:35 PM
> At the moment I use Google Authenticator. I think it's good enough.
> However, I would like to see a non-centralized solution. For example: having a BTC private key on the mobile, have the website or site generate a random text and sign it with the mobile. Of course a modification would be required to keep the final signature short.

You may be interested in this demo. It's a PoC for 2FA implemented with BitID as a second factor (login/password as first factor). Note that we could also have a scheme in which all credentials are BitID (and get rid of the login/password).
btchris
March 12, 2015, 11:01:43 PM
> It would be nice if there was an open-source equivalent for the mobile app. Maybe one exists? I am not sure.

FreeOTP (which is OSS) is available for both Android and iOS: https://fedorahosted.org/freeotp/. I've been using it for a little less than a year now with no problems. It is maintained by a Red Hat employee (I'm not clear if it's actually sponsored by Red Hat, not that it matters to me).
funtotry
Sr. Member
Activity: 420
Merit: 250
Ever wanted to run your own casino? PM me for info
March 12, 2015, 11:05:45 PM
Don't know if this counts, but the MOST secure would probably be address signing. The site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing every time you want to log in.
EcuaMobi
Legendary
Activity: 1876
Merit: 1475
March 12, 2015, 11:14:18 PM
> Don't know if this counts, but the MOST secure would probably be address signing. The site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing every time you want to log in.

Yes, that was my first suggestion. It's a hassle as things are now. But it could work with some changes. For example:
- The user has the private key stored on the mobile in an app with QR code scanning capabilities.
- The website shows a QR code with the user's username and date, plus a base URL ( https://example.com/2fa/?session=sessionID&signature= ).
- The user scans that QR code with the app.
- The app signs the message (optionally asking for the password if the private key is encrypted) and calls the provided URL ( https://example.com/2fa/?session=sessionID&signature=abcSignatureHere ).
- The website detects that the user posted his signature and lets the user log in.
This is just a basic idea. But this way there would be no typing required, it would be very fast, and the actual private key would never be sent anywhere.
lucasjkr
March 12, 2015, 11:17:49 PM
It's impossible to say what the "best" TFA is.... It's a part of a system where if one part breaks, the whole thing is for nothing... To label one "the best" without looking at the other pieces is impossible... More so because we only see closed solutions (closed-source apps, closed-source hardware, etc.), so we can only guess as to how good the RNGs involved are...
domob
Legendary
Activity: 1135
Merit: 1170
March 13, 2015, 06:53:22 AM
> Don't know if this counts, but the MOST secure would probably be address signing. The site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing every time you want to log in.

This is what NameID (see my signature) does, although with Namecoin addresses instead of Bitcoin (since Namecoin gives a natural correspondence between "usernames" and addresses).

Use your Namecoin identity as OpenID: https://nameid.org/
Donations: 1 domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NC domobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS | GPG 0xA7330737

EcuaMobi
Legendary
Activity: 1876
Merit: 1475
March 13, 2015, 01:22:20 PM
> Don't know if this counts, but the MOST secure would probably be address signing. The site asks you to sign your username with the current timestamp (in seconds) and if it verifies they let you through. Quite a hassle opening your wallet and signing every time you want to log in.

> This is what NameID (see my signature) does, although with Namecoin addresses instead of Bitcoin (since Namecoin gives a natural correspondence between "usernames" and addresses).

I didn't know about this. I will definitely check it. Thanks for sharing. I know Namecoin makes sense because of the name part, but probably it'd be worth implementing it with Bitcoin so it's more popular.
CreationLayer (OP)
Member
Activity: 101
Merit: 10
March 13, 2015, 09:05:22 PM
> Multi-sig verification relies on the blockchain. 2-factor verification only relies on a server granting access (like blockchain.info), so you have to give up control over your precious bitcoins.

> It seems we all agree here. We just need to know what exactly OP meant with this question; otherwise we're interpreting it differently.

Polling the community to see what people prefer to use for 2FA. I've been curious as to what the community thinks is their preferred solution. While there is no best per se, and each situation is different, I'm just gauging what others think.
J-Dog
Newbie
Activity: 7
Merit: 50
March 13, 2015, 09:42:52 PM
I actually just finished integrating Clef ( https://getclef.com/ ) into one of my sites ( https://CoinDaddy.io ) to handle 2-factor authentication and it works great! Previously I was using gauthify.com and paying like $25/mo for the service. The Clef service is 100% free for companies to use for login authentication... I think you only pay if you want some premium features.

Also, the fact that you're able to register on a site, or log in to a site, simply by scanning the screen with your phone is way faster than typing out registration/login details. Not to mention the wave login page looks wicked cool... no more boring QR codes or typing Google Authenticator codes.

The staff was also really friendly. I signed up as a developer and within a few minutes I had an email from a company staff member offering help with the integration, which only took a few minutes. They helped test the integration and have been nothing but highly professional.

If anyone is looking for some good/cheap/secure 2FA authentication for their website, I would highly suggest getclef.com.

And no... this is not a paid shill account.. I just created this account a few minutes ago because I don't use this forum very often and can't remember the password to my old account.

J-Dog
oraclechain
Newbie
Activity: 5
Merit: 0
March 13, 2015, 10:35:56 PM
CoinDaddy looks awesome Jdog
gentlemand
Legendary
Activity: 2590
Merit: 3014
Welt Am Draht
March 18, 2015, 11:51:09 PM
I've had plenty of trouble with phone-based 2FA. If it's offered I go with printed one time codes. An oldie but a goldie.