Which Two-factor authentication methods are available at which exchanges?
I see that Mt. Gox now supports the Google Authenticator app (on Android, iOS – iPhone, iPad, iPod Touch, and on Blackberry) for 2-factor authentication (in addition to support for Yubikey, of course).
What are all the various 2-factor (also referred to as multi-factor) methods available for Bitcoin-related sites (exchanges, eWallets, mining pools, other services, etc.)?
Bitcoin Currency Exchanges:
- Mt. Gox: OTP using YubiKey or Google Authenticator
  - Options: [On Login] | [For Withdrawals] | [For Changes To Security]
- Camp BX: OTP/Google Authenticator
- Bitstamp: OTP/Google Authenticator
- Bitcoin-24: OTP using Google Authenticator and for withdrawal SMS messaging
- Bitcoin-otc: GPG authentication with gribble bot
- BitMarket.eu: OTP/Google Authenticator
- Coinbase – OTP/Authy or OTP/Google Authenticator
- FYB-SG (Singapore) – OTP/Google Authenticator
- VirWoX – OTP/Google Authenticator
- WeExchange.co – OTP/Google Authenticator
- BTC-E – OTP/Google Authenticator
- Local Bitcoins – OTP/Google Authenticator
- bitcoin.de – OTP/Google Authenticator or Yubikey (but not Mt. Gox Yubikey)
- Blockchain.info/wallet – Google Authenticator, e-mail verification, SMS, and YubiKey (but not Mt. Gox YubiKey).
- WalletBit – SecureCard (or perhaps OTP/Google Auth has been added now?)
- Coinbase – SMS text messaging-based two-factor, Authy (Android/iOS app similar to Google’s)
- Paytunia – OTP/Google Authenticator or Yubikey (but not Mt. Gox Yubikey)
- bitZino – OTP/Google Authenticator
- Just-Dice – OTP/Google Authenticator
Disclaimer: I work for 2FA company CryptoPhoto
Google Authenticator does not save you from phishing or MitM/MitB or malware like NeverQuest, Hesperbot, Zeus, Ice IX, Bugat V2, Carberp, Citadel, Syscron, SpyEye, etc – or any APTs at all.
Google Authenticator (GA) is not open source (only the same antique version, no longer in use, ever got released).
They store their bypass codes in plaintext on the server (any serverside break-in grants the attacker full ability to authenticate as you)
Their bypass codes have insanely low entropy (7 numeric digits only – guessable in a mere 5 million attempts on average)
Their app provides QR code enrollment – and the QR codes are generated by putting your (supposed to be secret) private key into the HTTP GET parameter of a Google-owned URL; in other words, regardless of where you enroll with GA, they’re sending your private keys to Google.
“HTTP GET” parameters get stored in log files (granting access to your secret keys to anyone who can get the logs – such as by hacking, or legal subpoenas, or intercept)
The GA app uses a 3rd party QR code scanner to read your secret keys. This 3rd party tool is a supermarket barcode app, designed to send all scanned codes to their server. This is all “closed source”, so it’s impossible to tell if they’re recording your secret keys. Even if they’re not, the author (which is not Google, and not under their control) merely has to make an update to grab GA keys if he wants.
GA uses TOTP, which works with “shared secrets”. This is a horrifying mistake. Again – anyone who can crack either end of the channel can forever impersonate the other end (read: a serverside break-in can own your client-side auth). I am gobsmacked Google were so stupid on this one. Asymmetric crypto was invented to stop that kind of problem – did they choose not to use it on purpose?
In the limited source that’s available, there is a race-condition error in their brute-force-prevention code: you’re supposed to only be able to guess 3 codes, but if you open 2+ channels for guessing, only 1 of those channels gets blocked – all the other ones can keep on indefinitely guessing new codes without getting blocked.
And of course – to state the bleeding obvious – most of the exchanges that have already been looted were also “protected” by GA, with many of the victim operators publicly announcing that the hackers just bypassed it.
It’s cool that GA costs nothing, but that’s pretty much all it’s worth!
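The shared-secret property the answer above complains about is easiest to see by working through RFC 6238 TOTP itself. The following is an added example written for this page, not code from Google Authenticator or any exchange; it uses the RFC 4226/6238 test secret `12345678901234567890` (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) and a constructed `otpauth://` enrollment URI. The verifier needs exactly the same secret the phone holds, which is why a server-side database leak lets an attacker mint valid codes, and why the enrollment QR/URI must be treated as a secret in its own right.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Both the authenticator app and the server run exactly this function on the
    same secret, so either side can produce every future code."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check that tolerates `window` steps of clock skew on each side.

    Uses a constant-time compare; a deployment must also rate-limit attempts
    atomically, since a 6-digit code falls to roughly 10**6 / 2 guesses on average."""
    for skew in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + skew * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_otpauth_uri(uri: str) -> str:
    """The enrollment QR code is just an otpauth:// URI; the shared secret is a
    plain query parameter, so anything that logs or forwards the URI has the key."""
    return parse_qs(urlparse(uri).query)["secret"][0]


# Constructed enrollment URI using the RFC test secret (a real one would be random).
ENROLL_URI = ("otpauth://totp/Example:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    key = secret_from_otpauth_uri(ENROLL_URI)
    print("code at T=59:", totp(key, 59))          # RFC 6238 vector: 287082
    print("accepted:", verify_totp(key, "287082", 59))
```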
They use 2 Factor ID at ZIGGAP, which I found to be one of the best new exchanges out there.