Board: Securities
Re: [BTC-TC] Virtual Community Exchange w/ Options, DRIP, 2FA, API, CSV, etc.
by burnside on 08/07/2013, 08:52:17 UTC
... and this is exactly why I do not like this at all. I still need to have 2 or more computers.
That's, like, the whole point of 2FA.
I'd say using a separate program on the same machine offers some additional security over not using it at all. A simple keylogger won't compromise your account anymore, though anything that can just read the 2FA files can, but I'd hope those are less common so far.

Yeah, you do gain additional security, since many keyloggers just grab as many passwords as they can on autopilot and that's it. However, if someone is specifically targeting you or uses a more advanced keylogger, they can access the 2FA program just as easily as your password.

Running a 2FA program on your main machine is a bit like using a Mac for security: It's not inherently more secure, but since it's less targeted by attackers, your chance of getting hit is reduced.

Yubikeys and old phones are cheap and readily available.  An old phone doesn't even need cellular service.  Just wifi to get the app installed and once it's installed, it doesn't even need that except to occasionally sync the time.  I think we're in a good place security-wise.  Where we could improve:

- One-time use form tokens.  These also prevent double button press form submission issues.  (90% done, it's in testing now.)
- 2FA input in a few places that don't already have it.  (most places that don't are not particularly sensitive.)
- Require 2FA to use the site.  Essentially no trading would be allowed until 2FA was turned on.  (still thinking this one over.)

Cheers.
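The one-time-use form tokens burnside lists as nearly done (which also stop the double-button-press resubmission he mentions) can be implemented along the lines below. This is an added illustration written for this thread, not BTC-TC's own code: the session ids, the `form_token` field name, the `handle_trade_post` handler and the 15-minute lifetime are all assumptions made for the example.

```python
"""One-time-use form tokens (added example, not the exchange's code).

Each rendered form carries a fresh random token. The server accepts a token
exactly once, only from the session that was issued it, and only within its
lifetime, so a double-submitted or replayed POST is rejected.
"""
import hmac
import secrets
import time


class FormTokenStore:
    """Server-side store of unused form tokens, keyed by session id."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable for testing expiry
        self._tokens = {}             # session_id -> {token: issued_at}

    def issue(self, session_id):
        """Mint a token for a form rendered in this session."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._tokens.setdefault(session_id, {})[token] = self.clock()
        return token

    def _purge_expired(self, bucket):
        now = self.clock()
        for tok, issued in list(bucket.items()):
            if now - issued > self.ttl:
                del bucket[tok]

    def consume(self, session_id, presented):
        """Return True and delete the token if it is valid for this session.

        A second call with the same token returns False: the token is gone.
        """
        bucket = self._tokens.get(session_id, {})
        self._purge_expired(bucket)                # expired tokens never redeem
        wanted = (presented or "").encode("utf-8")
        for tok in list(bucket):
            # constant-time comparison so timing does not leak token bytes
            if hmac.compare_digest(tok.encode("utf-8"), wanted):
                del bucket[tok]
                return True
        return False


def handle_trade_post(store, session_id, form):
    """Stand-in for a trading form handler (hypothetical, for this example).

    Returns (http_status, message). The form token is consumed before any
    order processing, so a replay can never reach the order logic.
    """
    if not store.consume(session_id, form.get("form_token")):
        return 409, "stale or reused form token; reload the form"
    return 200, "order accepted: %s" % form.get("order")


def simulate_double_submit(store=None):
    """Render one form, submit it twice (the double-click case).

    Returns the two status codes; the second submission must be refused.
    """
    store = store or FormTokenStore()
    token = store.issue("session-A")                      # form rendered
    form = {"form_token": token, "order": "BUY 10 @ 0.5"}  # constructed input
    first, _ = handle_trade_post(store, "session-A", form)
    second, _ = handle_trade_post(store, "session-A", form)
    return first, second


def simulate_cross_session(store=None):
    """A token issued to one session is presented by another session.

    Returns (status for the wrong session, status for the right session).
    """
    store = store or FormTokenStore()
    token = store.issue("session-A")
    form = {"form_token": token, "order": "SELL 1 @ 0.6"}
    wrong, _ = handle_trade_post(store, "session-B", form)
    right, _ = handle_trade_post(store, "session-A", form)
    return wrong, right


if __name__ == "__main__":
    print("double submit:", simulate_double_submit())    # (200, 409)
    print("cross session:", simulate_cross_session())    # (409, 200)
```

The store is in-process for clarity; a real deployment with several web workers would keep the same per-session token map in a shared store (a database or cache) and perform the delete as a single atomic operation so two simultaneous submissions cannot both pass.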