Post
Topic
Board Web Wallets
Re: Blockchain.info - Bitcoin Block explorer & Currency Statistics
by malevolent on 20/10/2013, 21:36:15 UTC
(Yet Another) Feature Suggestion — would it be possible for blockchain.info to include an option in account settings that, when enabled, would ask the user for 2FA (email, SMS, gauth, yubikey, etc.) also upon trying to withdraw BTC (with the ability to set up a daily transaction threshold (in BTC or fiat), above which the user would be asked for 2FA)?

This would protect people from some more sophisticated malware that waits till the user logs in with his credentials and 2FA, and only then sends funds to the attacker's address.

There is still a possibility that the attacker could wait till the user tries to make a transaction and would replace the user-specified address with his own one. To protect against this, people who have SMS or email as 2FA (hopefully accessing the email account from a different device) could get transaction information about the addresses that are involved along with the code.

It would also be nice to be able to set ranges of IP addresses from which the user should be allowed to log in (for those with dynamic IP addresses). ;)

I'll also post this here again in case piuk last time missed it:
Minor feature request: Please print out a text version of the TOTP secret key below the qr code image on the two factor authentication settings page.

I'll pass this suggestion along, but in the meantime you can use a different QR scanner app to get a copy of the secret key. If you ever need to reset two factor authentication, then you can just submit a 2FA reset request. We usually process these within 12-24 hours max (I check them multiple times a day).

Yes, please print a text version of the key, it would be very convenient for users with older phones for which there are alternative Gauth implementations but none of them can scan QR codes. Other QR scanning apps are also problematic to work with.
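A sketch of the withdrawal check suggested in the post above, as an added example that is not part of the original post and not blockchain.info's code: withdrawals under a daily threshold pass, larger ones need a one-time code whose out-of-band message repeats the destination and amount the server received. The class and method names, the message wording and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class WithdrawalGuard:          # hypothetical name, illustration only
    daily_limit_sat: int        # user-chosen daily threshold, in satoshi
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    spent_today_sat: int = 0    # assumption: the caller resets this once a day
    pending: dict = field(default_factory=dict)   # nonce -> (address, amount)

    def _code(self, nonce, address, amount_sat):
        # 6-digit code derived from this exact destination and amount
        msg = f"{nonce}|{address}|{amount_sat}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def request(self, address, amount_sat):
        """Return None when no 2FA is needed, else (nonce, SMS/email text)."""
        if self.spent_today_sat + amount_sat <= self.daily_limit_sat:
            self.spent_today_sat += amount_sat
            return None
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (address, amount_sat)
        code = self._code(nonce, address, amount_sat)
        # The text shows what the server was asked to send, so an address
        # swapped on the infected machine is visible on the second device.
        return nonce, f"Send {amount_sat} sat to {address}? Code: {code}"

    def confirm(self, nonce, code):
        """Return the (address, amount) to broadcast, or None if refused."""
        tx = self.pending.pop(nonce, None)    # one attempt per challenge
        if tx is None:
            return None
        expected = self._code(nonce, *tx)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return None
        self.spent_today_sat += tx[1]
        return tx
```

Only the transaction stored at request time is ever returned by `confirm`, so a code issued for one address cannot approve a payment to another.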