This is an interesting post, and I am looking into it. However, one thing off the bat, I can't just create any email account and then email from it. You have to email FROM THE EMAIL USED TO OPEN THE ACCOUNT. So, as long as you were the original user to open the account, you should
A) Know what email was used.
B) Be the only one to have access to it.
Here is my problem with the current Bitfinex "security" system:
* Your e-mail account is ONE factor. ONE. Period.
If I get access to the e-mail account you used to sign up at BFX then I can:
* Reset your password.
* E-mail Bitfinex and have them disable your Google OTP.
The whole point of Google OTP is to provide TWO factor security for your account. What we have here is NOT two factor security, we have ONE factor security and that one factor is your e-mail account.
This means that your Bitfinex account is ONLY protected as well as your e-mail account is protected. If you, for example, signed up using a GMail account and use that with Bitfinex then everyone at Google can take control over your Bitfinex account.
Think about this: Why even bother asking for a password and OTP when you login at Bitfinex? Bitfinex could instead just ask you to enter your username and send you a login-link to your e-mail - then you click that link and you've got access to everything at Bitfinex. Does this sound secure?
Well, regardless of what you think of that "security system" it is no less secure than the current system.
One little detail: You cannot withdraw for 1 week after Bitfinex disables your OTP. This means that the adversary will need to look at your Facebook page and time the attack based on when you tell the world that you will be going on a two week jungle safari.
Of course, I am glad to look over the suggestions, and I think some of them might be useful as user requested additional settings. Security, from the user perspective, is a tradeoff between convenience and security. So, while making them fly to Hong Kong is super secure, it means that you could be locked out of your account for quite a long time. This is obviously just an extreme example. I, personally, hate when companies REQUIRE me to jump through hoops, and don't allow me to judge my personal preference for level of security. I think we struck a good balance, in that we allow you to lock your withdrawal address, offer automated withdrawals only if 2FA is enabled, and require 2FA for login. Obviously, this is heavily dependent on 2FA, and on a user's own security measures. One thing I would highly recommend, again this isn't perfect security, but is to have a passphrase on your phone, AND a separate one on your 2FA (in my case, you have to have my thumb to open Authy). Again, I stress that there is no perfect method that will make you unhackable, and if someone really wants it bad enough, there is always the $5 wrench. So, I think that doing a reasonable amount of preventative work, and getting into good security habits is effective for most accounts, while more extreme measures could be worthwhile for very large accounts, or for corporate accounts.
Really want to continue this conversation, so let me know your thoughts.
I agree that it is hard to make good trade-offs here. What I would like Bitfinex to solve better is that Google OTP should provide 2FA as in TWO FACTOR when it is used right. This means not using the device you use to login at Bitfinex for Google OTP (dedicated $50 android phone or a heavily password protected normal phone, preferably one which you do not use to login at Bitfinex) and it also means not being able to remove Google OTP by the same means you can use to change the account password.
Bitfinex does not provide 2FA as long as you can use an e-mail account to easily both reset the password and remove OTP. That is NOT 2FA, that is 1FA. Period. And that is NOT secure. As I suggested: Write "Disable my 2FA, today is $DATE" on a piece of paper & take a photo holding that piece of paper and you now have something that is very hard to do for someone who is not you even if they have all the haxor skills in the world.
As for the $5 wrench.. yes, that is indeed a hard one to solve.
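The two posts above disagree about whether e-mail-based recovery turns the OTP into a single factor. Below is an added example, not code from the thread or from Bitfinex, that models both recovery policies as a small attack-path graph: the e-mail-only reset/disable path described in the earlier post, and the dated-photo check proposed above, with the one-week withdrawal hold included. Asset and state names (`email`, `otp_device`, `photo_id`, `unnoticed_week`, and so on) are constructed labels for the model; it enumerates the inclusion-minimal sets of assets that suffice to reach a withdrawal under each policy, which is a direct way to read off how many factors the account is really protected by.

```python
"""Attack-path model of account-recovery policies (added illustration, not Bitfinex code)."""
from dataclasses import dataclass
from itertools import combinations

# Things an attacker or the legitimate user may hold. Constructed labels.
EMAIL, PASSWORD, OTP_DEVICE, PHOTO_ID, UNNOTICED_WEEK = (
    "email", "password", "otp_device", "photo_id", "unnoticed_week")
# Intermediate states reached through the flows the thread describes.
OTP_DISABLED, LOGIN, LOGIN_AFTER_RESET, WITHDRAW = (
    "otp_disabled", "login", "login_after_reset", "withdraw")
ASSETS = (EMAIL, PASSWORD, OTP_DEVICE, PHOTO_ID, UNNOTICED_WEEK)


@dataclass(frozen=True)
class Rule:
    name: str
    requires: frozenset  # states that must already be held
    grants: str          # state gained when the rule fires


def rule(name, requires, grants):
    return Rule(name, frozenset(requires), grants)


# Flows common to both policies.
COMMON_RULES = [
    rule("login with password + OTP", {PASSWORD, OTP_DEVICE}, LOGIN),
    rule("login with password once OTP is disabled", {PASSWORD, OTP_DISABLED}, LOGIN_AFTER_RESET),
    rule("withdraw immediately", {LOGIN}, WITHDRAW),
    # After support disables OTP, withdrawals are blocked for a week; the attacker
    # only gets through if the owner does not notice in that time.
    rule("withdraw after the one-week hold", {LOGIN_AFTER_RESET, UNNOTICED_WEEK}, WITHDRAW),
    rule("reset password via e-mail", {EMAIL}, PASSWORD),
]

# Current policy as criticised in the thread: e-mail alone disables OTP.
EMAIL_ONLY_POLICY = COMMON_RULES + [
    rule("disable OTP via e-mail", {EMAIL}, OTP_DISABLED)]

# Proposed policy: e-mail plus a dated photo of the account owner is required.
HARDENED_POLICY = COMMON_RULES + [
    rule("disable OTP via e-mail + dated photo", {EMAIL, PHOTO_ID}, OTP_DISABLED)]


def reachable(held, policy):
    """Fixed-point closure: keep firing rules until no new state is gained."""
    state = set(held)
    changed = True
    while changed:
        changed = False
        for r in policy:
            if r.requires <= state and r.grants not in state:
                state.add(r.grants)
                changed = True
    return state


def can_withdraw(held, policy):
    return WITHDRAW in reachable(held, policy)


def minimal_asset_sets(policy):
    """Inclusion-minimal asset sets that reach WITHDRAW, as sorted tuples."""
    winning = [frozenset(c) for n in range(1, len(ASSETS) + 1)
               for c in combinations(ASSETS, n) if can_withdraw(c, policy)]
    minimal = [s for s in winning if not any(other < s for other in winning)]
    return sorted(tuple(sorted(s)) for s in minimal)


if __name__ == "__main__":
    for label, policy in (("e-mail-only recovery", EMAIL_ONLY_POLICY),
                          ("e-mail + dated photo", HARDENED_POLICY)):
        print(f"{label}: minimal asset sets reaching withdrawal")
        for s in minimal_asset_sets(policy):
            print("   ", " + ".join(s))
```

Under the e-mail-only policy the e-mail account plus an unnoticed week is a complete path, which is the one-factor point made in the earlier post (and the safari timing caveat from the same post). Under the hardened policy the same path additionally needs the photo, while the legitimate password-plus-OTP login is unchanged in both.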
I don't think we disagree that things SHOULD be more secure, but in order to do that, as you suggest, people should buy another phone that they use ONLY for 2fa. That is probably not going to happen in 99% of cases. Therefore, due to the unwillingness to implement a hardware solution, it becomes 1fa. Here is the issue:
1. We need to know you are the person with the rights to access the account.
2. You do this by providing something you have.
3. If you lose that something, you still have the rights to access your account.
4. In order to remedy that, we have to be able to bypass the original security that you set up, due to the loss of your password, phone, email, etc.
So, to be clear, if you maintain your security on your phone, and your email, you will never be able to be hacked. These issues affect people who have ALREADY been compromised. If we add a gpg key as another method, what happens when you lose your gpg key? The simple fact remains, that google 2FA IS two factor authentication if you haven't lost one of the methods of authentication. We require the phone, which has the Google 2FA, and also the password, which you should be the only one to know. Obviously, since this system REQUIRES you to talk to someone in support, if you say that you lost your phone and forgot your password...the human who is talking to you will probe much more deeply and watch much more carefully. I agree that if I COULD just say "Hey, lost my phone and forgot my password, I sent you an email from the account used to open the account", and if this is all that is necessary, you could have a problem, but, you have to talk to someone in support, via email. They will respond to your request and await a response from you. I haven't seen the email spoofing successfully done, or reported here.
If you actually lose access to your phone, and you used an email which is on your phone, AND your phone isn't locked, the password can be guessed, or it doesn't use biometrics, THEN you have been pretty well compromised. For me, if I lost my phone, I would notice sometime within 24 hours. I usually touch my phone physically at least every hour, aside from sleep. Given that iPhones (and I believe Android?) can be remotely wiped, any access to the compromised phone should be able to be mitigated as soon as the loss is noticed. Since you cannot withdraw for a week, you should have more than enough time to work this out with support.
Long story short, bitfinex uses a password authentication method, with optional 2FA, but we cannot guarantee your security in regards to YOUR phone, YOUR email address, and YOUR laptop. Basically, the complaint is, well, my phone and my laptop got hacked, how could they access my bitfinex account? I would say that if you were compromised in 2 other areas...your security procedures probably need some work.
I think that if someone wanted to REQUEST that we require more than simply emailing us and having a conversation, and place additional restrictions on their account, and agreed to endure the higher inconvenience, that would be reasonable.