
Author Topic: two factor auth  (Read 7790 times)

colin012

  • Hero Member
  • *****
  • Karma: +65/-18
  • Offline Offline
  • Posts: 851
  • NXTOrganization Marketing
    • View Profile
Re: two factor auth
« Reply #40 on: July 15, 2014, 12:39:25 am »

Perhaps the hash of the TOTPs could exist on a per-block basis? In order to log in or send a transaction, your TOTPs would need to match the hash stored on the latest block on the chain?
Logged
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬  ▄▀▀▀▀▀▀▀▀▄  ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬●  nimirum  ●▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
▬▬▬ ◖ENDING CENSORSHIP ONLINE◗  ◖ ICO OPEN NOW◗ ▬▬▬

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: two factor auth
« Reply #41 on: July 15, 2014, 05:45:30 am »

Perhaps the hash of the TOTPs could exist on a per-block basis? In order to log in or send a transaction, your TOTPs would need to match the hash stored on the latest block on the chain?

Doesn't make any sense.

Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

Lawmaker

  • Jr. Member
  • **
  • Karma: +4/-1
  • Offline Offline
  • Posts: 16
    • View Profile
Re: two factor auth
« Reply #42 on: July 15, 2014, 09:56:20 am »

Perhaps it's a stupid thought, but let's say we use Google TOTP. If everyone is supposed to know that you generated the right code, what prevents a potential attacker from simply generating all the combinations of the 6 digits in 30 seconds and seeing what matches, then publishing the solution with the right code...
Logged

box1413

  • Hero Member
  • *****
  • Karma: +101/-4
  • Offline Offline
  • Posts: 687
    • View Profile
Re: two factor auth
« Reply #43 on: July 19, 2014, 04:39:02 am »

how about you get to make your own 2FA in your head by linking it to something that's constantly changing like the clock time.

Say your 2FA follows the hours in a 24 hour format. So if you wanted to log in to your wallet and it's 14:00, you get to create your own function, say a multiplier of 3. So your 2FA code is 14 * 3 = 42

You get to pick your own multiplier. It can be any addition/subtraction/division/multiplication.

I mean it definitely is a bit more complex than your typical 2FA, but it eliminates the need for a 3rd party device/service. You only need to remember the mathematical formula you created in the first place that goes according to some section of the time. It could be hours or minutes + timezone of course.

was this brought up before?
Logged

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: two factor auth
« Reply #44 on: July 19, 2014, 08:12:58 am »

how about you get to make your own 2FA in your head by linking it to something that's constantly changing like the clock time.

Say your 2FA follows the hours in a 24 hour format. So if you wanted to log in to your wallet and it's 14:00, you get to create your own function, say a multiplier of 3. So your 2FA code is 14 * 3 = 42

You get to pick your own multiplier. It can be any addition/subtraction/division/multiplication.

I mean it definitely is a bit more complex than your typical 2FA, but it eliminates the need for a 3rd party device/service. You only need to remember the mathematical formula you created in the first place that goes according to some section of the time. It could be hours or minutes + timezone of course.

was this brought up before?

This isn't 2 factor authentication. It's just a password.

I used to create passwords like that, for example

69! - 446217 and password would then be "171122452428141311372468338881272839092270544893520369393648040923257279754140647423999999999553783"

easy to remember (69! - 446217) but pretty strong

Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

box1413

  • Hero Member
  • *****
  • Karma: +101/-4
  • Offline Offline
  • Posts: 687
    • View Profile
Re: two factor auth
« Reply #45 on: July 19, 2014, 05:39:50 pm »

yea but your password always changes according to what time it is. For someone to brute force your password would be quite hard as it's constantly changing according to time.
Logged

HumanFractal

  • Full Member
  • ***
  • Karma: +29/-2
  • Offline Offline
  • Posts: 148
  • Programming is 90% logic and 10% Magic.
    • View Profile
Re: two factor auth
« Reply #46 on: July 21, 2014, 12:35:32 pm »

IMO a trustless solution is what we need - without a question.

My question is- are we able to use a system besides Google Authenticator?

It's very restricting, if not impossible in a blockchain scenario.

What we could do is implement our own custom 2FA challenge-response system into the NXT Android & iPhone apps.
This lifts most of the restrictions placed on us by using Google Auth.

For starters, 6 digit codes are way too short.

I have some thoughts on how a system like this could be achieved, but I'm not sure if a system using Google Auth is even possible (to be secure)


-----

My post on Local 2FA, which somewhat relates to this:

https://nxtforum.org/cryptopapers/(feature)-local-two-factor-authentication-for-cryptopapers-and-any-client-app/
Logged

rstanaford

  • Jr. Member
  • **
  • Karma: +8/-1
  • Offline Offline
  • Posts: 37
    • View Profile
Re: two factor auth
« Reply #47 on: July 27, 2014, 02:38:07 pm »

What about SQRL Authentication?

https://www.grc.com/sqrl/sqrl.htm
Logged

Daedelus

  • Hero Member
  • *****
  • Karma: +230/-12
  • Offline Offline
  • Posts: 3280
    • View Profile
Re: two factor auth
« Reply #48 on: July 28, 2014, 02:56:45 pm »

Nxt already has Two Factor Authentication, or at least it isn't needed.... so says BCNext   ;D

To those who are developing services.  Use [Decode token] request to authorize users, please.  Get rid of your own registration/authorization.  Nxt authorization tokens provide a safe way to log into a site without prior registration.  If you send money only to the user's account obtained from the token you don't even need a 2-factor auth.

https://bitcointalk.org/index.php?topic=303898.msg3358509#msg3358509

Maybe it doesn't apply in this case (or has been discussed) but perhaps we should look at making more use of the Token?
Logged
NXT: NXT-4CS7-S4N5-PTH5-A8R2Q

Eadeqa

  • Hero Member
  • *****
  • Karma: +83/-68
  • Offline Offline
  • Posts: 1888
    • View Profile
Re: two factor auth
« Reply #49 on: July 28, 2014, 06:34:11 pm »

Nxt already has Two Factor Authentication, or at least it isn't needed.... so says BCNext   ;D

To those who are developing services.  Use [Decode token] request to authorize users, please.  Get rid of your own registration/authorization.  Nxt authorization tokens provide a safe way to log into a site without prior registration.  If you send money only to the user's account obtained from the token you don't even need a 2-factor auth.

https://bitcointalk.org/index.php?topic=303898.msg3358509#msg3358509

Maybe it doesn't apply in this case (or has been discussed) but perhaps we should look at making more use of the Token?

Looks like he is talking about exchanges using tokens to authorise users (instead of usernames/passwords). Makes sense, but it's not related to this topic.

Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

firefighter

  • Jr. Member
  • **
  • Karma: +5/-1
  • Offline Offline
  • Posts: 70
    • View Profile
Re: two factor auth
« Reply #50 on: August 01, 2014, 04:56:10 am »

Hi Eadeqa,

I used to create passwords like that, for example

69! - 446217 and password would then be "171122452428141311372468338881272839092270544893520369393648040923257279754140647423999999999553783"

easy to remember (69! - 446217) but pretty strong

Actually it isn't really strong.

Real randomness (high entropy) makes a password strong.

The entropy of the digits "0 - 10" is 3,3 bits and you have 8 numbers involved. I assume sometimes you use "+" instead, so that's an additional bit. So your password strength is just below 30 bits and this can be considered very weak.

(log2(10) * 8) + 1 = 28,575

Please use the built-in password generator or diceware.com passwords instead.
I use Diceware and my entropy is about 230 bits already -> this can be considered strong.

Sure, I could use a strong password generator, even stronger within the same length, but I have use cases where I need to write the passphrase manually.

FireF
 
Logged
NXT-SYDZ-HECY-YF3A-76E5Q
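The entropy argument in the two replies above (Eadeqa's "69! - 446217" password and firefighter's log2(10) * 8 + 1 estimate against ~230 bits of Diceware) carried through in code. This is an added example, not code from either poster or from the Nxt project; it assumes the standard Diceware list size of 7776 words and treats each digit and sign of the formula as an independent uniform choice, which is the model firefighter's post uses. It also reproduces the 99-digit output of the formula so the contrast between the length of the string and the number of choices that produced it is visible.

```python
import math

# Added example (not from the forum posts). It evaluates the reasoning in the
# reply above: a password's strength is the number of equally likely choices
# made while generating it, not the length of the string that comes out.

DICEWARE_LIST_SIZE = 7776  # a standard Diceware list has 6**5 words


def formula_password() -> str:
    """The quoted example: the decimal digits of 69! - 446217."""
    return str(math.factorial(69) - 446217)


def generation_entropy_bits(n_digits: int, extra_binary_choices: int = 0) -> float:
    """Entropy of choosing n_digits decimal digits uniformly, plus any independent
    yes/no choices (the reply counts '+' vs '-' as one extra bit)."""
    return n_digits * math.log2(10) + extra_binary_choices


def naive_output_entropy_bits(password: str, alphabet_size: int = 10) -> float:
    """What the output string would be worth if every character had been chosen
    uniformly from the alphabet. For a number derived from a short formula this
    overstates the real strength: the characters are not independent choices."""
    return len(password) * math.log2(alphabet_size)


def diceware_entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from a word list."""
    return n_words * math.log2(list_size)


def words_for_target_bits(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of Diceware words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_guesses(bits: float) -> float:
    """An attacker who knows the generation scheme needs, on average, half the keyspace."""
    return 2 ** (bits - 1)


def report() -> dict:
    """Summary of the comparison, as a dict so it can be checked programmatically."""
    pw = formula_password()
    return {
        "formula_password_length": len(pw),
        "naive_output_bits": round(naive_output_entropy_bits(pw), 1),
        "generation_bits": round(generation_entropy_bits(8, 1), 3),
        "diceware_words_for_230_bits": words_for_target_bits(230),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The point the numbers make: the output looks like a 99-digit string worth several hundred bits, but someone who guesses that the scheme is "small factorial plus or minus a few digits" faces a keyspace of well under 2^30, while eighteen Diceware words reach the 230 bits firefighter mentions and have no structure to guess.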

firefighter

  • Jr. Member
  • **
  • Karma: +5/-1
  • Offline Offline
  • Posts: 70
    • View Profile
Re: two factor auth
« Reply #51 on: August 01, 2014, 05:10:58 am »

I believe it should be pretty straightforward to build 2-factor authentication into Nxt. The user could set a threshold, so that large transfers require a one-time password.

When I think about it, it is surprising that Bitcoin has not implemented this. There was a discussion here:

https://gist.github.com/gavinandresen/5616606
http://www.reddit.com/r/Bitcoin/comments/1j676d/gavin_suggests_twofactor_protection_of_wallet/

RFC for HOTP
http://tools.ietf.org/html/rfc4226

It is cryptography that makes Nxt strong and secure. You just have to choose a strong password.
And simplicity is the golden rule for safe and secure systems. The 2 Factor Auth thing would make things more complex, so you would weaken the whole Nxt system with such a thing.

NXT already has a thing called Account Control, that's a real and simple solution, and this leads to a stronger overall system.


2FA built into the Nxt core would make things complicated and there is a risk that even the right user isn't allowed to get access to his account.
And 2FA on the client side doesn't make things secure, because everybody could write their own client which doesn't ask for the 2FA and just uses the password. So 2FA is just so users believe it is more secure, but this will lead to weaker passwords (because you have 2FA) and so the opposite would be the case.


That said: It is important to have a FAQ for Nxt where users are helped to choose a strong password and where it is explained why 2FA isn't secure.

FireF

Logged
NXT-SYDZ-HECY-YF3A-76E5Q

johnna

  • Jr. Member
  • **
  • Karma: +8/-3
  • Offline Offline
  • Posts: 78
    • View Profile
Re: two factor auth
« Reply #52 on: August 11, 2014, 11:27:35 pm »

Thanks for the information. :-)
Logged