

Mt. Gox beefs up security, adds support for Yubikey - mef
http://forum.bitcoin.org/index.php?topic=26917.0

======
rlpb
Yubikeys are based on shared secrets, which means that Mt. Gox must keep a
database of all users and their shared secrets. If this database is
compromised, then protection provided by Yubikey is lost.

Two factor auth relies on you proving that you have something. Here, Mt. Gox
have it too (the shared secret). If their copy gets leaked, anyone can pretend
to be you.

Still, it's far better than nothing. But note that RSA SecureID's recent
compromise was this exact issue.

The real way of fixing this is with asymmetric crypto. For example:
<http://www.gooze.eu/feitian-epass-pki-token> \- here the USB token is the
only device that ever sees a private key, so a compromise really would need to
target that physical thing that you have.

~~~
marcusw
You are very mistaken; mt. gox does not have access to your shared secret and
simply uses the yubico authentication servers to verify that the OTP is
correct. Please go spread your lies elsewhere before you are charged with
defamation.

~~~
mattfawcett
It looks like Mt.Gox are running their own authentication server. Their
website states "Please note that our Yubikey can only be used with Mt.Gox" and
I can't see anywhere that I can add the Yubikey that I already own.

I'm not sure why anyone would want to buy a Yubikey from Mt.Gox if it can only
be used on their site.

