Are two factor authentication enabled wallets at mtgox or blockchain.info safe even with weak passwords?

0

1

Are two factor authentication (2FA) enabled wallets at mtgox/blockchain.info safe even with weak passwords? What are the risks here, except losing one's mobile phone?

A Google authenticator is used for the 2FA, the Google account itself is also 2FA enabled.

vi.su.

Posted 2013-02-22T10:32:17.793

Reputation: 1 714

Could you elaborate? cdecker 2013-02-22T11:50:30.050

Answers

2

Blockchain.info does not use 2FA for encrypting the wallet and instead uses it only for limiting access via the web interface. If your system is compromised with a keylogger, and the attacker has access to the blockchain.info wallet (e.g., the backups sent via e-mail), for instance, then the attacker can perform a replay attack and spend the funds from the wallet.

Also, if your system is compromised the attacker might be able to obtain the password and OTP code and use that for login by simply being first to log in with those credentials. Mt. Gox implemented 2FA correctly by requiring the OTP for each withdrawal request, so that is less of an issue with them. Not all exchanges and EWallets with 2FA require that.

So there still is better protection when accessing your account only from a secure system, but those who live a little more dangerously can probably still keep their funds safe thanks to 2FA.

Also, the 2FA device should always be separate from the device where the wallet is being accessed from. So accessing Blockchain for Android from a mobile in which the 2FA client is also running is not a secure configuration.

Stephen Gornick

Posted 2013-02-22T10:32:17.793

Reputation: 26 118

Hey, I figured the two-factor on blockchain was implemented as you speak too, but I was wondering, do you have more information on the matter? Like an official statement or forum thread? droope 2013-12-26T03:27:16.877