Is Google Authenticator really useful on blockchain.info?

blockchain.info hosts encrypted wallets, and all decryption is done locally, so having a Google Authenticator bound to a wallet only prevents an attacker from downloading that encrypted wallet.

Now, assuming the passphrase is good, having an encrypted wallet is perfectly useless if you do not know the passphrase.

So the two-factor authentication would provide any benefit only to people with non-good passphrases... but that wouldn't be a real solution: they ought to change passphrase anyway!

Hence, I can't come up with any situation were enabling two-factor authentication on blockchain.info provides any meaningful benefit.

Am I missing something?

o0'.

Posted 2013-04-11T12:56:57.513

Reputation: 5 180

Answers

Two-factor authentication is generally useful in that it adds a different layer of security to your account. In addition to your password (which is something you know) two-factor authentication adds a key generated from a specific device (which is something you have.)

In my experience one can never be too cautious about their financies, especially when they are being hosted on a machine connected to the internet. If it were just the security vulnerabilities you knew you knew about (e.g., the strength of your passphrase) that would be one thing. Usually it is the security issues you do not know about that justify extra layers (like two-factor authentication).

fbrereto

Posted 2013-04-11T12:56:57.513

Reputation: 621

But... you are not addressing the concerns I posted, this is a generic answer which I don't need. – o0'. – 2013-04-12T10:12:59.143

1@Lohoris The question you are asking is a generic question - you're asking about the worth of TFA when a passphrase is "good". The application to blockchain.info specifically doesn't really change the question. – fbrereto – 2013-04-12T23:10:13.613

Yes it does: in a traditional website you have a login+password without which you can't login at all, and TFA provides an additional layer. In blockchain.info AFAIK knowing a wallet id is enough to download it, but the wallet itself is protected by the passphrase, so if you don't know that, having the wallet isn't useful. – o0'. – 2013-04-13T14:33:55.093

Your "wallet" lives inside of the blockchain network. You access it by having the public and private keys. Blockchain.info allows you to have an account to store said keys. Anyone who can log in can spend your coin. How the hell can you possibly think not using 2fa is smart? Your assumptions are WAY off. As for "downloading your wallet", again, it is just keys. The coins live inside the network; the keys access the coins. Login to the online wallet, you have access to EVERYTHING.

With that being said, if you use google authenticator and lose your phone.... you better hope you have a backup method. Text message is much safer for 2 factor. Lose your phone? Get a new one and have a message sent to it. With authenticator, you are absolutely screwed (unless you printed out the QR code to pair your phone).

user5829

Posted 2013-04-11T12:56:57.513

Reputation: 1

1I think you have no real idea what you are talking about. – o0'. – 2013-07-06T09:16:35.670