Today we enabled Two-Step-Token (RFC 6238), also known as Google Authenticator, for withdrawals. This can be used as an alternative to our smsTAN system for users who:
- cannot receive text messages properly
- do not trust a third party (mobile carrier, SMS gateways)
- do not want to provide their phone number for privacy reasons
- are fans of a purely cryptographic 2-factor authentication
Implementing this feature required careful consideration of replay attacks and brute-force attacks. After some days of testing, we are confident that our implementation is finally ready. You can find more details about this feature on your account settings page.
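The two concerns named above, shown as an added example that is not this site's implementation: an RFC 6238 verifier that spends each time step once (replay) and stops checking after repeated wrong codes (brute force). The 30-second step, 6 digits, ±1 step window, 5-failure limit and the `TotpVerifier` name are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

STEP, DIGITS, WINDOW, MAX_FAILS = 30, 6, 1, 5  # assumed policy values


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 code for one time step (HMAC-SHA1, RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Per-user state (hypothetical class; a real service would persist it)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest time step already accepted
        self.fails = 0          # consecutive wrong codes

    def verify(self, code: str, now: float) -> str:
        if self.fails >= MAX_FAILS:
            return "locked"     # brute force: no more guesses until reset
        current = int(now) // STEP
        # Accept small clock drift, but never a step before time zero.
        for counter in range(max(0, current - WINDOW), current + WINDOW + 1):
            expected = totp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                if counter <= self.last_counter:
                    return "replay"  # valid code, but its step is spent
                self.last_counter = counter
                self.fails = 0
                return "ok"
        self.fails += 1
        return "invalid"
```
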
In cryptography we trust!