How To Activate Two Factor Authentication on BTCJam and Gmail

With phishing attacks (fake emails) on the rise and keyloggers (programs that record everything you type) spreading like wildfire, it’s more and more clear that a password is not enough.  That’s why we implemented Two Factor Authentication (2FA or TFA) on BTCJam.

Two Factor Authentication (2FA) allows you to log in to your account with your password and a code generated by your mobile phone (hence the Two, in Two Factor).  By logging in with your password and a code from your phone you make it much harder for hackers to take over your account.

We strongly suggest that you activate Two Factor Authentication (2FA) on BTCJam and on your Gmail account.  If hackers gain control of your email, they often use it to reset your passwords, take over all of your accounts (including your bank, stocks and credit card accounts) and even gain access to your sensitive and personal emails.

Setting up 2FA on Gmail – Account -> Signing In


Here are simple step-by-step instructions on How To Activate Two Factor Authentication on BTCJam:
  1. Log in to your BTCJam Account



  2. In the upper right hand corner, click on your name, then click Settings.


You can also select settings from our Main Menu, and click on Security:

 


4. Click on Setup Two Factor Authentication



 5. Follow the Instructions for Two Factor Authentication Setup


  1. Install Google Authenticator on your phone.
     • Select “+” to add a new site to Google Authenticator.

  2. Scan the QR code or copy/paste the secret code.

  3. Enter the code provided by Google Authenticator in the “Two Factor Authentication” box and click Verify.

How To Activate Two Factor Authentication on Gmail
  1. Log in to your Gmail account

  2. Click on Your Gmail Address in the Upper Right Hand Corner.
    1. Then Click Account

  3. Scroll down to the Signing In section
    1. Click 2-Step Verification

  4. Click Start Setup to begin.


5. Enter your phone number to begin the verification process.

6. Enter the code that you received via text message.



7. Decide if you’d like to trust your computer.  (Obviously if you’re using a public computer like in a school or a library, uncheck this box.)



8. Click Confirm to finish setting up 2-Step Verification (phone verification)



9.  Sometimes phone verification may not be enough.  If you have your text messages forwarded through another service (like Google Voice) and someone takes over your Google Voice account, they will also take over your text messages.  You may want to activate the Google Authenticator app.
  • Click Switch to app



10. Select your phone type and click Continue.


11. Follow the instructions to Install Google Authenticator:



12. Once you’ve installed the app, clicked “+” to add a new account and scanned the barcode, enter the verification code and click Verify and Save.

 


Congratulations!  Your BTCJam account and Gmail account are now secured with 2-Factor Authentication!

You may also want to print a backup copy of your codes, in case you lose your phone.  Navigate back to the 2-Step Verification Page (Click on Gmail Address in the upper right hand corner, click Account, scroll down to Signing In, click 2-Step Verification) and then scroll down to Backup Codes.


Click Print or Download, then print the following page and store it in a safe place.  These codes will allow you to log in to your Gmail Account even if your phone is lost or stolen.

That’s it!  Your BTCJam and Gmail account are now more secure thanks to Two Factor Authentication.  Nice work!

14 thoughts on “How To Activate Two Factor Authentication on BTCJam and Gmail”

  1. It is also possible to use a YubiKey for 2FA using Google Authenticator (TOTP). A YubiKey is a physical token which acts as a USB keyboard to paste the numerical code in. Instructions are slightly different, but documented on the YubiKey website. Unfortunately, a helper app is needed, called YubiTOTP (for Windows). Derivatives of this software written by 3rd party developers exist for both Linux and Mac OS. I would like to see BTCJam support the YubiKey natively, but I guess there is no high demand for it. :/


    • I bought a YubiKey recently and have been trying it out. I wish it was easier to set up on Mac… I started but haven’t gotten it working. I would also like YubiKey and Text Message Verification (for people who don’t have smartphones) to be an option on BTCJam. Thanks for the suggestion! 🙂


  2. it should be noted that – even though it is possible to set two-factor authentication for notes to ‘require for all transactions’ – btcjam will not ask for two-factor authentication when purchasing notes. this represents a possible attack vector for stealing bitcoins from a user according to the following scenario:

    (1) user EvilGuy has an account at btcjam with a small amount of btc in it.
    (2) user GoodGal has an account at btcjam with an arbitrary amount of btc in it.
    (3) EvilGuy gains control of GoodGal’s account, e.g. by obtaining her password.
    (4) EvilGuy buys a note at a large discount and offers that note for sale at the original price.
    (5) EvilGuy makes GoodGal buy that note by logging into her account.
    (6) EvilGuy proceeds with step (4) until user GoodGal’s balance has been emptied.

    step (5), i.e. selling EvilGuy’s notes to GoodGal will effectively transfer GoodGal’s funds to EvilGuy’s account. EvilGuy will profit from this if he can buy notes in (4) at a discounted value, which is the norm on the notes marketplace (discounts up to 1000% observed).
    i have reported this to btcjam support on 13 oct 2014 and got a response that this is a known issue and should be resolved in the next few feature batches. however, this issue still persists.
    i am posting this here in order to apply some pressure to btcjam to close this loophole.
    in case my comment will be censored or not published, i will find other ways to bring this to the attention of the public.


    • Thanks for the great suggestions. I have added them to our system and I will advocate for them to be fixed soon.


  3. What about re-activation of 2-factor authentication? I had 2-FA set up previously, but my smartphone was lost/stolen. I was unable to do anything on my account during the time I didn’t have a phone (which was painful as I had a couple loans enter default and really wanted to sell the notes). Now that I have a phone again, with 2-FA set up for my Google account, I still can’t access my funds in BTCJam because as far as they know I have 2-FA set up and I’m unable to get a new 2-FA setup QR code for Google Authenticator.


    • i suggest you email the btcjam support about this.

      for the future, it is recommendable to save the qr code (as a picture file by taking a screen shot, as a paper printout, etc.) and store it at a safe location (i.e. not on the phone that has the authenticator app running, not on the computer used for logging in to btcjam, not on cloud storage). the picture of a qr code can be scanned at a later time, e.g. after reinstalling the google authenticator app, to recreate your two-factor authentication.


    • Hi Charlie! In order to make changes to Two Factor Authentication (TFA) on your account, please provide support@btcjam.com with a photograph, taken today, of you holding an identity document. Please make sure the information on your identity document is clear enough to read in the photograph.

      If you have any other questions, please feel free to contact us. Thanks for being part of the BTCJam community!


      • Same issue here. Why is it not possible to temporarily disable Google Authenticator by sending an e-mail to the security e-mail address? The account is useless for me now.


  4. Emails are easy to fake, including the “From” field. You can insert any email address there and several mail servers would not refuse to send the mail (well-configured ones would refuse it). So, anybody could write an email to BTCJam asking for 2fa removal. This can not be your wish, can it? You should do what Aaron described to gain access to your account again.


    • Correct. At the moment there is no safe way to request 2fa removal or use a back-up option in case you can’t use google authenticator.
      My suggestion was to include a clickable link somewhere under “security settings” to request temp 2fa removal. After clicking this, an e-mail will be sent to the registered account e-mail address with a link to temporarily disable Google Authenticator.
      Another back-up option could be to add a phone number to the account profile and include the option to send an sms authentication code to that phone number (as a fall-back scenario when you cannot use google authenticator).
