Official Agora Security Guide

The following is reprinted here exactly as published in the Agora Marketplace Info/Help section.

2-factor authentication using PGP keys

If you keep any substantial amount of money on your market account (which you should never do unless you really have to), there are a lot of people who will try to steal it from you. Even provided that the market’s own security is air-tight, there are a number of ways (phishing sites, keyloggers, social engineering, brute-forcing weak passwords) that attackers can use to attempt to access your account without your consent. To minimize the risk of this happening, it is STRONGLY ADVISED that you activate 2-factor authentication.

We shall not provide any assistance in case of lost/stolen passwords if you don’t keep a PGP key in your profile.

Adding a PGP key

A prerequisite for 2-factor authentication is that you upload your PGP key to the market so we will have a way of identifying you. To do this, simply add a valid ASCII-armored PGP public key (a block of base64 characters starting with “—–BEGIN PGP PUBLIC KEY”, you should already be familiar with this if you do any kind of communication on a Tor market) to your description on your profile page and save it. The system will tell you if the key has been properly stored, or if there were any problems with it.

Every time you add a key, system saves it internally and the addition date recorded. If an attacker manages to access your account and change the description, we will still have access to the old key.

PGP-login activation

When PGP-login is activated, on the login page, after entering a username and a password, you will be asked to decrypt a message encrypted with your current public key from your profile.

The system does not check your password until after you correctly decrypt the PGP message. If you have entered a wrong password, you will be told so AFTER the PGP message has been decrypted. The system will ultimately require you to provide both a correctly decrypted message and your password.

PGP-login can be activated manually using a link on your Profile page. To activate it you will have to decrypt a message with the current PGP key to make sure that you will be able to do this later at the login time.

PGP-login is also activated automatically, even if you don’t explicitly do this, when somebody tries to log in using your username too many times too fast. This functionality is there to prevent brute-forcing of passwords. If this happens for an account which does not have a PGP key added, all login attempts will be blocked until a certain time passes.



Short link to this page: