New PGP Two-Factor Authentication Protocol Rolls Out Across the Platform

The WeTheNorth marketplace rolled out a major security upgrade in mid-2025, replacing its previous TOTP-based two-factor authentication with a PGP challenge-response system. Under the new system, users who enable 2FA are presented with an encrypted challenge message at each login. They must decrypt it using their PGP private key and return the signed response to authenticate.

This change was driven by the limitations of TOTP-based 2FA in the anonymous marketplace context. TOTP codes are short-lived one-time passwords, but they remain vulnerable to real-time phishing: an attacker who has just captured a username and password through a proxy page can request the TOTP code from the victim and relay it to the real site before it expires. PGP challenge-response fundamentally prevents this because the private key never leaves the user's device.

The rollout was received positively by the security-conscious segment of the community. PGP-based authentication requires users to have already set up a PGP key pair — which they should have for encrypting shipping addresses anyway. For security-aware users the change removed a redundant second factor (the separate TOTP step), while dramatically raising baseline account security for the broader user population.

Security researchers covering darknet marketplace security noted that PGP 2FA, when combined with a strong passphrase on the private key, makes credential-based account takeover essentially infeasible. Even if an attacker obtains a user's marketplace password through a phishing page, they cannot authenticate without the private key — which exists only on the legitimate user's device.
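The login exchange described in the two paragraphs above, as an added example that is not the marketplace's own code: the server encrypts a random nonce to the user's public key, the client decrypts it with the private key that stays on the device, and the server accepts the reply only once and only before it expires. RSA-OAEP from Go's standard library stands in for OpenPGP encryption, and the type and function names are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// Challenge is the server's record of one pending login (assumed structure).
type Challenge struct {
	Nonce   []byte
	Session string
	Expires time.Time
	Used    bool
}

// IssueChallenge draws a random nonce and encrypts it to the user's public key.
// RSA-OAEP stands in for OpenPGP; the session id is the OAEP label, binding the ciphertext to this login.
func IssueChallenge(pub *rsa.PublicKey, session string, ttl time.Duration) ([]byte, *Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, []byte(session))
	if err != nil {
		return nil, nil, err
	}
	return ct, &Challenge{Nonce: nonce, Session: session, Expires: time.Now().Add(ttl)}, nil
}

// ClientRespond is the user's side: decrypt with the private key, which never leaves the device.
func ClientRespond(priv *rsa.PrivateKey, session string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(session))
}

// Verify consumes the challenge and compares in constant time. Expired, reused or
// mis-bound challenges are refused, so a captured response cannot be replayed.
func Verify(c *Challenge, session string, resp []byte, now time.Time) error {
	if c.Used || now.After(c.Expires) || c.Session != session {
		return errors.New("challenge expired, already used, or issued for another session")
	}
	c.Used = true // consumed on the first attempt, whether or not it succeeds
	if subtle.ConstantTimeCompare(resp, c.Nonce) != 1 {
		return errors.New("response does not match challenge")
	}
	return nil
}
```

Binding the challenge to the session and consuming it on first use is what limits a relayed or captured response; a stolen password alone still yields nothing without the key.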

The implementation also included improvements to the account recovery flow, though recovery options remain intentionally limited by design to protect user anonymity.