On Tue, 26 May 2009, Bill Nottingham wrote:
> Seth Vidal (skvidal@xxxxxxxxxxxxxxxxx) said:
>> I can think of multiple ways to do it:
>>
>> 1. login to a web page
>> 2. click on 'auth me' button
>> 3. it sends you a txt msg
>> 4. you input the password it sent you
>> 5. you get a cert back that you use for auths for a set period of time (24 hours?)
>>
>> or
>>
>> 1. login to a webpage
>> 2. download a key
>> 3. it sends you a txt msg which contains a password for that key
>> 4. the key + txt'd password allows you to login for a set period of time (24 hours?)
>>
>> Now, my question is - what is dangerous/silly about this?
>
> Can you, with only the password, change the phone number used for
> the second factor?

I'd say no.
Just like if you lose your hardware key. You have to go through some
convoluted authentication process to change the number.
-sv
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
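
The first flow in the thread (a texted one-time password exchanged for a credential valid for a set period), as an added example that is not part of the original messages or of Fedora's infrastructure code. An HMAC-signed token stands in for the cert; the code lifetime, the guess limit, and all names are assumptions.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # signs issued credentials
CODE_TTL = 300                         # assumed: texted code valid 5 minutes
CRED_TTL = 24 * 3600                   # "24 hours?" from the thread
MAX_TRIES = 3                          # assumed guess limit per code
pending = {}                           # user -> [code_hash, expires, tries_left]

def _h(code):
    return hashlib.sha256(code.encode()).digest()

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest().encode()

def start_challenge(user, now=None):
    """Steps 2-3: make a one-time code; the caller texts it to the phone on file."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"
    pending[user] = [_h(code), now + CODE_TTL, MAX_TRIES]   # store only the hash
    return code

def redeem(user, code, now=None):
    """Steps 4-5: check the texted code; return a 24-hour credential or None."""
    now = time.time() if now is None else now
    entry = pending.get(user)
    if entry is None or now > entry[1]:
        pending.pop(user, None)        # unknown or expired challenge
        return None
    if not hmac.compare_digest(entry[0], _h(code)):
        entry[2] -= 1
        if entry[2] <= 0:
            del pending[user]          # too many guesses: a new code is required
        return None
    del pending[user]                  # single use: a replayed code fails
    body = f"{user}|{int(now + CRED_TTL)}"
    return f"{body}|{_mac(body).decode()}"

def check_credential(token, now=None):
    """Return the user name if the credential is authentic and unexpired."""
    now = time.time() if now is None else now
    try:
        user, exp, mac = token.rsplit("|", 2)
        expires, mac_b = int(exp), mac.encode()
    except ValueError:
        return None                    # malformed token
    ok = hmac.compare_digest(_mac(f"{user}|{exp}"), mac_b)
    return user if ok and now <= expires else None
```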