Re: mobile phone + password = 2 factor auth?

On Tue May 26 2009, Seth Vidal wrote:
> On Tue, 26 May 2009, Till Maas wrote:
> > On Tue May 26 2009, Jesse Keating wrote:
> >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
> >>> A problem with phones is that they are typically not as secure as
> >>> hardware tokens. Users can install custom software on them. Also the
> >>> phone may be compromised via Bluetooth. It might even be possible to
> >>> directly access text messages via Bluetooth or maybe also Wi-Fi
> >>> nowadays.
> >>
> >> Wouldn't that be why you have to combine what comes up on your phone
> >> with the password you know, so that just the phone alone can't get you
> >> in?
> >
> > Here is another attack scenario: The attacker first attacks the desktop
> > to obtain the password. But then he also compromises the phone once it is
> > connected to the desktop to synchronize some data, e.g. contacts, music
> > or software. Then the attacker got both factors without having physical
> > access to the phone.
>
> Both of them assume an attacker targeting someone on our system.

Why is this? Even an attacker that got access to your desktop without
specifically targeting a Fedora infrastructure team member can afterwards
compromise your phone, once he noticed that you use it to log in to Fedora. The
browser cache or e-mails may indicate that you log in to Fedora and some config
files for phone synchronization can show the attacker how the phone can be
compromised.

Regards
Till


_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
