On Tue, May 26, 2009 at 10:08 AM, Till Maas <opensource@xxxxxxxxx> wrote: > On Di Mai 26 2009, Seth Vidal wrote: >> On Tue, 26 May 2009, Till Maas wrote: >> > On Di Mai 26 2009, Jesse Keating wrote: >> >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote: >> >>> A problem with phones is, that they are typically not as secure as >> >>> hardware tokens. Users can install custom software on them. Also the >> >>> phone may be compromised via bluetooth. It might be even possible to >> >>> directly access text messages via bluetooth or maybe also wifi >> >>> nowadays. >> >> >> >> Wouldn't that be why you have to combine what comes up on your phone >> >> with the password you know, so that just the phone alone can't get you >> >> in? >> > >> > Here is another attack scenario: The attacker first attacks the desktop >> > to obtain the password. But then he also compromises the phone once it is >> > connected to the desktop to synchronize some data, e.g. contacts, music >> > or software. Then the attacker got both factors without having physical >> > access on the phone. >> >> Both of them assume an attacker targetting someone on our system. > > Why is this? Even an attacker that got access to your desktop without > specifically targetting a Fedora infrastructure team member can afterwards > compromise your phone, once he noticed that you use it to login to Fedora. The > browser cache or e-mails may indicate that you login to Fedora and some config > files for phone synchronization can show the attacker, how the phone can be > compromised. > Part of security work is analysis of the perceived risk and mitigation strategies or acceptance of that risk. I think that using a mobile phone as part of a two-factor auth scheme is a good idea, despite the inherent risks of the platform. It's a relatively low cost item that nearly everyone has or can obtain. While it's not a very secure object on it's own, I think that because it's only one factor in a two factor scheme, it's still useful and 'good enough' for this purpose. I would be willing to accept the risks of using this as a part of our auth scheme. My perception of those risks is that there is a sufficient level of effort required on the part of the attacker as to make an attack non-trivial and reasonably time consuming. ---Brett. _______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
