On Tue, May 26, 2009 at 11:08 AM, Till Maas <opensource@xxxxxxxxx> wrote:
> On Tue May 26 2009, Seth Vidal wrote:
>> On Tue, 26 May 2009, Till Maas wrote:
>> > On Tue May 26 2009, Jesse Keating wrote:
>> >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
>> >>> A problem with phones is that they are typically not as secure as
>> >>> hardware tokens. Users can install custom software on them. Also the
>> >>> phone may be compromised via bluetooth. It might even be possible to
>> >>> directly access text messages via bluetooth or maybe also wifi
>> >>> nowadays.
>> >>
>> >> Wouldn't that be why you have to combine what comes up on your phone
>> >> with the password you know, so that just the phone alone can't get you
>> >> in?
>> >
>> > Here is another attack scenario: The attacker first attacks the desktop
>> > to obtain the password. But then he also compromises the phone once it is
>> > connected to the desktop to synchronize some data, e.g. contacts, music
>> > or software. Then the attacker has got both factors without having physical
>> > access to the phone.
>>
>> Both of them assume an attacker targeting someone on our system.
>
> Why is this? Even an attacker that got access to your desktop without
> specifically targeting a Fedora infrastructure team member can afterwards
> compromise your phone, once he has noticed that you use it to log in to Fedora. The
> browser cache or e-mails may indicate that you log in to Fedora, and some config
> files for phone synchronization can show the attacker how the phone can be
> compromised.

Ok, you have an attack vector. There are attack vectors against every
authentication method. The issue is that you need to gauge how likely this
attack is and how one recovers from the attack. If you show that one is very
high, and two is very costly, then the weight of this method is less than
another method.

-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams!
So shines a good deed in a naughty world.
= Shakespeare. "The Merchant of Venice"

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list