On 05/26/2009 05:44 PM, Till Maas wrote:
> On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote:
>> I was changing some settings with my mobile phone company and in order to
>> change my password they made me use what looks a lot like 2-factor auth:
>> something I know: my current password
>> something I have: my phone
>> I logged in with my current password - then they txt'd me a temporary
>> password which I had to type in to verify I was me.
>> Which got me to wondering - if most people have a mobile phone and/or have
>> access to one - why couldn't we use that as the second factor for our
>> auth?
> A problem with phones is that they are typically not as secure as hardware
> tokens. Users can install custom software on them. Also the phone may be
> compromised via bluetooth. It might even be possible to directly access text
> messages via bluetooth or maybe also wifi nowadays.
Although this is entirely true, my bank sure considers my phone safe
enough to send me one-time transaction confirmation codes that are only
valid with the existing session.
So, to hack this, you would need access to my phone as well as my
current session.
-Jeroen
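The scheme Seth describes (password, then a temporary code texted to the phone) and the property Jeroen's bank relies on (the code is only valid together with the existing session) can be shown in a few dozen lines. The following is an added example written for this thread; it is not code from Fedora infrastructure or from anyone posting here. The class and function names (OtpStore, issue_code, verify_code), the five-minute lifetime, the three-attempt budget and the fake SMS transport are all assumptions made for illustration. The point it demonstrates is the one in the replies: a code read off the phone (say over bluetooth) is useless without the session it was issued to, a hijacked session is useless without the phone, and a used, stale or guessed-at code is rejected.

```python
"""Session-bound one-time codes as a second factor delivered by SMS.

Added example, not code from the Fedora infrastructure project or from
anyone on the thread. All names and parameters below are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300     # assumption: a code lives five minutes
MAX_ATTEMPTS = 3           # assumption: burn the code after three wrong guesses
SERVER_KEY = secrets.token_bytes(32)   # per-process secret for keyed hashing of stored codes
PHONE = "+15555550100"     # constructed sample phone number


def _digest(session_id: str, action: str, code: str) -> bytes:
    """Keyed hash of the code together with the session and action it confirms.
    Storing this instead of the code means a code is only meaningful for that
    session and that action, and a leaked store does not leak live codes."""
    msg = f"{session_id}\0{action}\0{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class OtpStore:
    """Server-side record of outstanding codes, keyed by session id."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone, text): the SMS transport
        self.now = now             # injectable clock so expiry can be exercised
        self.pending = {}          # session_id -> record; re-issuing replaces the old code

    def issue_code(self, session_id: str, phone: str, action: str) -> None:
        """Mint a 6-digit code, keep only its keyed hash, text the code to the phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = {
            "digest": _digest(session_id, action, code),
            "action": action,
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(phone, f"Your confirmation code for {action}: {code}")

    def verify_code(self, session_id: str, action: str, code: str) -> bool:
        """Accept a code once, only for the session and action it was issued to,
        only before expiry, and only within the attempt budget."""
        rec = self.pending.get(session_id)
        if rec is None:
            return False           # nothing outstanding for this session
        if self.now() > rec["expires"]:
            del self.pending[session_id]
            return False           # stale code
        rec["attempts"] += 1
        ok = rec["action"] == action and hmac.compare_digest(
            rec["digest"], _digest(session_id, action, code))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[session_id]   # single use; also burnt after too many tries
        return ok


def demo() -> dict:
    """Walk through the cases raised in the thread with a constructed SMS outbox."""
    outbox = []                    # constructed fake transport: what the phone would show
    clock = [1_000_000.0]          # constructed clock, advanced by hand
    store = OtpStore(send_sms=lambda phone, text: outbox.append((phone, text)),
                     now=lambda: clock[0])

    def last_code() -> str:
        return outbox[-1][1].rsplit(": ", 1)[1]

    def wrong(code: str) -> str:   # a guess guaranteed to differ from the real code
        return code[:-1] + str((int(code[-1]) + 1) % 10)

    results = {}
    store.issue_code("sess-A", PHONE, "change_password")
    code = last_code()
    # attacker read the SMS (e.g. via bluetooth) but holds a different session
    results["stolen_code_other_session"] = store.verify_code("sess-B", "change_password", code)
    # attacker hijacked the session but does not have the phone
    results["session_without_code"] = store.verify_code("sess-A", "change_password", wrong(code))
    # the real user: session, action and code all match
    results["legit"] = store.verify_code("sess-A", "change_password", code)
    # the same code presented again
    results["replay"] = store.verify_code("sess-A", "change_password", code)

    store.issue_code("sess-A", PHONE, "change_password")
    code = last_code()
    # a code confirms the action it was issued for, nothing else
    results["wrong_action"] = store.verify_code("sess-A", "transfer_funds", code)
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.verify_code("sess-A", "change_password", code)

    store.issue_code("sess-A", PHONE, "change_password")
    code = last_code()
    for _ in range(MAX_ATTEMPTS):
        store.verify_code("sess-A", "change_password", wrong(code))
    # even the right code is refused once the attempt budget is spent
    results["locked_out"] = store.verify_code("sess-A", "change_password", code)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} accepted={accepted}")
```

Binding the code to the session id and the action is what makes "phone plus session" the attacker's requirement rather than "phone or session"; the short lifetime, single use and attempt cap are what keep a six-digit code from being brute-forced or replayed. None of this addresses Till's point that the phone itself may be compromised; it only ensures that a stolen code on its own buys the attacker nothing.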
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list