Re: mobile phone + password = 2 factor auth?

On Tue May 26 2009, Stephen John Smoogen wrote:
> On Tue, May 26, 2009 at 11:08 AM, Till Maas <opensource@xxxxxxxxx> wrote:

> > Why is this? Even an attacker that got access to your desktop without
> > specifically targeting a Fedora infrastructure team member can
> > afterwards compromise your phone, once he noticed that you use it to
> > log in to Fedora. The browser cache or e-mails may indicate that you log in
> > to Fedora and some config files for phone synchronization can show the
> > attacker how the phone can be compromised.
>
> Ok you have an attack vector. There are attack vectors against every
> authentication method. The issue you need to gauge is how likely
> this attack is and how one recovers from the attack. If you show that
> one is very high, and two is very costly then the weight of this
> method is less than another method.

The history already showed that an attacker gained access to user's system 
account afaik. Since people involved in Fedora are more likely geeks, they 
will more likely not have some dumb phone, but some high tech phone that 
allows installing custom software. Because they are also interested in FOSS,
they will more likely install software that cannot be easily verified. E.g.
closed source applications for Symbian are normally signed by a well-known CA
for the phone. But there is afaik no established way to distribute signed FOSS
software for Symbian like there are GPG-signed packages in Fedora.

Regards
Till


_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
