mobile phone + password = 2 factor auth?

Eric Christensen eric at christensenplace.us
Tue May 26 18:00:39 UTC 2009


On Tue, May 26, 2009 at 13:11, Seth Vidal <skvidal at fedoraproject.org> wrote:
> On Tue, 26 May 2009, Till Maas wrote:
>
>>
>> Why is this? Even an attacker that got access to your desktop without
>> specifically targeting a Fedora infrastructure team member can afterwards
>> compromise your phone, once he noticed that you use it to login to Fedora.
>> The browser cache or e-mails may indicate that you login to Fedora and some
>> config files for phone synchronization can show the attacker how the phone
>> can be compromised.
>
> Doesn't this same argument stand if you plug the yubikey into the machine?
> I.e.: sniff the incoming usb traffic and grab the "password" that the yubikey
> has just inputted?
>
> -sv

Yubikey uses a one time password (OTP) so sniffing the output of the
device would yield the key for that particular time and wouldn't be
able to be used at a later time.

Eric "Sparks"
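The replay property Eric describes, as an added example that is not code from this thread or from Yubico: a simplified server-side verifier for the 16-byte plaintext block inside a Yubico OTP. It assumes the AES-128 decryption and modhex decoding have already happened (both are skipped here), checks the ISO 13239 CRC-16 residual, and rejects any OTP whose counters are not strictly newer than the last one accepted, so a sniffed token fails on its second use. `build_block` and `Verifier` are hypothetical names for this example.

```python
"""Replay rejection for Yubico OTP plaintext blocks (added example).

Layout of the decrypted 16-byte block (public Yubico OTP spec):
  [0:6] private uid, [6:8] use counter (LE), [8:11] timestamp,
  [11] session counter, [12:14] random, [14:16] CRC-16 (LE).
Assumption: AES and modhex layers are handled elsewhere.
"""
import struct

CRC_OK_RESIDUAL = 0xF0B8  # CRC-16 over a valid block (data + ~crc) yields this


def crc16(data: bytes) -> int:
    """ISO 13239 / HDLC CRC-16: init 0xffff, reflected poly 0x8408."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_block(uid: bytes, use_ctr: int, tstp: int, session_ctr: int, rnd: int) -> bytes:
    """Constructed plaintext block, i.e. what a key would encrypt per press."""
    body = (uid + struct.pack("<H", use_ctr) + tstp.to_bytes(3, "little")
            + bytes([session_ctr]) + struct.pack("<H", rnd))
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


class Verifier:
    """Per-key server state: the highest counter pair accepted so far."""

    def __init__(self, uid: bytes):
        self.uid = uid
        self.last = (-1, -1)  # (use counter, session counter) of last OK OTP

    def verify(self, block: bytes) -> str:
        if len(block) != 16 or crc16(block) != CRC_OK_RESIDUAL:
            return "BAD_OTP"  # corrupted, or decrypted with the wrong AES key
        if block[:6] != self.uid:
            return "BAD_OTP"  # private id does not belong to this key
        use_ctr = struct.unpack("<H", block[6:8])[0]
        seen = (use_ctr, block[11])
        if seen <= self.last:
            return "REPLAYED_OTP"  # sniffed and resubmitted, or out of order
        self.last = seen  # accept and advance; the same OTP can never pass again
        return "OK"
```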
