I was changing some settings with my mobile phone company and in order to change my password they made me use what looks a lot like 2 factor auth:
something I know: my current password
something I have: my phone
I logged in with my current password - then they txt'd me a temporary password which I had to type in to verify I was me.
Which got me to wondering - if most people have a mobile phone and/or have access to one - why couldn't we use that as the second factor for our auth?
I can think of multiple ways to do it:
1. login to a web page
2. click on 'auth me' button
3. it sends you a txt msg
4. you input the password it sent you
5. you get a cert back that you use for auths for a set period of time (24 hours?)
or
1. login to a webpage
2. download a key
3. it sends you a txt msg which contains a password for that key
4. the key + txt'd password allows you to login for a set period of time (24 hours?)
Now, my question is - what is dangerous/silly about this?
-sv
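The first flow described in the post (password login, texted one-time code, then a credential good for a set period), as an added example that is not part of the original post. It assumes a hypothetical in-memory server, an HMAC-signed token standing in for the "cert", and a plain list standing in for the SMS gateway; all values are constructed.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_SECRET = secrets.token_bytes(32)  # constructed server-side signing key
CODE_TTL = 300                           # texted code lives 5 minutes
SESSION_TTL = 24 * 3600                  # the "24 hours?" from the post

_pending = {}   # user -> (code, expiry); one outstanding code per user
_sent_sms = []  # stand-in for the SMS gateway: what would have been texted


def start_second_factor(user, now=None):
    """Steps 2-3: after the password check, mint a one-time code and 'text' it."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
    _pending[user] = (code, now + CODE_TTL)   # replaces any earlier code
    _sent_sms.append((user, code))
    return code


def verify_code(user, submitted, now=None):
    """Step 4: the code is single-use and expires; a wrong guess also burns it."""
    now = time.time() if now is None else now
    entry = _pending.pop(user, None)           # consumed whether or not it matches
    if entry is None:
        return None
    code, expiry = entry
    if now > expiry or not hmac.compare_digest(code, submitted):
        return None
    return issue_session_token(user, now)


def issue_session_token(user, now):
    """Step 5: a signed, time-limited token the client presents on later requests."""
    payload = json.dumps({"user": user, "exp": int(now + SESSION_TTL)}).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    b64 = lambda b: base64.urlsafe_b64encode(b).decode()
    return b64(payload) + "." + b64(sig)


def check_session_token(token, now=None):
    """Return the user for a valid, unexpired, untampered token, else None."""
    now = time.time() if now is None else now
    try:
        p_b64, s_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(p_b64)
        sig = base64.urlsafe_b64decode(s_b64)
    except ValueError:                         # malformed token
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    return claims["user"] if now <= claims["exp"] else None
```

The token check is deliberately independent of the SMS step: once the 24-hour credential is issued, the phone is no longer consulted, which is exactly the window the post asks about.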