Seth Vidal (skvidal@fedoraproject.org) said:
I can think of multiple ways to do it:
- login to a web page
- click on 'auth me' button
- it sends you a txt msg
- you input the password it sent you
- you get a cert back that you use for auths for a set period of time (24 hours?)
or
- login to a webpage
- download a key
- it sends you a txt msg which contains a password for that key
- the key + txt'd password allows you to login for a set period of time (24 hours?)
Now, my question is - what is dangerous/silly about this?

Can you, with only the password, change the phone number used for the second factor?
Bill
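
Added example, not part of the original thread: a sketch of the first flow listed above (password login, texted one-time code, credential valid for 24 hours), together with the control Bill's question points at, where changing the phone number needs a code sent to the current phone. All names, the 5-minute code lifetime, the in-memory `OUTBOX` standing in for an SMS gateway, and the random bearer token standing in for the cert are assumptions.

```python
import hashlib, hmac, secrets

CRED_LIFETIME = 24 * 3600  # the "24 hours?" window from the thread
OTP_LIFETIME = 300         # assumption: a texted code is valid for 5 minutes
OUTBOX = []                # stand-in for the SMS gateway: (phone, code) pairs

class Account:
    def __init__(self, password, phone):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._kdf(password)
        self.phone = phone
        self.pending = {}  # purpose -> (code, expires_at)

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def password_ok(self, password):
        return hmac.compare_digest(self._kdf(password), self.pw_hash)

def send_code(acct, password, purpose, now):
    """First factor: check the password, then text a code to the phone on file."""
    if not acct.password_ok(password):
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[purpose] = (code, now + OTP_LIFETIME)
    OUTBOX.append((acct.phone, code))
    return True

def redeem_code(acct, purpose, code, now):
    """Codes are single use and purpose-bound; a wrong guess also consumes the code."""
    stored, expires = acct.pending.pop(purpose, (None, 0))
    return stored is not None and now <= expires and hmac.compare_digest(stored, code)

def issue_credential(acct, code, now):
    """Second factor: trade the texted code for a time-limited credential."""
    if not redeem_code(acct, "login", code, now):
        return None
    return {"token": secrets.token_urlsafe(32), "expires_at": now + CRED_LIFETIME}

def credential_valid(cred, now):
    return cred is not None and now < cred["expires_at"]

def change_phone(acct, password, code, new_phone, now):
    """Password alone is not enough: a code sent to the CURRENT phone is required."""
    if not (acct.password_ok(password) and redeem_code(acct, "change-phone", code, now)):
        return False
    acct.phone = new_phone
    return True
```

If `change_phone` accepted the password by itself, anyone holding the password could redirect the texted codes to their own phone, and the scheme would be back to a single factor.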