mobile phone + password = 2-factor auth?

Seth Vidal skvidal at fedoraproject.org
Tue May 26 13:50:49 UTC 2009


I was changing some settings with my mobile phone company and in order to 
change my password they made me use what looks a lot like 2-factor auth:

something I know: my current password
something I have: my phone

I logged in with my current password - then they texted me a temporary 
password which I had to type in to verify I was me.

Which got me to wondering - if most people have a mobile phone and/or have 
access to one - why couldn't we use that as the second factor for our 
auth?

I can think of multiple ways to do it:

1. login to a web page
2. click on 'auth me' button
3. it sends you a text message
4. you input the password it sent you
5. you get a cert back that you use for auths for a set period of time (24 
hours?)

or

1. login to a webpage
2. download a key
3. it sends you a text message which contains a password for that key
4. the key + txt'd password allows you to login for a set period of time 
(24 hours?)


Now, my question is - what is dangerous/silly about this?

-sv
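As an added example, not code from the post or from Fedora infrastructure, here is the server side of the first scheme described above: after the password check, mint a one-time code, text it out, and on a correct reply hand back a token good for 24 hours. The class and function names, the 6-digit code length, the 5-minute code lifetime, the 3-attempt limit and the `send_sms` gateway hook are all assumptions made for this example; only the 24-hour token lifetime comes from the post.

```python
"""Server side of: password login -> texted one-time code -> 24-hour token.
Added example; names, code length, timeouts and attempt limit are assumptions."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed: 6-digit code, what most SMS systems send
OTP_TTL = 300           # assumed: the texted code is valid for 5 minutes
OTP_MAX_ATTEMPTS = 3    # assumed: 3 wrong guesses burn the code
TOKEN_TTL = 24 * 3600   # the post's "set period of time (24 hours?)"


class SmsSecondFactor:
    """Holds pending codes and mints/validates the post-login token.

    send_sms(phone, text) is the caller's gateway hook (assumed interface);
    clock() is injectable so tests can move time forward.
    """

    def __init__(self, server_key: bytes, send_sms, clock=time.time):
        self._key = server_key
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}   # user -> [code_hmac, expires_at, attempts_left]

    def _hash_code(self, user: str, code: str) -> bytes:
        # Store a keyed hash of the code, not the code itself, so a leaked
        # pending-code table is not enough to complete someone's login.
        msg = f"otp:{user}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, user: str, phone: str) -> None:
        """Steps 2-3: the password already checked out; mint and text a code."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = [self._hash_code(user, code),
                               self._clock() + OTP_TTL, OTP_MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, user: str, code: str):
        """Steps 4-5: check the typed code; return a 24-hour token or None."""
        entry = self._pending.get(user)
        if entry is None:
            return None
        code_hmac, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]          # stale code: ask for a new one
            return None
        if not hmac.compare_digest(code_hmac, self._hash_code(user, code)):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[user]      # too many guesses: burn the code
            return None
        del self._pending[user]              # a code is good exactly once
        return self.issue_token(user)

    def issue_token(self, user: str) -> str:
        """Bearer token: user, expiry, and an HMAC over both."""
        expires_at = int(self._clock()) + TOKEN_TTL
        payload = f"{user}:{expires_at}"
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def check_token(self, token: str):
        """Return the user the token belongs to, or None if forged or expired."""
        try:
            user, expires_at, sig = token.rsplit(":", 2)
        except ValueError:
            return None
        payload = f"{user}:{expires_at}"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                      # signature checked before trusting expiry
        if self._clock() > int(expires_at):
            return None
        return user


if __name__ == "__main__":
    # Constructed demo: the "gateway" just prints the text it would send.
    factor = SmsSecondFactor(secrets.token_bytes(32), lambda phone, text: print(phone, text))
    factor.start("demo", "+1-555-0100")
```

The code is compared through a keyed hash and `hmac.compare_digest`, the pending entry is deleted on success so a code cannot be replayed, and the token carries its own expiry under the same HMAC, so nothing needs to be stored server-side for the 24-hour window.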




More information about the infrastructure mailing list