mobile phone + password = 2 factor auth?

Bryan Kearney bkearney at redhat.com
Tue May 26 16:12:54 UTC 2009


Seth Vidal wrote:
> 
> 
> On Tue, 26 May 2009, Till Maas wrote:
> 
>> On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote:
>>> I was changing some settings with my mobile phone company and in order to
>>> change my password they made me use what looks a lot like 2 factor auth:
>>>
>>> something I know: my current password
>>> something I have: my phone
>>>
>>> I logged in with my current password - then they txt'd me a temporary
>>> password which I had to type in to verify I was me.
>>>
>>> Which got me to wondering - if most people have a mobile phone and/or have
>>> access to one - why couldn't we use that as the second factor for our
>>> auth?
>>
>> A problem with phones is that they are typically not as secure as hardware
>> tokens. Users can install custom software on them. Also the phone may be
>> compromised via bluetooth. It might be even possible to directly access text
>> messages via bluetooth or maybe also wifi nowadays.
>>
> 
> But that's the point of it being one factor of two factor auth...
> 
> Even if you compromise the txt msg you still don't have the component 
> that the user knows. You only have the component that the user HAS.
> 
> -sv

How about a token App for the iPhone? Download a certificate with seed 
data for the algorithm... and Bob's your uncle.

-- bk
