mobile phone + password = 2 factor auth?

Till Maas opensource at till.name
Tue May 26 16:48:43 UTC 2009


On Tue May 26 2009, Jesse Keating wrote:
> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
> > A problem with phones is that they are typically not as secure as
> > hardware tokens. Users can install custom software on them. Also the
> > phone may be compromised via Bluetooth. It might even be possible to
> > directly access text messages via Bluetooth or maybe also Wi-Fi nowadays.
>
> Wouldn't that be why you have to combine what comes up on your phone
> with the password you know, so that just the phone alone can't get you
> in?

Here is another attack scenario: The attacker first attacks the desktop to
obtain the password. But then he also compromises the phone once it is
connected to the desktop to synchronize some data, e.g. contacts, music or
software. Then the attacker has both factors without having physical access to
the phone.

Regards
Till