mobile phone + password = 2 factor auth?

Bill Nottingham notting at redhat.com
Tue May 26 16:53:30 UTC 2009


Seth Vidal (skvidal at fedoraproject.org) said: 
> I can think of multiple ways to do it:
>
> 1. login to a web page
> 2. click on 'auth me' button
> 3. it sends you a txt msg
> 4. you input the password it sent you
> 5. you get a cert back that you use for auths for a set period of time 
> (24 hours?)
>
> or
>
> 1. login to a webpage
> 2. download a key
> 3. it sends you a txt msg which contains a password for that key
> 4. the key + txt'd password allows you to login for a set period of time  
> (24 hours?)
>
>
> Now, my question is - what is dangerous/silly about this?

Can you, with only the password, change the phone number used for
the second factor?

Bill
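The flow Seth sketches and the check Bill asks about can be shown in a few dozen lines of server logic. The example below is added here and is not code from the thread or from Fedora infrastructure; it is a toy in-memory Python model of the first variant (password login, texted one-time code, 24-hour session) with the mitigation Bill's question points at: changing the phone number that receives the code requires a recent successful second factor, not just the password. The TTL values, the account names and the `outbox` list standing in for the SMS gateway are constructed for the example; passwords are kept in plaintext only to keep it short.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed policy values for the example (not stated in the thread).
CODE_TTL_SECONDS = 300            # a texted code is redeemable for five minutes
SESSION_TTL_SECONDS = 24 * 3600   # the "24 hours?" window from the thread
STEP_UP_WINDOW_SECONDS = 300      # phone changes need a second factor passed this recently


@dataclass
class Account:
    username: str
    password: str                 # plaintext for brevity only; hash it in real code
    phone_number: str
    pending_code: Optional[str] = None
    code_expires_at: float = 0.0
    last_second_factor_at: float = 0.0


@dataclass
class Server:
    accounts: Dict[str, Account] = field(default_factory=dict)
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token -> (user, expiry)
    outbox: List[Tuple[str, str]] = field(default_factory=list)          # (number, code) "sent"

    def check_password(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct.password, password)

    def send_code(self, username: str, password: str, now: float) -> bool:
        """Steps 1-3: password login, then a fresh code is texted to the enrolled number."""
        if not self.check_password(username, password):
            return False
        acct = self.accounts[username]
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"
        acct.code_expires_at = now + CODE_TTL_SECONDS
        self.outbox.append((acct.phone_number, acct.pending_code))
        return True

    def verify_code(self, username: str, code: str, now: float) -> Optional[str]:
        """Steps 4-5: redeem the code once, within its TTL, for a session token."""
        acct = self.accounts.get(username)
        if acct is None or acct.pending_code is None or now > acct.code_expires_at:
            return None
        ok = hmac.compare_digest(acct.pending_code, code)
        acct.pending_code = None          # single use, whether or not it matched
        if not ok:
            return None
        acct.last_second_factor_at = now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, now + SESSION_TTL_SECONDS)
        return token

    def change_phone_number(self, username: str, password: str,
                            new_number: str, now: float) -> bool:
        """Bill's check: the password alone must not be able to move the second factor."""
        if not self.check_password(username, password):
            return False
        acct = self.accounts[username]
        if now - acct.last_second_factor_at > STEP_UP_WINDOW_SECONDS:
            return False                  # require a recent code verification first
        acct.phone_number = new_number
        return True


if __name__ == "__main__":
    srv = Server()
    srv.accounts["seth"] = Account("seth", "pw", "+15550001111")   # constructed account
    print("phone change with password only:",
          srv.change_phone_number("seth", "pw", "+15559999999", now=0.0))
    srv.send_code("seth", "pw", now=1.0)
    number, code = srv.outbox[-1]
    token = srv.verify_code("seth", code, now=2.0)
    print("session issued:", token is not None)
    print("phone change after second factor:",
          srv.change_phone_number("seth", "pw", "+15559999999", now=3.0))
```

The second variant in Seth's mail (download a key, receive its password by text) has the same enrollment question: whatever lets a password-only session rebind the phone number collapses the scheme back to one factor.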
