mobile phone + password = 2 factor auth?

Seth Vidal skvidal at fedoraproject.org
Tue May 26 16:53:29 UTC 2009
On Tue, 26 May 2009, Bill Nottingham wrote:

> Seth Vidal (skvidal at fedoraproject.org) said:
>> I can think of multiple ways to do it:
>>
>> 1. login to a web page
>> 2. click on 'auth me' button
>> 3. it sends you a txt msg
>> 4. you input the password it sent you
>> 5. you get a cert back that you use for auths for a set period of time
>> (24 hours?)
>>
>> or
>>
>> 1. login to a webpage
>> 2. download a key
>> 3. it sends you a txt msg which contains a password for that key
>> 4. the key + txt'd password allows you to login for a set period of time
>> (24 hours?)
>>
>>
>> Now, my question is - what is dangerous/silly about this?
>
> Can you, with only the password, change the phone number used for
> the second factor?

I'd say no.

Just like if you lose your hardware key. You have to go through some 
convoluted authentication process to change the number.

-sv
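As an added example (not code from this thread or from Fedora Infrastructure), here is a small Python model of the first scheme Seth sketches: the password is the first factor, the texted code the second, success yields a 24-hour credential, and the phone number on file can only be changed from a fully authenticated session, which is the property Bill asks about. The SMS gateway is a constructed stub that just records what would have been sent.

```python
import hashlib, hmac, secrets, time
OTP_TTL = 300         # texted code valid for 5 minutes
CRED_TTL = 24 * 3600  # credential valid for the "24 hours?" floated in the thread
def _hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be exercised offline
        self.accounts = {}  # user -> {salt, pw_hash, phone, otp, otp_exp}
        self.creds = {}     # credential -> (user, expiry)
        self.sms_log = []   # constructed stand-in for the SMS gateway: (phone, code)

    def register(self, user, password, phone):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "pw_hash": _hash(salt, password),
                               "phone": phone, "otp": None, "otp_exp": 0}

    def login(self, user, password):
        """First factor: the password. On success a one-time code is 'texted'."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(
                acct["pw_hash"], _hash(acct["salt"], password)):
            return False
        acct["otp"] = f"{secrets.randbelow(10**6):06d}"  # 6-digit code
        acct["otp_exp"] = self.clock() + OTP_TTL
        self.sms_log.append((acct["phone"], acct["otp"]))
        return True

    def confirm_otp(self, user, code):
        """Second factor: the texted code. Returns a 24-hour credential or None."""
        acct = self.accounts.get(user)
        if (acct is None or acct["otp"] is None or self.clock() > acct["otp_exp"]
                or not hmac.compare_digest(acct["otp"], code)):
            return None
        acct["otp"] = None  # single use: a replayed code is refused
        cred = secrets.token_urlsafe(32)
        self.creds[cred] = (user, self.clock() + CRED_TTL)
        return cred

    def cred_user(self, cred):
        user, exp = self.creds.get(cred, (None, 0))
        return user if user is not None and self.clock() <= exp else None

    def change_phone(self, cred, new_phone):
        user = self.cred_user(cred)  # full session required; the password alone cannot re-point the phone
        if user is None:
            return False
        self.accounts[user]["phone"] = new_phone
        return True
```

A real deployment would also rate-limit code guesses and log phone changes, neither of which the model shows.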
