mobile phone + password = 2 factor auth?
brett lentz
wakko666 at gmail.com
Tue May 26 17:20:34 UTC 2009
On Tue, May 26, 2009 at 10:08 AM, Till Maas <opensource at till.name> wrote:
> On Di Mai 26 2009, Seth Vidal wrote:
>> On Tue, 26 May 2009, Till Maas wrote:
>> > On Di Mai 26 2009, Jesse Keating wrote:
>> >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
>> >>> A problem with phones is, that they are typically not as secure as
>> >>> hardware tokens. Users can install custom software on them. Also the
>> >>> phone may be compromised via bluetooth. It might be even possible to
>> >>> directly access text messages via bluetooth or maybe also wifi
>> >>> nowadays.
>> >>
>> >> Wouldn't that be why you have to combine what comes up on your phone
>> >> with the password you know, so that just the phone alone can't get you
>> >> in?
>> >
>> > Here is another attack scenario: The attacker first attacks the desktop
>> > to obtain the password. But then he also compromises the phone once it is
>> > connected to the desktop to synchronize some data, e.g. contacts, music
>> > or software. Then the attacker got both factors without having physical
>> > access on the phone.
>>
>> Both of them assume an attacker targetting someone on our system.
>
> Why is this? Even an attacker that got access to your desktop without
> specifically targetting a Fedora infrastructure team member can afterwards
> compromise your phone, once he noticed that you use it to login to Fedora. The
> browser cache or e-mails may indicate that you login to Fedora and some config
> files for phone synchronization can show the attacker, how the phone can be
> compromised.
>
Part of security work is analysis of the perceived risk and mitigation
strategies or acceptance of that risk.
I think that using a mobile phone as part of a two-factor auth scheme
is a good idea, despite the inherent risks of the platform. It's a
relatively low cost item that nearly everyone has or can obtain.
While it's not a very secure object on it's own, I think that because
it's only one factor in a two factor scheme, it's still useful and
'good enough' for this purpose. I would be willing to accept the risks
of using this as a part of our auth scheme. My perception of those
risks is that there is a sufficient level of effort required on the
part of the attacker as to make an attack non-trivial and reasonably
time consuming.
---Brett.
More information about the infrastructure
mailing list