mobile phone + password = 2 factor auth?

Stephen John Smoogen smooge at gmail.com
Tue May 26 17:47:54 UTC 2009


On Tue, May 26, 2009 at 9:01 AM, Seth Vidal <skvidal at fedoraproject.org> wrote:
>
>
> On Tue, 26 May 2009, Seth Vidal wrote:
>
>> I was changing some settings with my mobile phone company and in order to
>> change my password they made me use what looks a lot like 2 factor auth:
>>
>> something I know: my current password
>> something I have: my phone
>>
>> I logged in with my current password - then they txt'd me a temporary
>> password which I had to type in to verify I was me.
>>
>> Which got me to wondering - if most people have a mobile phone and/or have
>> access to one - why couldn't we use that as the second factor for our auth?
>
>>
>> Now, my question is - what is dangerous/silly about this?
>
> Jeremy mentioned some potential problems on jabber:
>
> 1. no guaranteed message delivery time

Depends on how fast the grid is at the moment. I have had a text
message go out 8 hours after it being sent on a day where lots of
issues were going on (university was doing a drill of a shooter on
campus and every kid texting each other swamped out the delivery of the
'please stay inside the building there is a shooter.') There is also
no guarantee that you will have a correct message. While it doesn't
happen as much as I remember in the 90's, you still can get a3tjilke in
your text.

> 2. cost structure of sending/receiving a lot of txt msgs.

As I am looking for a phone it looks like it's an extra 10-20/month for
'unlimited texting'. If you don't have that then you are paying for a
lot more (others I found were 0.99/SMS+ if out of network).

If we 2fact rarely, I think the 1st problem dominates. It means you
have a window of opportunity for best brute force efforts. How long
is the password good before we say it isn't? How many attempts can be
made before we invalidate it (e.g. how long before we DOS ourselves :)?)
That's more risk management mathematics than I have taken so far :(.

If we 2factor a lot then it will be a question of how long before it's cheaper to
have a yubikey? [For the phone payer 1-2 months :).. for the
organization???]

And in any case (hardware or phone), there will need to be an audited
protected route in case of failure (if the SMS system can't send or
the yubikey server can't authenticate.. how do people do their work to
fix that.)

-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
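The two open questions in the reply above (how long an SMS-delivered temporary password stays valid, and how many guesses are allowed before it is burned) can be pinned down in a few lines of server-side logic. The following is an added example, not code from the thread or from the Fedora infrastructure project; the code length, validity window, attempt budget and the `FakeClock` helper are all illustrative assumptions.

```python
"""Minimal store for SMS-delivered one-time codes with an expiry window and a
guess budget, plus the brute-force odds those two parameters imply.
Added example; all parameters below are assumptions, not project settings."""
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
VALIDITY_SECONDS = 600   # assumed 10-minute window, generous because SMS can lag
MAX_ATTEMPTS = 3         # assumed guesses permitted per issued code


class FakeClock:
    """Deterministic clock so the lifecycle below can be replayed offline."""
    def __init__(self, start: float) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SmsOtpStore:
    def __init__(self, now=time.time) -> None:
        self._now = now
        self._pending = {}  # user -> [code, issued_at, attempts]

    def issue(self, user: str) -> str:
        """Generate a fresh code; the return value is what the SMS gateway
        would transmit (delivery itself is out of scope here)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._now(), 0]
        return code

    def verify(self, user: str, guess: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing outstanding, or already used
        code, issued_at, attempts = entry
        if self._now() - issued_at > VALIDITY_SECONDS:
            del self._pending[user]           # expired: the window has closed
            return False
        entry[2] = attempts + 1
        ok = hmac.compare_digest(code, guess)  # constant-time comparison
        if ok or entry[2] >= MAX_ATTEMPTS:
            del self._pending[user]           # consume on success, burn on exhaustion
        return ok


def brute_force_success_probability(digits: int = CODE_DIGITS,
                                    attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that uniformly random guessing hits the code within the budget.
    The validity window does not enter here: the attempt cap alone bounds it."""
    return attempts / (10 ** digits)


def _wrong(code: str) -> str:
    """A guess that is guaranteed not to equal the issued code."""
    return f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def demo() -> dict:
    """Walk one user through the lifecycle on a fake clock; returns outcomes."""
    clock = FakeClock(1000.0)
    store = SmsOtpStore(now=clock)
    out = {}
    code = store.issue("alice")
    out["wrong_guess"] = store.verify("alice", _wrong(code))   # False, 1 attempt used
    out["right_guess"] = store.verify("alice", code)           # True, code consumed
    out["replay"] = store.verify("alice", code)                # False, one-time only
    code = store.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", _wrong(code))
    out["burned_after_max"] = store.verify("alice", code)      # False, budget spent
    code = store.issue("alice")
    clock.advance(VALIDITY_SECONDS + 1)
    out["expired"] = store.verify("alice", code)               # False, window closed
    out["p_brute"] = brute_force_success_probability()         # 3 / 10**6
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the attempt cap, not the validity window, is what bounds an online guess; the window mainly limits how long a code intercepted in transit remains useful. The cap also sets the denial-of-service exposure the reply worries about: three wrong guesses from anyone lock the legitimate user out until a fresh code is issued, so the re-issue path needs its own rate limit.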
