mobile phone + password = 2 factor auth?
Till Maas
opensource at till.name
Tue May 26 21:15:45 UTC 2009
On Tue May 26 2009, Stephen John Smoogen wrote:
> On Tue, May 26, 2009 at 11:08 AM, Till Maas <opensource at till.name> wrote:
> > Why is this? Even an attacker that got access to your desktop without
> > specifically targeting a Fedora infrastructure team member can
> > afterwards compromise your phone, once he noticed that you use it to
> > log in to Fedora. The browser cache or e-mails may indicate that you log in
> > to Fedora and some config files for phone synchronization can show the
> > attacker how the phone can be compromised.
>
> Ok you have an attack vector. There are attack vectors against every
> authentication method. The issue you need to gauge is how likely
> this attack is and how one recovers from the attack. If you show that
> one is very high, and two is very costly then the weight of this
> method is less than another method.
The history already showed that an attacker gained access to a user's system
account afaik. Since people involved in Fedora are more likely geeks, they
will more likely not have some dumb phone, but some high tech phone that
allows installing custom software. Because they are also interested in FOSS,
they will more likely install software that cannot be easily verified. E.g.
closed source applications for Symbian are normally signed by a well-known CA
for the phone. But there is afaik no established way to distribute signed FOSS
software for Symbian like there are GPG-signed packages in Fedora.
Regards
Till