mobile phone + password = 2 factor auth?
Till Maas
opensource at till.name
Tue May 26 16:43:50 UTC 2009
On Di Mai 26 2009, Seth Vidal wrote:
> On Tue, 26 May 2009, Till Maas wrote:
> > A problem with phones is, that they are typically not as secure as
> > hardware tokens. Users can install custom software on them. Also the
> > phone may be compromised via bluetooth. It might be even possible to
> > directly access text messages via bluetooth or maybe also wifi nowadays.
>
> But that's the point of it being one factor of two factor auth...
>
> Even if you compromise the txt msg you still don't have the component
> that the user knows. You only have the component that the user HAS.
But one of the two factors in this case should be to own the phone or the SIM
card to be able to login sucessfully. Which imho should mean that if someone
is in posession of the phone, he can be sure that nobody else can access the
two factor protected website. But in this case, you can still own the
compromosised phone, but someone else might access it and use it.
Regards
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/fedora-infrastructure-list/attachments/20090526/df4ae9b0/attachment.sig>
More information about the Fedora-infrastructure-list
mailing list