mobile phone + password = 2 factor auth?

Seth Vidal skvidal at fedoraproject.org
Tue May 26 16:45:16 UTC 2009



On Tue, 26 May 2009, Till Maas wrote:

> On Di Mai 26 2009, Seth Vidal wrote:
>> On Tue, 26 May 2009, Till Maas wrote:
>
>>> A problem with phones is, that they are typically not as secure as
>>> hardware tokens. Users can install custom software on them. Also the
>>> phone may be compromised via bluetooth. It might be even possible to
>>> directly access text messages via bluetooth or maybe also wifi nowadays.
>>
>> But that's the point of it being one factor of two factor auth...
>>
>> Even if you compromise the txt msg you still don't have the component
>> that the user knows. You only have the component that the user HAS.
>
> But one of the two factors in this case should be to own the phone or the SIM
> card to be able to login successfully. Which imho should mean that if someone
> is in possession of the phone, he can be sure that nobody else can access the
> two factor protected website. But in this case, you can still own the
> compromised phone, but someone else might access it and use it.

If someone steals my phone - then they can get the txt msg but they can't 
get my password that only I know.

If someone gets my password they have to steal my phone or hijack my txt 
msgs to get the other bit.


So, how is this better/worse than any other 2factor auth?

-sv
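The two scenarios Seth describes (stolen phone without the password, leaked password without the phone) can be checked against a small verifier. The code below is an added illustration, not anything from the Fedora infrastructure discussion or its code: it models a login that requires both a salted password hash match and a single-use, time-limited code "sent" to the user's phone. The user record, the PBKDF2 parameters, the five-minute code lifetime and the `outbox` list standing in for an SMS gateway are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300  # assumed lifetime of a delivered code


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an assumption for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, phone: str) -> dict:
    """Constructed user record: salted password hash plus the phone number
    the second factor is delivered to. No plaintext password is kept."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt),
            "phone": phone, "pending_otp": None}


def check_password(user: dict, password: str) -> bool:
    # Constant-time compare so a wrong guess does not leak how wrong it was.
    return hmac.compare_digest(user["pw_hash"],
                               _hash_password(password, user["salt"]))


def issue_otp(user: dict, now: float, outbox: list) -> None:
    """Generate a fresh six-digit code and 'send' it to the user's phone.
    The outbox list is a stub for the SMS gateway (constructed)."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    user["pending_otp"] = {"code": code,
                           "expires": now + OTP_TTL_SECONDS,
                           "used": False}
    outbox.append((user["phone"], code))


def check_otp(user: dict, code: str, now: float) -> bool:
    """Accept a pending code once, within its lifetime. Any attempt consumes
    it, so a code read off a stolen phone cannot be reused for password
    guessing during its validity window."""
    pending = user["pending_otp"]
    if pending is None or pending["used"] or now > pending["expires"]:
        return False
    pending["used"] = True
    return hmac.compare_digest(pending["code"], code)


def login(user: dict, password: str, code: str, now: float) -> bool:
    # Both factors are evaluated on every attempt; either failing denies access.
    pw_ok = check_password(user, password)
    otp_ok = check_otp(user, code, now)
    return pw_ok and otp_ok


def _wrong_code(code: str) -> str:
    # A code guaranteed to differ from the real one (avoids a lucky match).
    return f"{(int(code) + 1) % 10 ** 6:06d}"


def demo(now: float = 0.0) -> dict:
    """Walk through the cases raised in the thread and report the outcome
    of each login attempt."""
    outbox = []
    user = make_user("correct horse battery", "+1-555-0100")  # constructed
    results = {}

    # Stolen phone: attacker reads the code but does not know the password.
    issue_otp(user, now, outbox)
    _, code = outbox[-1]
    results["phone_only"] = login(user, "not the password", code, now)

    # Leaked password: attacker knows the password but never sees the code.
    issue_otp(user, now, outbox)
    _, code = outbox[-1]
    results["password_only"] = login(user, "correct horse battery",
                                     _wrong_code(code), now)

    # Legitimate user: holds both factors.
    issue_otp(user, now, outbox)
    _, code = outbox[-1]
    results["both"] = login(user, "correct horse battery", code, now)

    # Replay of the already-used code with the right password.
    results["replay"] = login(user, "correct horse battery", code, now)

    # Code delivered but presented after its lifetime has elapsed.
    issue_otp(user, now, outbox)
    _, code = outbox[-1]
    results["expired"] = login(user, "correct horse battery", code,
                               now + OTP_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} -> {'accepted' if ok else 'denied'}")
```

Only the "both" case is accepted; holding the phone alone or the password alone is denied, as Seth argues. What the verifier cannot defend against, which is Till's concern, is a phone that is compromised while still in the user's hands: the code then reaches both the user and the attacker, and the scheme degrades to the strength of the password plus whatever rate limiting sits in front of `login`.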