mobile phone + password = 2 factor auth?

Till Maas opensource at till.name
Tue May 26 17:08:56 UTC 2009


On Tue May 26 2009, Seth Vidal wrote:
> On Tue, 26 May 2009, Till Maas wrote:
> > On Tue May 26 2009, Jesse Keating wrote:
> >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
> >>> A problem with phones is, that they are typically not as secure as
> >>> hardware tokens. Users can install custom software on them. Also the
> >>> phone may be compromised via bluetooth. It might be even possible to
> >>> directly access text messages via bluetooth or maybe also wifi
> >>> nowadays.
> >>
> >> Wouldn't that be why you have to combine what comes up on your phone
> >> with the password you know, so that just the phone alone can't get you
> >> in?
> >
> > Here is another attack scenario: The attacker first attacks the desktop
> > to obtain the password. But then he also compromises the phone once it is
> > connected to the desktop to synchronize some data, e.g. contacts, music
> > or software. Then the attacker got both factors without having physical
> > access on the phone.
>
> Both of them assume an attacker targeting someone on our system.

Why is this? Even an attacker that got access to your desktop without
specifically targeting a Fedora infrastructure team member can afterwards
compromise your phone, once he has noticed that you use it to log in to Fedora. The
browser cache or e-mails may indicate that you log in to Fedora, and some config
files for phone synchronization can show the attacker how the phone can be
compromised.

Regards
Till