mobile phone + password = 2 factor auth?

Seth Vidal skvidal at fedoraproject.org
Tue May 26 19:30:42 UTC 2009



On Tue, 26 May 2009, Eric Christensen wrote:

> On Tue, May 26, 2009 at 15:13, Jeroen van Meeuwen <kanarip at kanarip.com> wrote:
>> Although this is entirely true, my bank sure considers my phone safe enough
>> to send me one-time transaction confirmation codes that are only valid with
>> the existing session.
>>
>> So, to hack this, you would need access to my phone as well as my current
>> session.
>>
>> -Jeroen
>
> I'm glad your bank considers your phone safe enough.  But do you?
> Your bank puts the security of your money in your hands which is fine
> for them because it isn't their money.
>
> Remember, messages going through the Internet to the phone company to
> your phone aren't encrypted or otherwise protected.


Which is why it is 2-factor auth! You have to put both the session key and 
the password you know together in order to auth.

The bank is implicitly saying they don't trust the phone, nor do they trust 
your password, but if you have both of them... then they trust that.


-sv
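The property Jeroen describes (a one-time code that is only good for the current session and the transaction shown in it) is a server-side binding, not anything the SMS channel provides. The following is an added example, not code from this thread or from any bank: a hypothetical confirmation-code service where each code is random, stored against the session that requested it together with a fingerprint of the transaction being confirmed, expires, is single-use, and is discarded after a few wrong guesses. All names (TransactionCodeService, the session ids, the sample transaction) are assumptions made up for the illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6      # length of the code delivered out of band (e.g. by SMS)
MAX_ATTEMPTS = 3     # wrong guesses tolerated per issued code


def transaction_fingerprint(tx: dict) -> str:
    """Canonical hash of the fields the user is actually confirming."""
    canonical = "|".join(str(tx[k]) for k in ("to_account", "amount_cents", "currency"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class TransactionCodeService:
    """Hypothetical server-side issuer/verifier of session-bound one-time codes.

    A code is only accepted from the session it was issued to, for the exact
    transaction it was issued for, before it expires, and at most once."""

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for testing expiry
        self._pending: dict = {}       # session_id -> pending record (one per session)

    def issue(self, session_id: str, tx: dict) -> str:
        """Generate a fresh random code, remember what it is for, return it for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = {
            "code": code,
            "fingerprint": transaction_fingerprint(tx),
            "expires_at": self._clock() + self._ttl,
            "attempts": 0,
        }
        return code

    def verify(self, session_id: str, tx: dict, submitted: str) -> bool:
        """True only if code, session, transaction and time all line up."""
        rec = self._pending.get(session_id)
        if rec is None:
            return False                        # nothing pending for this session
        if self._clock() > rec["expires_at"]:
            del self._pending[session_id]       # expired: user must request a new code
            return False
        well_formed = (len(submitted) == CODE_DIGITS
                       and submitted.isascii() and submitted.isdigit())
        code_ok = well_formed and hmac.compare_digest(rec["code"], submitted)
        tx_ok = hmac.compare_digest(rec["fingerprint"], transaction_fingerprint(tx))
        if code_ok and tx_ok:
            del self._pending[session_id]       # single use: consumed on success
            return True
        rec["attempts"] += 1
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]       # stop online guessing of the digits
        return False


def demo() -> dict:
    """Walk through the legitimate flow and the attack cases discussed in the thread."""
    now = [1000.0]                              # controllable clock
    svc = TransactionCodeService(ttl_seconds=300, clock=lambda: now[0])
    # Constructed sample transaction; not real account data.
    tx = {"to_account": "NL00BANK0123456789", "amount_cents": 12500, "currency": "EUR"}
    code = svc.issue("session-A", tx)
    results = {}
    # Someone who intercepted the SMS but does not hold the session.
    results["code_without_session"] = svc.verify("session-B", tx, code)
    # Someone inside the session who changes the amount after the code was sent.
    results["tampered_tx"] = svc.verify("session-A", {**tx, "amount_cents": 9999900}, code)
    # The legitimate user, with both the session and the phone.
    results["legit"] = svc.verify("session-A", tx, code)
    # Replaying the same code a second time.
    results["replay"] = svc.verify("session-A", tx, code)
    # A code that sat unused past its lifetime.
    code2 = svc.issue("session-A", tx)
    now[0] += 301
    results["expired"] = svc.verify("session-A", tx, code2)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} accepted={accepted}")
```

The point the example makes concrete: an attacker who reads the SMS in transit still has to present it from the victim's live session, for the exact transaction the victim was shown, before it expires, and an attacker who holds the session still cannot confirm a transaction without the code. Neither factor alone is sufficient, which is what the message above is arguing.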



