mobile phone + password = 2 factor auth?

Till Maas opensource at till.name
Tue May 26 17:29:49 UTC 2009


On Tue May 26 2009, Seth Vidal wrote:
> On Tue, 26 May 2009, Till Maas wrote:
> > Why is this? Even an attacker that got access to your desktop without
> > specifically targeting a Fedora infrastructure team member can
> > afterwards compromise your phone, once he noticed that you use it to
> > log in to Fedora. The browser cache or e-mails may indicate that you log in
> > to Fedora and some config files for phone synchronization can show the
> > attacker how the phone can be compromised.
>
> Doesn't this same argument stand if you plug the yubikey into the machine?
> Ie: sniff the incoming usb traffic and grab the "password" that the
> yubikey has just inputted?

It is similar. But the password can be afaik only used once and might be only 
created if the user presses a button on the yubikey (iirc there are two 
versions).

Regards
Till

More information about the Fedora-infrastructure-list mailing list