mobile phone + password = 2 factor auth?

Jeroen van Meeuwen kanarip at kanarip.com
Tue May 26 19:13:37 UTC 2009


On 05/26/2009 05:44 PM, Till Maas wrote:
> On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote:
>> I was changing some settings with my mobile phone company and in order to
>> change my password they made me use what looks a lot like 2 factor auth:
>>
>> something I know: my current password
>> something I have: my phone
>>
>> I logged in with my current password - then they txt'd me a temporary
>> password which I had to type in to verify I was me.
>>
>> Which got me to wondering - if most people have a mobile phone and/or have
>> access to one - why couldn't we use that as the second factor for our
>> auth?
>
> A problem with phones is that they are typically not as secure as hardware
> tokens. Users can install custom software on them. Also the phone may be
> compromised via bluetooth. It might even be possible to directly access text
> messages via bluetooth or maybe also wifi nowadays.
>

Although this is entirely true, my bank sure considers my phone safe
enough to send me one-time transaction confirmation codes that are only
valid with the existing session.

So, to hack this, you would need access to my phone as well as my 
current session.

-Jeroen
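The session-bound confirmation code described in the message above, as an added example that is not part of the original thread or of any bank's system: a code only verifies for the session that requested it, expires, is single-use, and is attempt-limited so a six-digit value cannot be guessed inside its window. Class and function names, the five-minute window and the attempt limit are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 300   # assumption: five-minute validity window
MAX_ATTEMPTS = 5         # assumption: lockout well below the 10^6 code space


@dataclass
class PendingCode:
    code_hash: bytes    # the plaintext code is never stored server side
    expires_at: float
    attempts: int = 0
    used: bool = False


class SessionBoundOtp:
    """Issue and verify one-time codes tied to one existing login session."""

    def __init__(self, server_key: bytes, now: Callable[[], float] = time.time):
        self._key = server_key
        self._now = now            # injectable clock so expiry can be tested
        self._pending: Dict[str, PendingCode] = {}   # keyed by transaction id

    def _digest(self, session_id: str, code: str) -> bytes:
        # The session id is mixed into the MAC: the same digits presented from
        # any other session yield a different digest and therefore fail.
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._key, msg, "sha256").digest()

    def issue(self, session_id: str, txn_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        expires = self._now() + CODE_TTL_SECONDS
        self._pending[txn_id] = PendingCode(self._digest(session_id, code), expires)
        return code   # handed to the SMS gateway; must not be logged

    def verify(self, session_id: str, txn_id: str, code: str) -> bool:
        entry = self._pending.get(txn_id)
        if entry is None or entry.used or entry.attempts >= MAX_ATTEMPTS:
            return False
        if self._now() > entry.expires_at:
            del self._pending[txn_id]      # expired codes are discarded
            return False
        entry.attempts += 1
        if not hmac.compare_digest(entry.code_hash, self._digest(session_id, code)):
            return False
        entry.used = True                  # single use: a replayed code fails
        return True
```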




More information about the Fedora-infrastructure-list mailing list