>   If you ran such a cafe, you'd also have the user accounts locked
> down so malware couldn't run in the first place.

yeah, but it's still Windows and hardware keyloggers are cheap

>   There ya go.  Start by emailing a password to your server from your
> phone.  (I'd suggest a different password for this mechanism.)  When
> the server gets the right password, it sends an OTP to your phone via
> SMS (every carrier I know of has an SMTP-to-SMS gateway).  Login with
> the OTP; don't use your regular password.  That way you've also got a
> sort-of two-factor authentication; unless someone can receive your SMS
> messages *and* knows your trigger password, they can't get an OTP.

So, naturally any good idea has a Wikipedia article about it:

  http://en.wikipedia.org/wiki/One-time_password#OTP_over_SMS

A concern there is raised about trusting the third party (SMS
gateway/phone network) to deliver the message, and also that it's
unencrypted.  It suggests banks may have been hit this way.  So, to reduce
the attack surface:

1) start the session from the browser.  Enter your username and click the
OTP button.  JavaScript gets a key from the server here (assuming TLS on
all of this).
2) server stores source IP, date, key, and OTP.  Sends out encrypted OTP
via SMS.
3) user receives SMS, enters into form, OTP is decrypted and sent, date
and IP are checked, OTP is deleted.  A failure of date, key, OTP, or IP
reveals an attacker.

>  Windows UI
> controls (widgets), which are easily queried with unprivileged API
> calls.

oh, good lord.
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
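The three-step scheme above (browser gets a session key over TLS, server records source IP/date/key/OTP and sends the OTP encrypted by SMS, user types the SMS text back and the server checks date, IP and OTP before deleting it) as a runnable model. This is an added example, not code from the post or from the list; everything in it is an assumption about the design: a 6-digit OTP, a 10-minute validity window, a 16-byte random session key per attempt, an in-memory outbox standing in for the carrier's SMTP-to-SMS gateway, and, as the "encryption", a digit-wise one-time pad (the OTP is added mod 10**6 to a pad derived from the session key) so the SMS stays short enough to type by hand. The `OtpServer`, `browser_decrypt` and `demo` names are mine, not the post's.

```python
"""Browser-keyed OTP over SMS: server side and the browser's decrypt step.
Added example modelling the 3-step scheme from the thread; not original code.
All parameters (OTP length, TTL, pad construction) are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

OTP_DIGITS = 6                     # assumed OTP length
OTP_MOD = 10 ** OTP_DIGITS
OTP_TTL = timedelta(minutes=10)    # assumed validity window for the "date" check


def pad_from_key(key: bytes) -> int:
    """Derive a 6-digit pad from the per-session key (HMAC-SHA256 reduced mod 10**6).
    The key is fresh and random per attempt, so the pad is a one-time pad over
    Z_(10**6); both server (encrypt) and browser JavaScript (decrypt) compute it."""
    mac = hmac.new(key, b"sms-otp-pad", hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % OTP_MOD


def encrypt_otp(otp: int, key: bytes) -> str:
    """Server side: the 6 digits that actually go out over the SMS gateway."""
    return f"{(otp + pad_from_key(key)) % OTP_MOD:0{OTP_DIGITS}d}"


def browser_decrypt(sms_text: str, key: bytes) -> str:
    """Browser side: recover the real OTP from the typed-in SMS text using the
    session key obtained over TLS in step 1 (the SMS carrier never sees the key)."""
    return f"{(int(sms_text) - pad_from_key(key)) % OTP_MOD:0{OTP_DIGITS}d}"


@dataclass
class PendingLogin:
    src_ip: str
    started: datetime
    key: bytes
    otp: str


class OtpServer:
    def __init__(self) -> None:
        self.pending: dict = {}            # username -> PendingLogin (step 2 record)
        self.sms_outbox: list = []         # (user, body): stand-in for the SMS gateway

    def start(self, user: str, src_ip: str, now: datetime) -> bytes:
        """Steps 1-2: mint a session key for the browser, store IP/date/key/OTP,
        and send only the *encrypted* OTP via SMS. Returns the key (over TLS)."""
        key = secrets.token_bytes(16)
        otp = f"{secrets.randbelow(OTP_MOD):0{OTP_DIGITS}d}"
        self.pending[user] = PendingLogin(src_ip, now, key, otp)
        self.sms_outbox.append((user, encrypt_otp(int(otp), key)))
        return key

    def finish(self, user: str, otp: str, src_ip: str, now: datetime) -> bool:
        """Step 3: check date, IP and OTP. The record is removed on *any* attempt,
        so a code is single-use and cannot be brute-forced over 10**6 guesses."""
        rec = self.pending.pop(user, None)
        if rec is None:
            return False
        if now < rec.started or now - rec.started > OTP_TTL:
            return False                    # date failure
        if src_ip != rec.src_ip:
            return False                    # IP failure
        return hmac.compare_digest(rec.otp.encode(), otp.encode())


def demo() -> dict:
    """Walk the happy path and each failure the post says reveals an attacker."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)              # constructed timestamp
    ip, other_ip = "203.0.113.7", "198.51.100.9"      # constructed TEST-NET addresses
    srv = OtpServer()

    def fresh_attempt():
        key = srv.start("alice", ip, t0)
        return key, srv.sms_outbox[-1][1]

    key, sms = fresh_attempt()
    otp = browser_decrypt(sms, key)
    out = {"happy_path": srv.finish("alice", otp, ip, t0 + timedelta(minutes=1))}
    out["replay_rejected"] = not srv.finish("alice", otp, ip, t0 + timedelta(minutes=2))

    key, sms = fresh_attempt()
    out["wrong_ip_rejected"] = not srv.finish("alice", browser_decrypt(sms, key), other_ip, t0)

    key, sms = fresh_attempt()
    late = t0 + OTP_TTL + timedelta(seconds=1)
    out["expired_rejected"] = not srv.finish("alice", browser_decrypt(sms, key), ip, late)

    # An SMS-only interceptor has the ciphertext but not the session key; typing
    # the SMS digits as the OTP only works in the 1-in-10**6 case where pad == 0.
    key, sms = fresh_attempt()
    out["sms_only_rejected"] = pad_from_key(key) == 0 or not srv.finish("alice", sms, ip, t0)
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Two design points worth noting: the pad is derived from the session key, so the secret the SMS interceptor lacks is exactly the thing that only ever travelled inside the TLS session, and the pending record is deleted on a failed attempt as well as a successful one, which trades a denial-of-service nuisance (an attacker can burn your code by guessing) for immunity to online brute force of a 6-digit value.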