I was changing some settings with my mobile phone company and in order to
change my password they made me use what looks a lot like 2 factor auth:
something I know: my current password
something I have: my phone
I logged in with my current password - then they txt'd me a temporary
password
On Tue, 2009-05-26 at 11:01 -0400, Seth Vidal wrote:
2. cost structure of sending/receiving a lot of txt msgs.
Don't most carriers offer an email gateway to sms?
--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
A problem with phones is that they are typically not as secure as hardware
tokens. Users can install custom software on them. Also the phone may be
compromised via bluetooth. It might be even possible to directly access text
messages via
On Tue, 26 May 2009, Bryan Kearney wrote:
Seth Vidal wrote:
On Tue, 26 May 2009, Bryan Kearney wrote:
Seth Vidal wrote:
Now, my question is - what is dangerous/silly about this?
Luddites like me who have disabled text messages on their phones.
Well your options would eventually
On Tue, 26 May 2009, Seth Vidal wrote:
I was changing some settings with my mobile phone company and in order to
change my password they made me use what looks a lot like 2 factor auth:
something I know: my current password
something I have: my phone
I logged in with my current password -
On Tue, 26 May 2009, Jesse Keating wrote:
On Tue, 2009-05-26 at 11:01 -0400, Seth Vidal wrote:
2. cost structure of sending/receiving a lot of txt msgs.
Don't most carriers offer an email gateway to sms?
yes - but it still costs the receiver something.
-sv
On Tue, 26 May 2009, Till Maas wrote:
On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote:
I was changing some settings with my mobile phone company and in order to
change my password they made me use what looks a lot like 2 factor auth:
something I know: my current password
something I have:
Seth Vidal wrote:
On Tue, 26 May 2009, Till Maas wrote:
On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote:
I was changing some settings with my mobile phone company and in
order to
change my password they made me use what looks a lot like 2 factor auth:
something I know: my current
On Tue, 26 May 2009, Bryan Kearney wrote:
But that's the point of it being one factor of two factor auth...
Even if you compromise the txt msg you still don't have the component that
the user knows. You only have the component that the user HAS.
-sv
How about a token App for the
On Tue, 26 May 2009, Bryan Kearney wrote:
Seth Vidal wrote:
Now, my question is - what is dangerous/silly about this?
Luddites like me who have disabled text messages on their phones.
Well your options would eventually be:
- enable txt msgs
- carry a yubikey with you everywhere
so...
On Tue, 26 May 2009, Till Maas wrote:
On Di Mai 26 2009, Seth Vidal wrote:
On Tue, 26 May 2009, Till Maas wrote:
A problem with phones is that they are typically not as secure as
hardware tokens. Users can install custom software on them. Also the
phone may be compromised via bluetooth.
Seth Vidal wrote:
Now, my question is - what is dangerous/silly about this?
Luddites like me who have disabled text messages on their phones.
-- bk
___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
On Tue, 26 May 2009, Till Maas wrote:
On Di Mai 26 2009, Jesse Keating wrote:
On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
A problem with phones is that they are typically not as secure as
hardware tokens. Users can install custom software on them. Also the
phone may be compromised
On Tue, 26 May 2009, Bill Nottingham wrote:
Seth Vidal (skvi...@fedoraproject.org) said:
I can think of multiple ways to do it:
1. login to a web page
2. click on 'auth me' button
3. it sends you a txt msg
4. you input the password it sent you
5. you get a cert back that you use for auths
On Di Mai 26 2009, Seth Vidal wrote:
If someone steals my phone - then they can get the txt msg but they can't
get my password that only I know.
If someone gets my password they have to steal my phone or hijack my txt
msgs to get the other bit.
So, how is this better/worse than any other
On Tue, May 26, 2009 at 11:08 AM, Till Maas opensou...@till.name wrote:
On Di Mai 26 2009, Seth Vidal wrote:
On Tue, 26 May 2009, Till Maas wrote:
On Di Mai 26 2009, Jesse Keating wrote:
On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
A problem with phones is that they are typically
On Tue, May 26, 2009 at 9:01 AM, Seth Vidal skvi...@fedoraproject.org wrote:
On Tue, 26 May 2009, Seth Vidal wrote:
I was changing some settings with my mobile phone company and in order to
change my password they made me use what looks a lot like 2 factor auth:
something I know: my
On Tue, May 26, 2009 at 13:11, Seth Vidal skvi...@fedoraproject.org wrote:
On Tue, 26 May 2009, Till Maas wrote:
Why is this? Even an attacker that got access to your desktop without
specifically targeting a Fedora infrastructure team member can afterwards
compromise your phone, once he
On Tue, 26 May 2009, Seth Vidal wrote:
On Tue, 26 May 2009, Bryan Kearney wrote:
How about a token App for the iPhone? Download a certificate with seed data
for the algorithm.. and bobs your uncle.
Requires closed-source software. - No go.
http://barada.sourceforge.net/
PAM module
On Tue, 26 May 2009, Chris Ricker wrote:
On Tue, 26 May 2009, Seth Vidal wrote:
On Tue, 26 May 2009, Bryan Kearney wrote:
How about a token App for the iPhone? Download a certificate with seed data
for the algorithm.. and bobs your uncle.
Requires closed-source software. - No go.
On Tue, 26 May 2009, Eric Christensen wrote:
Yubikey uses a one time password (OTP) so sniffing the output of the
device would yield the key for that particular time and wouldn't be
able to be used at a later time.
True - my major objection to the yubikey is the single-vendor-ness of it.
Seth Vidal wrote:
On Tue, 26 May 2009, Chris Ricker wrote:
On Tue, 26 May 2009, Seth Vidal wrote:
On Tue, 26 May 2009, Bryan Kearney wrote:
How about a token App for the iPhone? Download a certificate with
seed data
for the algorithm.. and bobs your uncle.
Requires closed-source
On 05/26/2009 05:44 PM, Till Maas wrote:
On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote:
I was changing some settings with my mobile phone company and in order to
change my password they made me use what looks a lot like 2 factor auth:
something I know: my current password
something I have:
On Tue, May 26, 2009 at 15:13, Jeroen van Meeuwen kana...@kanarip.com wrote:
Although this is entirely true, my bank sure considers my phone safe enough
to send me one-time transaction confirmation codes that are only valid with
the existing session.
So, to hack this, you would need access to
On Tue, 26 May 2009, Eric Christensen wrote:
On Tue, May 26, 2009 at 15:13, Jeroen van Meeuwen kana...@kanarip.com wrote:
Although this is entirely true, my bank sure considers my phone safe enough
to send me one-time transaction confirmation codes that are only valid with
the existing
On Tue, May 26, 2009 at 1:30 PM, Seth Vidal skvi...@fedoraproject.org wrote:
On Tue, 26 May 2009, Eric Christensen wrote:
On Tue, May 26, 2009 at 15:13, Jeroen van Meeuwen kana...@kanarip.com
wrote:
Although this is entirely true, my bank sure considers my phone safe
enough
to send me
On Di Mai 26 2009, Jeroen van Meeuwen wrote:
Although this is entirely true, my bank sure considers my phone safe
enough to send me one-time transaction confirmation codes that are only
valid with the existing session.
I do not know how it is in your country, but afaik in Germany banks
On Di Mai 26 2009, Stephen John Smoogen wrote:
On Tue, May 26, 2009 at 11:08 AM, Till Maas opensou...@till.name wrote:
Why is this? Even an attacker that got access to your desktop without
specifically targeting a Fedora infrastructure team member can
afterwards compromise your phone,
On Tue, May 26, 2009 at 4:15 PM, Till Maas opensou...@till.name wrote:
Since people involved in Fedora are more likely geeks, they
will more likely not have some dumb phone, but some high tech phone that
allows to install custom software.
Don't assume that... Fancy phones cost a lot of money,