
Re: [WEB SECURITY] thoughts on two-factor web authentication?



Dave Hull wrote:
> On Mon, Nov 10, 2008 at 2:22 PM, Nick Owen <nowen@xxxxxxxxxxxxxxxx> wrote:
>> Just be aware of what you are relying on and the security implications
>> of that.  For example, cell carriers have different incentives regarding
>> protection of their accounts.  It is worthwhile for them to have lax
>> password reset systems to avoid helpdesk calls because of the size of
>> the user base.  See
>> http://consumerist.com/376845/flawed-security-lets-sprint-accounts-get-easily-hijacked%22
> 
> Good point. It's good to carefully consider the external dependencies,
> but in the case of PhoneFactor, using the techniques in the article to
> gain access to someone's cell phone is not necessarily going to
> overcome the security of using the phone as an out of band
> authentication method. A company that deploys PhoneFactor can require
> that the callee enters a PIN of customizable length. So just because
> an attacker has taken my phone and gained access to it and my provider
> account, does not mean that he knows the PIN that's required when it
> is called for AuthN/Z.

What does PhoneFactor use to make the calls? Skype?


-- 
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Commercial/Open-source Two-Factor Authentication
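To make the point in Dave Hull's reply concrete (a hijacked phone or carrier account still leaves the attacker without the keypad PIN), here is a small added example of the server-side state machine such a callback scheme needs. It is illustrative code written for this archive page, not PhoneFactor's or WiKID's implementation; the class and function names, the attempt limit and the PBKDF2 PIN storage are all assumptions.

```python
import hashlib
import hmac
import secrets

MAX_PIN_ATTEMPTS = 3  # assumed policy: lock the login after three bad PINs


class OutOfBandLogin:
    """State for one login whose password step already passed and which now
    waits for the user to answer our call and key in their PIN."""

    def __init__(self, username, pin_hash, salt):
        self.username = username
        self.pin_hash = pin_hash
        self.salt = salt
        self.call_token = secrets.token_hex(16)  # binds the PIN entry to this call
        self.attempts = 0
        self.state = "awaiting_call"


def hash_pin(pin, salt):
    # Hypothetical storage scheme: a slow hash so a leaked database does not
    # hand over the PINs themselves.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def answer_call(login, token, pin):
    """Called when the telephony side reports the digits the callee entered.
    Returns one of: rejected, retry, locked, authenticated."""
    if login.state != "awaiting_call":
        return "rejected"           # login already finished or locked
    if not hmac.compare_digest(token, login.call_token):
        return "rejected"           # digits did not arrive on the call we placed
    login.attempts += 1
    if hmac.compare_digest(hash_pin(pin, login.salt), login.pin_hash):
        login.state = "authenticated"
        return "authenticated"
    if login.attempts >= MAX_PIN_ATTEMPTS:
        login.state = "locked"      # possession of the phone alone is not enough
        return "locked"
    return "retry"


if __name__ == "__main__":
    salt = b"constructed-salt"      # constructed sample value
    login = OutOfBandLogin("alice", hash_pin("4921", salt), salt)
    # Someone who answers the call but guesses the PIN gets locked out.
    print([answer_call(login, login.call_token, p) for p in ("0000", "1111", "2222")])
```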

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


