[WEB SECURITY] New two-stage login procedure

Esteban Ribičić kisero at gmail.com
Wed Dec 13 12:21:06 EST 2006


The problem with SMS is that it might not reach its destination due to third-party
problems (carriers, etc.). I used that as a token for my company VPN system...

A smarter approach would be:

1) user calls from a defined number (mobile) to a PBX
2) PBX checks ANI and asks for a code
3) PBX replies with a token

The user logs in with their normal credentials (bank account and password) + token +
"common pool of questions".

It's not expensive... Asterisk can do it.

my 5p


On 12/13/06, Brian Eaton <eaton.lists at gmail.com> wrote:
>
> On 12/13/06, Brian Eaton <eaton.lists at gmail.com> wrote:
> > They ask for three digits, so there
> > are 1000 possibilities.
>
> <blush>
>
> I can't count.  They ask for three digits, but order doesn't matter.
> Assuming they won't ask for you to enter the same digit multiple
> times, there are 120 possibilities, not 1000.
>
> Whoops.
>
> Regards,
> Brian
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
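The PBX-assisted two-stage flow sketched in the post, modelled as an added example (this is not code from the post and not an Asterisk AGI script; in Asterisk the first stage would be driven from the dialplan via AGI, which is out of scope here). Account names, phone numbers, the 6-digit token format, the 120-second token lifetime and the 3-attempt PIN lockout are all assumptions. The registered-number check is treated as one signal rather than proof of identity, since caller ID can be spoofed on the PSTN; the PIN, the short single-use token and the lockout carry the rest of the weight.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 120   # assumption: the phone-issued token must be used within 2 minutes
MAX_PIN_FAILURES = 3      # assumption: lock the phone stage after 3 wrong PINs


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so that only hashes of password, PIN and answers are stored.
    A 4-digit PIN is still cheap to brute-force offline, so the lockout below
    matters more than the hash for that field."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def make_user(phone: str, password: str, pin: str, questions: dict) -> dict:
    """Constructed user record (hypothetical data, not from the post)."""
    salt = secrets.token_bytes(16)
    return {
        "phone": phone,
        "salt": salt,
        "password": _hash_secret(password, salt),
        "pin": _hash_secret(pin, salt),
        # answers normalised (trimmed, lower-cased) before hashing
        "questions": {q: _hash_secret(a.strip().lower(), salt) for q, a in questions.items()},
        "pin_failures": 0,
    }


class TwoStageLogin:
    def __init__(self, users: dict, now=time.time):
        self.users = users
        self.now = now                # injectable clock so expiry can be tested
        self.tokens = {}              # (account, token) -> issue time; removed on use

    def _check(self, user: dict, field: str, value: str) -> bool:
        return hmac.compare_digest(user[field], _hash_secret(value, user["salt"]))

    # Stage 1: the PBX/IVR side. caller_id is what the PBX saw (ANI), pin is keyed in by DTMF.
    def ivr_request_token(self, caller_id: str, account: str, pin: str):
        user = self.users.get(account)
        if user is None or user["pin_failures"] >= MAX_PIN_FAILURES:
            return None
        if not hmac.compare_digest(user["phone"], caller_id):
            return None               # call did not come from the registered number
        if not self._check(user, "pin", pin):
            user["pin_failures"] += 1
            return None
        user["pin_failures"] = 0
        token = f"{secrets.randbelow(10**6):06d}"   # 6 random digits read back over the phone
        self.tokens[(account, token)] = self.now()
        return token

    def question_for(self, account: str):
        """Pick one question from the user's pool for this login attempt."""
        user = self.users.get(account)
        return secrets.choice(sorted(user["questions"])) if user else None

    # Stage 2: the web login with normal credentials + phone token + pool question.
    def web_login(self, account: str, password: str, token: str, question: str, answer: str) -> bool:
        user = self.users.get(account)
        if user is None:
            return False
        # Consume the token on first use whatever the outcome, so a captured token
        # cannot be replayed after a failed attempt.
        issued = self.tokens.pop((account, token), None)
        ok = issued is not None and (self.now() - issued) <= TOKEN_TTL_SECONDS
        ok &= self._check(user, "password", password)
        qhash = user["questions"].get(question)
        ok &= qhash is not None and hmac.compare_digest(
            qhash, _hash_secret(answer.strip().lower(), user["salt"]))
        return ok
```

All three checks in `web_login` are evaluated regardless of earlier failures, and the token is removed before the password is checked, so an attacker who has one of the factors learns nothing from timing and cannot reuse a phone token across attempts.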