[WEB SECURITY] New two-stage login procedure
Esteban Ribičić
kisero at gmail.com
Wed Dec 13 12:21:06 EST 2006
The problem with SMS is that they might not reach their destination due to third-party
problems (carriers, etc.). I used that as a token for my company VPN system...
A smarter way would be:
1) User calls from a defined number (mobile) to a PBX
2) PBX checks any and asks for a code
3) PBX replies with a token
The user logs in with his normal credentials (bank account and password) + token +
"common pool of questions".
It's not expensive... Asterisk can do it.
my 5p
On 12/13/06, Brian Eaton <eaton.lists at gmail.com> wrote:
>
> On 12/13/06, Brian Eaton <eaton.lists at gmail.com> wrote:
> > They ask for three digits, so there
> > are 1000 possibilities.
>
> <blush>
>
> I can't count. They ask for three digits, but order doesn't matter.
> Assuming they won't ask for you to enter the same digit multiple
> times, there are 120 possibilities, not 1000.
>
> Whoops.
>
> Regards,
> Brian
>
>
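The call-in token flow proposed in the message above, as an added sketch that is not part of the original post and not Asterisk code. Assumptions: step 2 is read as a check of the calling number plus a spoken code, the token is six digits valid for 120 seconds, and all names and enrollment data are constructed; the "common pool of questions" step is left out.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 120  # seconds a token stays valid (assumed value)

# Constructed enrollment data: account -> (registered mobile, SHA-256 of phone code).
# A real deployment would store the code with a salted, slow hash.
ENROLLED = {"acct-1001": ("+15550100", hashlib.sha256(b"4821").hexdigest())}
_pending = {}  # account -> (token, expiry timestamp)


def pbx_issue_token(account, caller_id, code, now=None):
    """Steps 1-3: verify calling number and code, then read back a token."""
    now = time.time() if now is None else now
    entry = ENROLLED.get(account)
    if entry is None:
        return None
    number, code_hash = entry
    supplied = hashlib.sha256(code.encode()).hexdigest()
    # Caller ID alone can be spoofed, so the code must also match.
    if caller_id != number or not hmac.compare_digest(supplied, code_hash):
        return None
    token = f"{secrets.randbelow(10**6):06d}"
    _pending[account] = (token, now + TOKEN_TTL)
    return token


def web_login(account, password_ok, token, now=None):
    """Web side: normal credentials plus the token obtained from the PBX."""
    now = time.time() if now is None else now
    # Single use: the token is consumed by any attempt, which also stops
    # repeated guessing against the same six-digit value.
    issued = _pending.pop(account, None)
    if issued is None or not password_ok:
        return False
    expected, expiry = issued
    return now <= expiry and hmac.compare_digest(token.encode(), expected.encode())
```
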