[WEB SECURITY] New two-stage login procedure
Nick Owen
nowen at wikidsystems.com
Wed Dec 13 13:05:15 EST 2006
And it would still be susceptible to a MITM attack, like all 2FA schemes
focused solely on session auth.
Here is my question: Is it possible to do strong mutual authentication
without using cryptography? Are the FIs fooling themselves to think
otherwise?
nick
Brian Eaton wrote:
> On 12/13/06, Esteban Ribičić <kisero at gmail.com> wrote:
>> a smarter would be:
>>
>> 1) user calls from a defined number (mobile) to a pbx
>> 2) pbx checks any and asks for a code
>> 3) pbx replies with a token
>>
>> user logs in with his normal credentials (bank account and password) +
>> token +
>> "common pool of questions".
>>
>> it's not expensive... asterisk can do it.
>
> Caller ID spoofing seems like a problem with this system:
>
> http://www.securityfocus.com/news/9822
>
> Regards,
> Brian
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
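Nick's point that a second factor tied only to the login session is still relayable, as an added example that is not from this thread: a toy model where the one-time code is bound either to the login challenge alone (the PBX-token scheme above) or also to the transaction details. The shared secret, challenge, payee names and amounts are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed values for the demonstration: the secret shared between the
# user's token and the bank, and the per-login challenge the bank hands out.
TOKEN_SECRET = b"constructed-demo-token-secret"
CHALLENGE = b"constructed-login-challenge-0001"


def session_code(secret: bytes, challenge: bytes) -> str:
    """One-time code bound only to the login challenge (session auth)."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


def transaction_code(secret: bytes, challenge: bytes, payee: str, amount: int) -> str:
    """One-time code bound to the challenge AND to the transaction details."""
    msg = challenge + b"|" + payee.encode() + b"|" + str(amount).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def bank_verify(code: str, payee: str, amount: int, bind_transaction: bool) -> bool:
    """Bank side: recompute the expected code from what the bank actually received."""
    if bind_transaction:
        expected = transaction_code(TOKEN_SECRET, CHALLENGE, payee, amount)
    else:
        expected = session_code(TOKEN_SECRET, CHALLENGE)
    return hmac.compare_digest(code, expected)


def relay_scenario(bind_transaction: bool) -> dict:
    """Model an intermediary sitting between user and bank.

    The user intends to pay 'landlord' 500 and produces a valid code for it;
    the intermediary forwards the code untouched but the bank receives a
    different transaction. Returns what the bank saw and whether it accepted."""
    intended = ("landlord", 500)
    if bind_transaction:
        code = transaction_code(TOKEN_SECRET, CHALLENGE, *intended)
    else:
        code = session_code(TOKEN_SECRET, CHALLENGE)
    received = ("mule-account", 5000)  # constructed: not what the user intended
    return {"bank_received": received,
            "accepted": bank_verify(code, *received, bind_transaction)}


if __name__ == "__main__":
    print("session-only second factor:", relay_scenario(False))
    print("transaction-bound code:    ", relay_scenario(True))
```

The session-only code verifies regardless of what transaction follows it, so the altered transfer is accepted; the transaction-bound code fails because the bank recomputes it over the payee and amount it actually received.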
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/