[WEB SECURITY] New two-stage login procedure

Nick Owen nowen at wikidsystems.com
Wed Dec 13 13:05:15 EST 2006

And it would still be susceptible to a MITM attack, like all 2FA schemes
focused solely on session auth.

Here is my question:  Is it possible to do strong mutual authentication
without using cryptography?  Are the FIs fooling themselves to think


Brian Eaton wrote:
> On 12/13/06, Esteban Ribičić <kisero at gmail.com> wrote:
>> A smarter approach would be:
>> 1) user calls from a defined number (mobile) to a PBX
>> 2) PBX checks it and asks for a code
>> 3) PBX replies with a token
>> user logs in with his normal credentials (bank account and password) +
>> token +
>> "common pool of questions".
>> It's not expensive... Asterisk can do it.
> Caller ID spoofing seems like a problem with this system:
> http://www.securityfocus.com/news/9822
> Regards,
> Brian

Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
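The point in the reply above, that a second factor which only authenticates the session does not stop an in-path relay and that binding to the transaction needs cryptography, is easiest to see in a small model. The following Python is an added illustration and is not code from this thread, from WiKID or from the PBX proposal; the HMAC-based challenge/response, the shared secret (constructed for the demo, assumed to be provisioned out of band such as over the phone call) and the transaction strings are all assumptions. The relay is modelled abstractly as a function that forwards the genuine user's response but submits a different transaction; the scheme that binds the response to the transaction rejects it, while the session-only scheme accepts it even though the user verified the server's proof first.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret for the demo. In a real deployment it would be
# provisioned out of band (for example during the phone call in the proposal).
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over length-delimited parts, hex encoded.

    Length prefixes stop "ab" + "c" and "a" + "bc" from colliding.
    """
    msg = "".join(f"{len(p)}:{p}|" for p in parts).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def server_challenge() -> str:
    """Fresh per-session nonce issued by the bank."""
    return secrets.token_hex(16)


def server_proof(key: bytes, nonce: str) -> str:
    """Server half of mutual authentication: proves it holds the shared key."""
    return mac(key, "server", nonce)


def client_verify_server(key: bytes, nonce: str, proof: str) -> bool:
    """Client checks the server proof before sending anything secret."""
    return hmac.compare_digest(server_proof(key, nonce), proof)


def client_response(key: bytes, nonce: str, transaction: str, bound: bool) -> str:
    """Client half.

    bound=False: session-only second factor, the MAC covers just the nonce.
    bound=True:  the MAC also commits to the transaction the user intends,
                 which assumes the user sees those details on a trusted display.
    """
    if bound:
        return mac(key, "client", nonce, transaction)
    return mac(key, "client", nonce)


def server_verify(key: bytes, nonce: str, transaction: str,
                  response: str, bound: bool) -> bool:
    """Bank recomputes the expected MAC for the transaction it actually received."""
    expected = client_response(key, nonce, transaction, bound)
    return hmac.compare_digest(expected, response)


def relay_attempt(bound: bool) -> bool:
    """Model of an in-path relay: it forwards the server proof and the user's
    response unchanged but submits its own transaction to the bank.
    Returns True if the bank accepts the substituted transaction."""
    nonce = server_challenge()
    proof = server_proof(SHARED_SECRET, nonce)
    # The user sees a valid server proof, so server authentication alone
    # gives no warning that a relay is in the path.
    if not client_verify_server(SHARED_SECRET, nonce, proof):
        raise RuntimeError("genuine server proof must verify")
    user_intent = "pay 10.00 to electricity"          # constructed sample
    response = client_response(SHARED_SECRET, nonce, user_intent, bound)
    attacker_intent = "pay 5000.00 to other account"  # constructed sample
    return server_verify(SHARED_SECRET, nonce, attacker_intent, response, bound)


if __name__ == "__main__":
    print("session-only factor, substituted transaction accepted:",
          relay_attempt(bound=False))   # True: relay succeeds
    print("transaction-bound factor, substituted transaction accepted:",
          relay_attempt(bound=True))    # False: relay rejected
```

Two caveats follow from the model. The bound variant only helps if the user computes the response over the transaction they actually see on something the relay cannot rewrite, so a phone or token display showing amount and payee is part of the design, not an optional extra. And every property here (server proof, transaction commitment) comes from the keyed MAC; a token that is just a number typed into a web form carries no such binding, which is the gap the reply above is pointing at.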
