[WEB SECURITY] New two-stage login procedure

Nick Owen nowen at wikidsystems.com
Wed Dec 13 13:05:15 EST 2006


And it would still be susceptible to a MITM attack, like all 2FA schemes
focused solely on session auth.

Here is my question:  Is it possible to do strong mutual authentication
without using cryptography?  Are the FIs fooling themselves to think
otherwise?

nick

Brian Eaton wrote:
> On 12/13/06, Esteban Ribičić <kisero at gmail.com> wrote:
>> a smarter one would be:
>>
>> 1) user calls from a defined number (mobile) to a pbx
>> 2) pbx checks any and asks for a code
>> 3) pbx replies with a token
>>
>> user logs in with his normal credentials (bank account and password) +
>> token +
>> "common pool of questions".
>>
>> it's not expensive... Asterisk can do it.
> 
> Caller ID spoofing seems like a problem with this system:
> 
> http://www.securityfocus.com/news/9822
> 
> Regards,
> Brian

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
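The MITM point in the reply above, as an added example that is not code from the post or from WiKID Systems: a toy bank where login is password plus an event-based one-time code, a phishing proxy that relays the captured code within its validity window and ends up holding a genuine session, and a second endpoint where the token's code is a MAC over the transaction details so the same relay cannot change what the code authorises. The seed, password, account names and amounts are constructed, and the code generator is a simplified HOTP-style construction (HMAC-SHA1 over a counter, truncated) written for this example rather than a real product's algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: the seed shared between Alice's token and the bank,
# and her password.  None of this comes from the original post.
SEED = b"0123456789abcdef0123"
PASSWORD = "hunter2"


def hotp_like(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the counter, truncated to `digits`.
    Simplified from RFC 4226 (no dynamic offset).  It proves possession of
    the seed but says nothing about what the user is trying to do."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def txn_code(seed: bytes, counter: int, amount: int, dest: str, digits: int = 6) -> str:
    """Same construction, but the MAC also covers amount and destination,
    so the code is only valid for this exact transaction."""
    msg = counter.to_bytes(8, "big") + f"{amount}:{dest}".encode()
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Bank:
    """Minimal server: password + OTP login hands out a bearer session;
    a separate endpoint accepts transaction-bound codes instead."""

    def __init__(self):
        self.users = {"alice": {"pw": PASSWORD, "seed": SEED, "ctr": 0}}
        self.sessions = {}   # session token -> user
        self.transfers = []  # (user, amount, dest) the bank executed

    def login(self, user, pw, code):
        u = self.users.get(user)
        if u is None or pw != u["pw"]:
            return None
        if not hmac.compare_digest(code, hotp_like(u["seed"], u["ctr"])):
            return None
        u["ctr"] += 1
        tok = secrets.token_hex(16)
        self.sessions[tok] = user
        return tok

    def transfer(self, session, amount, dest):
        user = self.sessions.get(session)
        if user is None:
            return False
        self.transfers.append((user, amount, dest))
        return True

    def transfer_signed(self, user, amount, dest, code):
        u = self.users[user]
        if not hmac.compare_digest(code, txn_code(u["seed"], u["ctr"], amount, dest)):
            return False
        u["ctr"] += 1
        self.transfers.append((user, amount, dest))
        return True


def session_otp_relay():
    """Alice types her password and a fresh OTP into a look-alike site.
    The attacker forwards both to the real bank while the OTP is still
    valid, receives a genuine session, and spends it as he likes."""
    bank = Bank()
    phished = ("alice", PASSWORD, hotp_like(SEED, 0))  # captured by the fake site
    session = bank.login(*phished)                      # attacker relays it
    bank.transfer(session, 1000, "mallory")             # not what Alice asked for
    return bank.transfers


def transaction_code_relay():
    """Alice's token now signs (amount, dest).  The relay can still forward
    the code unchanged, but cannot change what it authorises."""
    bank = Bank()
    code = txn_code(SEED, 0, 100, "bob")                # Alice's intended transfer
    tampered = bank.transfer_signed("alice", 100, "mallory", code)
    forwarded = bank.transfer_signed("alice", 100, "bob", code)
    return tampered, forwarded, bank.transfers
```

The first scenario is the relay that works against any scheme whose second factor only answers "is this the right user?" for the session. The second only helps if the user sees and confirms the real amount and destination on the token itself; if the token just signs whatever the browser hands it, the proxy supplies its own details and the binding buys nothing.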

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
