[WEB SECURITY] New two-stage login procedure

Brian Eaton eaton.lists at gmail.com
Wed Dec 13 15:21:00 EST 2006


On 12/13/06, James Landis <jcl24 at cornell.edu> wrote:
> The PIN plus alternate channel process (e.g. cell phone text message) needs
> to require a valid PIN _before_ generating the text message with the second
> PIN for authentication. Otherwise, text spamming is possible. While this can
> be limited to one spam per user, that could still add up to a lot of spam.

Humph.  This is an unfortunate choice to have to make.

If you make someone give up the PIN before you send the text message,
phishers have an easier time stealing PINs.

If you send the text message first, pranksters can annoy your end users.

I might go ahead and send the text message first, on the grounds that
pranksters won't find this prank all that amusing, whereas phishers
may be strongly motivated.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list