[Info-vax] Two-Factor Authentication
Michael Moroney
moroney at world.std.spaamtrap.com
Wed Oct 23 11:16:43 EDT 2019
VAXman- @SendSpamHere.ORG writes:
>>web app: password + client certificate *or* password + text message with
>>pin (either via email to text gateway or a text messaging provider
>>offering a web service API)
>Many web sites are doing this and I discussed this method with a party interested
>in implementing 2FA yesterday. My bank is now doing this OTP pin authentication
>which I, personally, find extremely annoying. The email route can often be very
>long in which case the OTP pin is expired and I don't have a phone that receives
>SMS. The whole phone thing seems problematic, especially if it's a mobile phone
>and the user is outside of cell service.
Plus thieves are hijacking cell phone 2FA by getting the number transferred to
their own phone by replacing/"updating" the SIM card associated with that
number. They mostly use this to steal bitcoin from accounts where they already
know or have cracked the password.