[Info-vax] Two-Factor Authentication

Arne Vajhøj arne at vajhoej.dk
Wed Oct 23 20:21:47 EDT 2019


On 10/23/2019 11:16 AM, Michael Moroney wrote:
> VAXman-  @SendSpamHere.ORG writes:
>>> web app: password + client certificate *or* password + text message with
>>> pin (either via email to text gateway or a text messaging provider
>>> offering a web service API)
> 
>> Many web sites are doing this and I discussed this method with a party interested
>> in implementing 2FA yesterday.  My bank is now doing this OTP pin authentication
>> which I, personally, find extremely annoying.  The email route can often be very
>> long in which case the OTP pin is expired and I don't have a phone that receives
>> SMS.  The whole phone thing seems problematic, especially if it's a mobile phone
>> and the user is outside of cell service.
> 
> Plus thieves are hijacking cell phone 2FA by getting the number transferred to
> their own phone by replacing/"updating" the SIM card associated with that
> number. They mostly use this to steal bitcoin from accounts where they already
> know or have cracked the password.

It is a possibility.

But the claim is not that password+text is 100% secure, just that
it is more secure than password alone.

Arne