[17752] in cryptography@c2.net mail archive
Re: the limits of crypto and authentication
daemon@ATHENA.MIT.EDU (dan@geer.org)
Sat Jul 9 23:37:20 2005
X-Original-To: cryptography@metzdowd.com
From: dan@geer.org
To: cryptography@metzdowd.com
In-Reply-To: Your message of "Sat, 09 Jul 2005 20:38:38 +0200." <87ackv964x.fsf@deneb.enyo.de>
Date: Sat, 09 Jul 2005 18:24:22 -0400
Florian Weimer writes:
|
| >>It would seem simple to thwart such a trojan with strong authentication
| >>simply by requiring a second one-time passcode to validate the
| >>transaction itself in addition to the session.
| >>
| >
| > How does the user know which transaction is really being authenticated?
|
| You send the pass code in an SMS to the user's mobile phone, together
| with some information on the transaction. (If the SMS delay is a
| problem, use a computer-generated phone call.) The pass code is then
| entered by the user to authorize the transaction.
[ Disclaimer -- I advise this company ]
Take a look at Boojum Mobile -- it is
precisely the idea of using the cell
phone as an out-of-band channel for an
in-band transaction.
http://www.boojummobile.com
[ Disclaimer -- I advise this company ]
--dan
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
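The flow Florian describes (a one-time code delivered out of band together with the transaction details, then typed back by the user) only defeats a transaction-altering trojan if the code is bound to the transaction the server will actually execute, not just to the session. The following is an added illustration, not code from this thread, from Boojum Mobile, or from any bank: a server-side issuer/verifier that derives the code as an HMAC over a per-transaction nonce and the canonical transaction fields shown in the phone message. The secret, amounts, payees and transaction ids are constructed placeholders. Delivery of the message (SMS or voice call) is assumed to happen outside this code; the `issue` return value is the text that would be sent.

```python
import hmac
import hashlib
import secrets


class TransactionOtpServer:
    """Bank-side issuer/verifier for a one-time code bound to one transaction.

    The code is an HMAC over (per-transaction nonce || canonical transaction
    fields), truncated HOTP-style to 6 digits. The same fields appear in the
    out-of-band message, so the user confirms exactly what the server will execute.
    """

    def __init__(self, secret: bytes, ttl_seconds: int = 120):
        self._secret = secret          # constructed placeholder key in demo()
        self._ttl = ttl_seconds
        self._pending = {}             # txn_id -> [nonce, issued_at, used]

    @staticmethod
    def canonical(txn: dict) -> bytes:
        # deterministic encoding of the fields the user sees in the message
        return f"{txn['amount']}|{txn['currency']}|{txn['payee']}".encode("utf-8")

    def _code_for(self, canonical: bytes, nonce: bytes) -> str:
        mac = hmac.new(self._secret, nonce + canonical, hashlib.sha256).digest()
        offset = mac[-1] & 0x0F                                   # dynamic truncation
        num = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{num % 1_000_000:06d}"

    def issue(self, txn_id: str, txn: dict, now: int) -> str:
        """Record a fresh nonce for this transaction and build the out-of-band message."""
        nonce = secrets.token_bytes(16)
        self._pending[txn_id] = [nonce, now, False]
        code = self._code_for(self.canonical(txn), nonce)
        return (f"Confirm payment of {txn['amount']} {txn['currency']} "
                f"to {txn['payee']}. Code: {code}")

    def verify(self, txn_id: str, txn_to_execute: dict, submitted_code: str, now: int) -> bool:
        """Accept the code only for the transaction that is about to be executed.

        The code is recomputed over txn_to_execute, so a transaction altered
        in-band after the message went out yields a mismatch. Codes are
        single-use and expire after ttl_seconds.
        """
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        nonce, issued_at, used = entry
        if used or now - issued_at > self._ttl:
            return False
        expected = self._code_for(self.canonical(txn_to_execute), nonce)
        if not hmac.compare_digest(expected, submitted_code):
            return False
        entry[2] = True                # consume the code
        return True


def code_from_message(message: str) -> str:
    """What the user types back: the 6-digit code at the end of the phone message."""
    return message.rsplit("Code: ", 1)[1].strip()


def demo() -> dict:
    # constructed sample data; the key is a placeholder, not a real secret
    server = TransactionOtpServer(b"constructed-server-secret-not-a-real-key")
    original = {"amount": "250.00", "currency": "EUR", "payee": "ACME Supplies"}
    altered = {"amount": "250.00", "currency": "EUR", "payee": "Other Payee"}

    # 1. honest flow: the code confirms the transaction described in the message
    msg = server.issue("txn-1", original, now=1000)
    honest = server.verify("txn-1", original, code_from_message(msg), now=1030)

    # 2. payee changed in-band after the code was issued: the code no longer matches
    msg = server.issue("txn-2", original, now=2000)
    tampered = server.verify("txn-2", altered, code_from_message(msg), now=2030)

    # 3. replay: a code that has already been consumed is rejected
    msg = server.issue("txn-3", original, now=3000)
    code = code_from_message(msg)
    first = server.verify("txn-3", original, code, now=3010)
    replay = server.verify("txn-3", original, code, now=3020)

    # 4. expiry: a code older than ttl_seconds is rejected
    msg = server.issue("txn-4", original, now=4000)
    expired = server.verify("txn-4", original, code_from_message(msg), now=4000 + 121)

    return {"honest": honest, "tampered": tampered, "first": first,
            "replay": replay, "expired": expired, "message": msg}


if __name__ == "__main__":
    print(demo())
```

The design point is in `verify`: the server never trusts the code alone, it recomputes the expected code over the transaction it is about to execute. Binding the code to the displayed fields is what turns the phone into a genuine second channel for the transaction rather than just a second session factor.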