Re: two-factor OTP systems

[Matthew Dalton <daltonm () OHIO EDU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Has anyone explored Phone Factor (www.phonefactor.com) for this purpose?
 It has many of these advantages, but I don't know enough about it to
get a good measure of the risks.

- --
Matthew Dalton
Director of Information Security
Office of Information Technology
Ohio University
Phone: 740-597-1914

Tyler T. Schoenke wrote:
> Gary,
>
> I agree with you about using cell phones for two-factor authentication.
>   I think that is the most practical solution for most vendors.  Like
> you said, high-risk environments will want to continue using token
> devices.
>
> I recall hearing about China using cell phone text messages to
> authenticate credit card transactions.  When someone makes a purchase,
> the vendor swipes the card, and the credit card company texts an
> authorization code to that person's phone.  They tell the code to the
> vendor, who keys it back in to complete the transaction.  So if someone
> steals your credit card info, they can't use it without also stealing
> your cell phone.
>
> I think the big advantage with text messages is that you can have thirty
> higher-risk accounts all sending texts to your cell phone.  That is much
> nicer than carrying around thirty tokens.
>
> Tyler
>
> --
> Tyler Schoenke
> IT Security Office
> University of Colorado - Boulder
>
>
> Gary Flynn wrote:
> > jeff murphy wrote:
> > > I'm looking for experiences/recommendations on two-factor OTP systems
> > > suitable for plugging into RADIUS and/or Active Directory.
> > >
> > > I'd be particularly interested in systems that can use smartphones as
> > > the token generator. Google lead me to:
> > >
> > > http://www.deepnetsecurity.com/products2/MobileID.asp
> > >
> > > but I haven't found much else on that front.
> >
> > Did you get any other responses? I'm interested in using
> > phones too. I ran across the following a while back but
> > I'm getting ready to start looking again...
> >
> > http://www.phonefactor.com/
> > http://motp.sourceforge.net/
> >
> > There is a lot of stuff on the net now
> > http://www.google.com/search?q=cell+phone+authentication&hl=en&start=30&sa=N
> >
> >
> > It seems to me using cellphones that most people carry
> > these days as a second factor would do a lot to get
> > rid of reusable passwords at a reasonable cost with
> > a lot less impact than singe use token devices. This would
> > be particularly useful for populations and applications
> > where mandating a more traditional two factor system
> > where justification was marginal.
> >
> > I know the cell phone based schemes aren't as strong as
> > traditional 2-factor but if they're more likely to be
> > implemented and stop 98% of the problems with reusable
> > passwords, what's not to like? Stronger methods can be
> > reserved for those applications where that 2% poses a
> > high risk.
> >
> > Heck, even I finally broke down and got a cell phone
> > a couple years ago when I said I never would. Now
> > I'm looking for a smart phone (actually a mobile
> > computer with voice capabilities). :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknVFMkACgkQVKUofGqW+tyVTACg3DRMkUg2euMwwCwADgLEAdfF
ySkAoLm/JCurQV5K+/DocIXTVpNp0dWF
=lSq3
-----END PGP SIGNATURE-----