Educause Security Discussion mailing list archives

Re: two-factor OTP systems


From: "Tyler T. Schoenke" <Tyler.Schoenke () COLORADO EDU>
Date: Thu, 2 Apr 2009 12:49:53 -0600


Gary,

I agree with you about using cell phones for two-factor authentication.
  I think that is the most practical solution for most vendors.  Like
you said, high-risk environments will want to continue using token
devices.

I recall hearing about China using cell phone text messages to
authenticate credit card transactions.  When someone makes a purchase,
the vendor swipes the card, and the credit card company texts an
authorization code to that person's phone.  They tell the code to the
vendor, who keys it back in to complete the transaction.  So if someone
steals your credit card info, they can't use it without also stealing
your cell phone.

I think the big advantage with text messages is that you can have thirty
higher-risk accounts all sending texts to your cell phone.  That is much
nicer than carrying around thirty tokens.

Tyler

--
Tyler Schoenke
IT Security Office
University of Colorado - Boulder


Gary Flynn wrote:
jeff murphy wrote:
I'm looking for experiences/recommendations on two-factor OTP systems
suitable for plugging into RADIUS and/or Active Directory.

I'd be particularly interested in systems that can use smartphones as
the token generator. Google led me to:

http://www.deepnetsecurity.com/products2/MobileID.asp

but I haven't found much else on that front.


Did you get any other responses? I'm interested in using
phones too. I ran across the following a while back but
I'm getting ready to start looking again...

http://www.phonefactor.com/
http://motp.sourceforge.net/

There is a lot of stuff on the net now
http://www.google.com/search?q=cell+phone+authentication&hl=en&start=30&sa=N


It seems to me using cellphones that most people carry
these days as a second factor would do a lot to get
rid of reusable passwords at a reasonable cost with
a lot less impact than single use token devices. This would
be particularly useful for populations and applications
where mandating a more traditional two factor system
where justification was marginal.

I know the cell phone based schemes aren't as strong as
traditional 2-factor but if they're more likely to be
implemented and stop 98% of the problems with reusable
passwords, what's not to like? Stronger methods can be
reserved for those applications where that 2% poses a
high risk.

Heck, even I finally broke down and got a cell phone
a couple years ago when I said I never would. Now
I'm looking for a smart phone (actually a mobile
computer with voice capabilities). :)
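The per-transaction SMS authorization flow Tyler describes, written out as an added example (not code from the list thread or from any of the linked products): a hypothetical issuer-side service that generates the code, binds it to the transaction amount, and enforces expiry, single use and an attempt limit. The class name, TTL and attempt limit are assumed values, and the code is returned to the caller rather than handed to an SMS gateway so the flow runs offline.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed validity window for an issued code
MAX_ATTEMPTS = 3         # assumed number of guesses before the code is voided


class TransactionOtpService:
    """Hypothetical issuer-side component: issues one code per transaction
    and verifies it once. In a real deployment issue() would pass the code
    to an SMS gateway; here it is returned so the logic can be exercised."""

    def __init__(self, clock=time.time, rng=secrets.randbelow):
        self._clock = clock          # injectable for deterministic tests
        self._rng = rng              # CSPRNG by default
        self._pending = {}           # transaction_id -> pending record

    def issue(self, transaction_id, phone_number, amount_cents):
        # Six decimal digits from the CSPRNG, tied to this transaction only.
        code = "%06d" % self._rng(1_000_000)
        self._pending[transaction_id] = {
            "code": code,
            "phone": phone_number,
            "amount": amount_cents,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, transaction_id, amount_cents, submitted_code):
        rec = self._pending.get(transaction_id)
        if rec is None:
            return False                          # unknown or already consumed
        if self._clock() > rec["expires"]:
            del self._pending[transaction_id]     # expired: void it
            return False
        rec["attempts"] += 1
        # The amount must match so the code cannot authorize a different
        # charge; the code itself is compared in constant time.
        ok = (amount_cents == rec["amount"] and
              hmac.compare_digest(rec["code"], str(submitted_code)))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[transaction_id]     # single use; void on too many tries
        return ok
```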

