the limits of crypto and authentication

Steven M. Bellovin smb at cs.columbia.edu
Sat Jul 9 11:45:35 EDT 2005


In message <42CFEE6E.1080607 at wikidsystems.com>, Nick Owen writes:
>It would seem simple to thwart such a trojan with strong authentication
>simply by requiring a second one-time passcode to validate the
>transaction itself in addition to the session.
>

How does the user know which transaction is really being authenticated?
(I alluded to this in a 1997 panel session talk; see
http://www.cs.columbia.edu/~smb/talks/ncsc-97/index.htm )

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



---------------------------------------------------------------------
The Cryptography Mailing List