the limits of crypto and authentication

dan at geer.org dan at geer.org
Sat Jul 9 18:24:22 EDT 2005


Florian Weimer writes:
 | 
 | >>It would seem simple to thwart such a trojan with strong authentication
 | >>simply by requiring a second one-time passcode to validate the
 | >>transaction itself in addition to the session.
 | >>
 | >
 | > How does the user know which transaction is really being authenticated?
 | 
 | You send the pass code in an SMS to the user's mobile phone, together
 | with some information on the transaction.  (If the SMS delay is a
 | problem, use a computer-generated phone call.)  The pass code is then
 | entered by the user to authorize the transaction.


[ Disclaimer -- I advise this company ]

Take a look at Boojum Mobile -- it is
precisely the idea of using the cell
phone as an out-of-band channel for an
in-band transaction.

http://www.boojummobile.com

[ Disclaimer -- I advise this company ]

--dan
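The property Florian describes, and that the out-of-band phone channel relies on, is that the one-time code authorizes one specific transaction, and the phone shows the user which one. The following is an added illustration, not code from the thread or from Boojum Mobile: a hypothetical server-side `TransactionAuthorizer` that derives each code from a per-transaction nonce and the transaction details, sends the details together with the code over a stand-in SMS channel (a callable supplied by the caller), and accepts the code only once and only for the transaction it was issued for. All names, the 6-digit code format and the sample payees are assumptions made for the example.

```python
"""Transaction-bound out-of-band one-time codes (constructed example).

The server binds each code to the transaction it was issued for and sends the
code together with the transaction details to the user's phone. A code thus
authorizes exactly one transaction: submitting it with altered details, or
submitting it twice, fails.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str          # destination account (sample values are constructed)
    amount_cents: int


class TransactionAuthorizer:
    """Hypothetical server-side component; not any real product's code."""

    def __init__(self, send_sms):
        # Per-deployment secret used to derive codes. Generated here for the
        # example; in practice it would be held in an HSM or key service.
        self._key = secrets.token_bytes(32)
        self._send_sms = send_sms          # out-of-band channel (stand-in for SMS)
        self._pending = {}                 # tx_id -> (Transaction, nonce)

    def _code_for(self, tx, nonce):
        # The code is a keyed hash over the nonce AND the transaction details,
        # so it cannot authorize a transaction with different details.
        msg = f"{nonce}|{tx.payee}|{tx.amount_cents}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def request_authorization(self, tx):
        tx_id = secrets.token_hex(8)
        nonce = secrets.token_hex(16)      # fresh per request: identical transactions get different codes
        self._pending[tx_id] = (tx, nonce)
        # The SMS carries the details so the user can check what is being authorized,
        # which is what a trojan altering the in-band session cannot hide.
        self._send_sms(
            f"Approve payment of {tx.amount_cents / 100:.2f} to {tx.payee}? "
            f"Code: {self._code_for(tx, nonce)}"
        )
        return tx_id

    def confirm(self, tx_id, entered_code, submitted_tx):
        """Return True only if entered_code was issued for exactly submitted_tx."""
        pending = self._pending.pop(tx_id, None)   # single use: any attempt consumes it
        if pending is None:
            return False
        _, nonce = pending
        # Recompute over the transaction that is actually about to be executed.
        expected = self._code_for(submitted_tx, nonce)
        return hmac.compare_digest(expected, entered_code)


def extract_code(sms_text):
    """Pull the 6-digit code out of the constructed SMS text (for demo/tests)."""
    return sms_text.rsplit("Code: ", 1)[1]


if __name__ == "__main__":
    phone = []                                     # constructed stand-in for the handset
    auth = TransactionAuthorizer(phone.append)
    tx = Transaction("Alice", 10_000)
    tx_id = auth.request_authorization(tx)
    print("phone shows:", phone[-1])
    print("approved as shown:", auth.confirm(tx_id, extract_code(phone[-1]), tx))
```

The two checks that matter are in `confirm`: the code is recomputed over the transaction the server is about to execute, so a code the user approved for one payment cannot be turned into approval for another, and the pending entry is consumed on the first attempt, so a captured code cannot be replayed. The phone message itself is what lets the user notice a transaction they did not intend.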




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com