the limits of crypto and authentication
dan at geer.org
Sat Jul 9 18:24:22 EDT 2005
Florian Weimer writes:
|
| >>It would seem simple to thwart such a trojan with strong authentication
| >>simply by requiring a second one-time passcode to validate the
| >>transaction itself in addition to the session.
| >>
| >
| > How does the user know which transaction is really being authenticated?
|
| You send the pass code in an SMS to the user's mobile phone, together
| with some information on the transaction. (If the SMS delay is a
| problem, use a computer-generated phone call.) The pass code is then
| entered by the user to authorize the transaction.
[ Disclaimer -- I advise this company ]
Take a look at Boojum Mobile -- it is
precisely the idea of using the cell
phone as an out-of-band channel for an
in-band transaction.
http://www.boojummobile.com
[ Disclaimer -- I advise this company ]
--dan
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
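The thread above sketches the server side of a transaction-bound out-of-band code: the code sent by SMS is tied to the transaction details shown in the same message, so a trojan in the browser session cannot reuse the code for a different payee or amount. The following Python sketch is an added example written for this page; it is not code from the thread, from Florian Weimer, or from Boojum Mobile. The function names (issue_code, verify_code), the transaction field set, the 120-second lifetime, and the in-memory pending store are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server secret and pending-transaction store for the example only;
# a real deployment keeps the key in an HSM/KMS and the store in a database.
SERVER_KEY = secrets.token_bytes(32)
PENDING = {}  # nonce -> (transaction as shown to the user, expiry timestamp)

# Assumed field set; fixed order so the code is bound to exactly what the user reads.
TX_FIELDS = ("account", "payee", "amount", "currency")


def canonical(tx):
    """Serialise the transaction deterministically for MAC computation."""
    return "|".join(f"{k}={tx[k]}" for k in TX_FIELDS)


def _code_for(nonce, tx):
    """Derive a 6-digit one-time code from the server key, a per-request nonce
    and the canonical transaction, so changing any field changes the code."""
    mac = hmac.new(SERVER_KEY, f"{nonce}|{canonical(tx)}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def issue_code(tx, now=None, ttl=120):
    """Server side, step 1: record the pending transaction and build the SMS text.
    Returns (nonce, code, sms). The SMS carries the transaction details next to
    the code, which is how the user learns what they are about to authorise."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    code = _code_for(nonce, tx)
    PENDING[nonce] = (dict(tx), now + ttl)
    sms = (f"Pay {tx['amount']} {tx['currency']} to {tx['payee']} "
           f"from {tx['account']}? Code: {code}")
    return nonce, code, sms


def verify_code(nonce, submitted_tx, code, now=None):
    """Server side, step 2: the in-band session submits the transaction it wants
    executed plus the code the user typed. The code is recomputed over the
    SUBMITTED transaction, so a trojan that swaps payee or amount after the SMS
    went out gets a mismatch. Each nonce is consumed on first use (no replay)."""
    now = time.time() if now is None else now
    pending = PENDING.pop(nonce, None)  # one-time: consume even on failure
    if pending is None:
        return False  # unknown or already-used nonce
    _shown_tx, expiry = pending
    if now > expiry:
        return False  # stale code
    expected = _code_for(nonce, submitted_tx)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Constructed sample transaction.
    tx = {"account": "12-3456", "payee": "Alice", "amount": "100.00", "currency": "EUR"}
    nonce, code, sms = issue_code(tx)
    print("SMS to user:", sms)
    print("honest submit:", verify_code(nonce, tx, code))
    nonce, code, _ = issue_code(tx)
    tampered = dict(tx, payee="Mallory")
    print("tampered submit:", verify_code(nonce, tampered, code))
```

The point the exchange makes is preserved here: the only thing a session-level trojan can do is submit what the user already read and approved on the phone, because the phone message and the verification MAC cover the same transaction fields. If the trojan alters the transaction before the code is issued, the SMS shows the altered details and the user can decline; if it alters them afterwards, verification fails.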