
I'm a pretty big fan of the rolling token 2-factor authentication model, with the app on your phone presenting you the rolling token. The Blizzard login app is the biggest single example that comes to mind. SMS really isn't secure; I think something like this could be a good next step to phase in.


This is the same design as RSA SecurID: http://en.wikipedia.org/wiki/SecurID

I had no idea you could also do Google's two factor auth with SMS messages. That seems really flaky.


This is the same as the Google Authenticator app that people are talking about.


The thing that bugs me about this model is that it's not challenge-response, so someone can play man-in-the-middle.

While it's possible to hijack someone's phone number, as demonstrated, it requires a relatively high amount of effort per target. Whereas if you compromise a network segment somewhere (with DNS and a rogue SSL cert or whatever you need), you could just sit there, farming authentication cookies. Have your MitM check the "authenticate this computer for 30 days" checkbox and you've got a nice little collection to work with.
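
Added example, not code from any commenter on this thread: the rolling-token scheme discussed above is TOTP (RFC 6238, which is what Google Authenticator and the Blizzard app implement) built on HOTP (RFC 4226). The block implements both, checks them against the RFC test vectors, and then models the two situations raised in the thread: a relaying man-in-the-middle that forwards a victim's TOTP code within the validity window (accepted, because the code is bound to nothing but time), and an origin-bound challenge-response in the style of U2F/WebAuthn, where the device signs the origin the browser actually connected to, so a relayed response fails. The challenge-response scheme, the origins, the device key and the timestamps are constructed for illustration; only the RFC test vectors are real.

```python
"""TOTP (RFC 6238) versus origin-bound challenge-response under a relaying MitM.

Added example for this thread, not code from any commenter. Secrets, origins
and timestamps are constructed; the RFC 4226/6238 test vectors are real.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (default 30 s)."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring
    steps (clock skew), using a constant-time compare. A real server must
    also refuse to accept the same counter value twice (replay)."""
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


# --- Scenario 1: a phishing proxy relays a TOTP code in real time ----------

def relayed_totp_accepted(secret: bytes, now: float, relay_delay: float = 5.0) -> bool:
    """Victim types the code into the attacker's page; the attacker submits
    it to the real site a few seconds later. Nothing binds the code to the
    submitter or the site, so it is accepted (constructed scenario)."""
    victim_code = totp(secret, now)
    return verify_totp(secret, victim_code, now + relay_delay)


# --- Scenario 2: origin-bound challenge-response (the U2F/WebAuthn idea) ----

def sign_challenge(device_secret: bytes, nonce: bytes, origin_seen: str) -> bytes:
    """Authenticator MACs the server nonce together with the origin the
    browser actually connected to. Hypothetical scheme: WebAuthn uses a
    per-site key pair and a signature, but the origin binding is the point."""
    return hmac.new(device_secret, nonce + origin_seen.encode(),
                    hashlib.sha256).digest()


def verify_challenge(device_secret: bytes, nonce: bytes,
                     expected_origin: str, response: bytes) -> bool:
    """Server recomputes the MAC over its own origin and the nonce it issued."""
    return hmac.compare_digest(
        sign_challenge(device_secret, nonce, expected_origin), response)


def relayed_challenge_accepted(device_secret: bytes,
                               real_origin: str = "https://bank.example",
                               phish_origin: str = "https://bank-login.example") -> bool:
    """Attacker forwards the real server's nonce to the victim, but the
    victim's browser is talking to the phishing origin, so that is what
    gets signed and the real server rejects it (constructed scenario)."""
    nonce = hashlib.sha256(b"constructed-server-nonce").digest()
    response = sign_challenge(device_secret, nonce, phish_origin)
    return verify_challenge(device_secret, nonce, real_origin, response)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key
    print(hotp(secret, 0), totp(secret, 59, digits=8))   # 755224 94287082
    print(relayed_totp_accepted(secret, time.time()))     # True
    print(relayed_challenge_accepted(b"constructed-key")) # False
```

The TOTP relay succeeds for the same reason the "authenticate this computer for 30 days" cookie is valuable to the attacker: the server only learns that someone, somewhere, knew the current code. The origin-bound variant fails for the relay because the response carries the name of the site the user was actually looking at, which the real server does not recognise as itself.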


Are you familiar with methods that are resilient in the face of MitM attacks?


How would this help prevent the situation described in the article?


It does not rely on the phone companies, rather an app from Blizzard.



