http://www.phonefactor.com/blog/public-hotspots-and-phonefactor.php Two-Factor Authentication Without Tokens Thu, 05 Nov 2009 18:42:19 +0000 hourly 1 http://wordpress.org/?v=abc http://www.phonefactor.com/blog/public-hotspots-and-phonefactor.php/comment-page-1#comment-20 Soren Dreijer Sun, 02 Dec 2007 12:42:18 +0000 http://blog.phonefactor.net/?p=32#comment-20 I think another issue here is that an attacker could just use the stolen credentials for something else that isn't PhoneFactored. Many users these days use the same password for multiple web-services (I wonder when it becomes standard practice to use an online password storage), so even though you are greatly reducing the risk that an attacker impersonates you for some services, your credentials have *still* been stolen and can be used a great deal of other places. Here's an interesting thought: say all the applications you mentioned in your previous post (e.g. IM, Skype, E-mail) were using PhoneFactor. When the user logs on to his computer his phone would ring like 20 times and some of the applications would probably fail to authenticate since they are trying to call your phone at the same time. I think another issue here is that an attacker could just use the stolen credentials for something else that isn’t PhoneFactored. Many users these days use the same password for multiple web-services (I wonder when it becomes standard practice to use an online password storage), so even though you are greatly reducing the risk that an attacker impersonates you for some services, your credentials have *still* been stolen and can be used a great deal of other places.
Here’s an interesting thought: say all the applications you mentioned in your previous post (e.g. IM, Skype, E-mail) were using PhoneFactor. When the user logs on to his computer his phone would ring like 20 times and some of the applications would probably fail to authenticate since they are trying to call your phone at the same time.

]]>