Shostack + Friends Blog Archive


From The "Wish I'd Posted That" Files

Gunnar (as usual) has a great post highlighting the lack of a real cohesive strategy in the security products arena and IT security teams losing sight of the big picture. In particular, he highlights a comment from Andrew van der Stock about using SMS as an out-of-band authentication mechanism. Man I wish I’d thought of that…

3 comments on "From The "Wish I'd Posted That" Files"

  • dave says:

    ummmm – is that a new idea? One of our developers implemented that a couple of years back – it made sense to me as an extension of the call-back mechanism used with dial-up. Someone logs in and then gets a random code sms’d – their cell phone becomes an RSA key in effect.

  • Arthur says:

    Well it’s not so much that it’s a new idea. But both the quality of the description along with the dial-back type functionality made the post rather elegant to my eye.

  • davi says:

    Weird. It’s been in use for many years in the financial industry and I remember working with a similar system a couple years back. Plenty of examples around, and I think it was even a hot topic on Schneier’s blog a few months back. Just wondering out loud if there might be some opportunities to avoid reinventing the wheel here.
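
The flow dave describes (password login, then a random code sent to the phone on file, then the code entered back) is sketched below as an added example; it is not code from the post, from Gunnar's article, or from any commenter. The SMS gateway is a caller-supplied callable, and the two-minute lifetime and three-guess limit are assumed policy values, not something the thread specifies.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumed policy: code dies after two minutes
MAX_ATTEMPTS = 3         # assumed policy: discard the code after three guesses


@dataclass
class PendingChallenge:
    code: str
    phone: str
    expires_at: float
    attempts: int = 0


class SmsOobAuth:
    """Second step after a successful password login: a one-time code over SMS."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, message); a real gateway in production
        self.clock = clock         # injectable so expiry can be exercised offline
        self.pending = {}          # username -> PendingChallenge

    def issue(self, username, phone):
        # Six digits from a CSPRNG; a plain random.randint() would be guessable.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = PendingChallenge(code, phone, self.clock() + CODE_TTL_SECONDS)
        self.send_sms(phone, f"Your login code is {code}")

    def verify(self, username, submitted):
        ch = self.pending.get(username)
        if ch is None:
            return False                       # nothing outstanding (never issued or already used)
        if self.clock() > ch.expires_at:
            del self.pending[username]         # stale code is worthless, drop it
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code, submitted)   # constant-time, no early-exit on mismatch
        if ok or ch.attempts >= MAX_ATTEMPTS:
            del self.pending[username]         # single use, and no unlimited online guessing
        return ok
```

Any channel that delivers the code to a device the user already holds fits this shape; the checks that matter (CSPRNG source, expiry, single use, guess limit, constant-time compare) are independent of the channel.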
