From: Gregory Steuck (gregNEST.CX)
Date: Thu Mar 22 2001 - 17:46:44 CST
>>>>> "Lukasz" == Lukasz Luzar <lluzarDEVELOPERS.OF.PL> writes:
Lukasz> The system is the most reliable way of
Lukasz> secure authorization. It eliminates all disadvantages of a
Lukasz> typical login/password and any other otp implementations.
These claims are questionable.
Lukasz> When you want to log into the server from an untrusted
Lukasz> network, then you send a SMS message with your real login
Lukasz> and password (e.g. "john 12blah45") in the body of message
Lukasz> to the GSM phone connected to the server. When the server
Lukasz> receives a message, the smsotpd daemon processes the request in
Lukasz> the following steps: 1. Checks if the user is permitted to
Lukasz> authorize from the phone number (checks /etc/smsotp.access
This is the part the whole authentication mechanism depends on. You made
at least 2 assumptions here:
1) GSM phone network is secure between the endpoints (phones) and can
not be sniffed.
2) SMS source address can not be forged.
I am pretty sure that both assumptions are wrong. The phone company (or
companies, I don't know how the messages are routed) will most certainly
be able to sniff your messages and forge the source address.
So, what you are proposing boils down to replacing an open network (the
Internet) with some closed phone company network. I don't trust my phone
company any more than my ISP. Do you?