On Fri, Dec 02, 2005 at 11:35:16AM -0600, Frank Knobbe wrote:

> At the end of the day, one-time-passwords for login *and* transactions
> are probably the only real solution to prevent replay and mitm attacks
> (the latter using OTP hashed transactions).
Actually, there is always the possibility of out-of-band authentication. Here is a scenario I've encountered before:

1) You get to the login screen
2) The login screen will give you a code
3) You get the phone, dial a number, and enter the code provided, along with some other information
4) The system authenticates you out of band
5) You simply click "continue" on the login screen

There are other possible scenarios, of course, but this is just one I've seen once.

[]s

--
Rodrigo Barbosa <[EMAIL PROTECTED]>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
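The five-step flow above, modelled on the server side as an added Python example (not code from the original post): the login screen issues a code bound to one web session, the phone channel confirms it against the account name the caller supplies, and "continue" succeeds only once and only after that confirmation, so a code that is captured or re-entered cannot be replayed or used to unlock a different session. The class and method names, the six-digit code format and the 120-second lifetime are assumptions for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 120  # seconds a displayed code stays valid (assumed value)

@dataclass
class PendingLogin:
    account: str
    code: str
    issued: float
    confirmed: bool = False
    completed: bool = False

class OutOfBandLogin:
    def __init__(self, clock=time.time):
        self.clock = clock    # injectable so expiry can be tested
        self.pending = {}     # web session id -> PendingLogin

    def start_login(self, account):
        # Steps 1-2: bind a fresh, unpredictable code to this web session
        sid = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[sid] = PendingLogin(account, code, self.clock())
        return sid, code

    def phone_confirm(self, account, code_entered):
        # Steps 3-4: phone system gets code plus account name; a correct,
        # unexpired code confirms exactly one not-yet-confirmed web session
        now = self.clock()
        for p in self.pending.values():
            if p.account != account or p.confirmed or p.completed:
                continue
            if now - p.issued > CODE_TTL:
                continue
            if hmac.compare_digest(p.code, code_entered):
                p.confirmed = True
                return True
        return False

    def continue_login(self, sid):
        # Step 5: "continue" succeeds once, only for a confirmed, unexpired
        # session; knowing the code alone never completes a login
        p = self.pending.get(sid)
        if p is None or not p.confirmed or p.completed:
            return False
        if self.clock() - p.issued > CODE_TTL:
            return False
        p.completed = True
        return True
```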