Bugtraq mailing list archives

Re: otp - the next generation


From: Gregory Steuck <greg () NEST CX>
Date: Thu, 22 Mar 2001 15:46:44 -0800

"Lukasz" == Lukasz Luzar <lluzar () DEVELOPERS OF PL> writes:

    Lukasz> The system is the most reliable way of
    Lukasz> secure authorization. It eliminates all disadvantages of a
    Lukasz> typical login/password and any other otp implementations.

These claims are questionable.

    Lukasz> When you want to log into the server from an untrusted
    Lukasz> network, then you send an SMS message with your real login
    Lukasz> and password (e.g. "john 12blah45") in the body of the message
    Lukasz> to the GSM phone connected to the server.  When the server
    Lukasz> receives a message, the smsotpd daemon processes the request in
    Lukasz> the following steps: 1. Checks if the user is permitted to
    Lukasz> authorize from the phone number (checks /etc/smsotp.access
    Lukasz> file),

This is the part the whole authentication mechanism depends on. You made
at least 2 assumptions here:

1) GSM phone network is secure between the endpoints (phones) and can
   not be sniffed.

2) SMS source address can not be forged.

I am pretty sure that both assumptions are wrong. The phone company (or
companies, I don't know how the messages are routed) will most certainly
be able to sniff your messages and forge the source address.

So, what you are proposing boils down to replacing an open network (the
Internet) with some closed phone company network. I don't trust my phone
company any more than my ISP. Do you?

Thanks
Greg

