Revision as of 00:06, 29 May 2016 edit 174.119.121.9 (talk) →Mobile phone two-factor authentication Tags: Mobile edit Mobile web edit ← Previous edit		Revision as of 14:49, 31 May 2016 edit undo Fish and karate (talk \| contribs) Autopatrolled, Administrators 36,496 edits m Undid revision 722565576 by 174.119.121.9 (talk) - edit inserted bag drammar Next edit →
Line 20: The major drawback of authentication performed using something that the user possesses and one other factor is that the plastic token used (the USB stick, the bank card, the key or similar) must be carried around by the user at all times. And if this is stolen or lost, or if the user simply does not have it with him or her, access is impossible. There are also costs involved in procuring and subsequently replacing tokens of this kind. In addition, there are inherent conflicts and unavoidable [http://eprint.iacr.org/2014/135.pdf trade-offs] between usability and security. Mobile phone two-factor authentication was developed to provide an alternative method that would avoid such issues. This approach uses mobile devices such as mobile phones and smartphones to serve as "something that the user possesses". If users ~~wants~~want to authenticate themselves, they can use their personal access license (i.e. something that only the individual user knows) plus a one-time-valid, dynamic passcode consisting of digits. The code can be sent to their mobile device by [[SMS]] or via a special app. The advantage of this method is that there is no need for an additional, dedicated token, as users tend to carry their mobile devices around at all times anyway. Some professional two-factor authentication solutions also ensure that there is always a valid passcode available for users. If the user has already used a sequence of digits (passcode), this is automatically deleted and the system sends a new code to the mobile device. And if the new code is not entered within a specified time limit, the system automatically replaces it. This ensures that no old, already used codes are left on mobile devices. For added security, it is possible to specify how many incorrect entries are permitted before the system blocks access.{{Citation needed \|date=May 2016}} Security of the mobile-delivered security tokens fully depends on the mobile operator's operational security and can be easily breached by wiretapping or [[SIM cloning\|SIM-cloning]] by national security agencies.<ref>{{Cite web\|url=https://www.bellingcat.com/news/2016/04/30/russia-telegram-hack/\|title=How Russia Works on Intercepting Messaging Apps - bellingcat\|date=2016-04-30\|website=bellingcat\|language=en-US\|access-date=2016-04-30}}</ref>

Two-factor authentication: Difference between revisions