On 01/02/11 20:02, Marsh Ray wrote:
> Whether or not client certs count as a second factor is somewhat
> philosophical. In some sense, the private key stored in the browser
> functions as another "something you know" like a password. If the PC is
> pwned, they can get the private key too.

If your computer is pwned, you have lost. So I'm not worried about the disadvantages of client certs from that perspective. I'm more worried about their possible usability issues.

> Those accounts would probably have to access a particular URL and be
> banned from the main one. May or may not be an issue.

It is. Telling some people to use a different Bugzilla URL is not an option. It breaks the handing-round of links.

> Oooh oooh I do!
> I work at PhoneFactor (phonefactor.com). We use any ordinary phone as
> the second factor and can integrate with nearly anything. Most people
> already have cell phones, which can save a lot of deployment pain.

We have contributors in almost every country in the world (although perhaps not every country will need this because we don't have security hackers everywhere). How do you deal with the international calls issue?

> We also have a PhoneFactor Agent that runs on MS Windows, but of course
> not everyone has that as part of their backend systems.

This is a necessary back end piece?

> Sorry if this sounds all sales-y. I'm really just a developer and
> hacker. But I do love to discuss this subject.

I'm happy to hear about possible solutions :-)

Gerv

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto