1993-11-18 - Re: hohocon

Header Data

From: Jef Poskanzer <jef@ee.lbl.gov>
To: cypherpunks@toad.com
Message Hash: 4295d47bc328cef32026c33e2239b96bc1d948bc910ab4ad871273e270e85777
Message ID: <9311182033.AA25177@ace.ee.lbl.gov>
Reply To: N/A
UTC Datetime: 1993-11-18 20:34:32 UTC
Raw Date: Thu, 18 Nov 93 12:34:32 PST

Raw message

From: Jef Poskanzer <jef@ee.lbl.gov>
Date: Thu, 18 Nov 93 12:34:32 PST
To: cypherpunks@toad.com
Subject: Re: hohocon
Message-ID: <9311182033.AA25177@ace.ee.lbl.gov>
MIME-Version: 1.0
Content-Type: text/plain


At Hackers 8.0 a hallway discussion (including Eric Hughes) came up
with an amusing variation on these sniff-resistant authentication schemes:
use a pager.  It goes like this.  You telnet from an insecure site to your
home system, and type your userid.  Instead of prompting you for a
password, your system looks up your pager number, dials out to the pager
service, and pages you with a random but syntactically valid phone
number.  Then it prompts you.  You receive the page and type that
number as your password.

Authentication is based on physical possession of the pager, and knowing
what userid/machine it corresponds to.  A possible attack would be
to monitor the pager frequencies and try to snag the number out of
the air.  Possible defense against this would be to require a special
password before the page is generated - an attacker would have to monitor
both the network and the radio.

Not military grade security, but lots of folks have pagers and could
hack together something like this in a day or so.
---
Jef
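
The login flow described in the message above, including the pre-password defense, as an added example (not code from the original post). The NXX-NXX-XXXX number format, the 120-second lifetime, the rule that any attempt consumes the paged number, and the `send_page` callable standing in for the pager dial-out are assumptions.

```python
import hashlib, hmac, secrets, time

PAGE_TTL = 120  # seconds a paged number stays valid (assumed policy)

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def random_phone_number():
    """Random but syntactically valid number; NXX-NXX-XXXX format is assumed."""
    n = lambda: str(2 + secrets.randbelow(8))   # leading digit 2-9
    x = lambda: str(secrets.randbelow(10))      # any digit
    return f"{n()}{x()}{x()}-{n()}{x()}{x()}-{x()}{x()}{x()}{x()}"

class PagerAuth:
    """users maps userid -> {"pager", "salt", "pw_hash"}; send_page(pager, text)
    stands in for dialing the paging service (hypothetical callable)."""

    def __init__(self, users, send_page, clock=time.monotonic):
        self.users, self.send_page, self.clock = users, send_page, clock
        self.pending = {}  # userid -> (paged number, expiry time)

    def start(self, userid, pre_password):
        """Check the pre-password; only then generate and send a page."""
        user = self.users.get(userid)
        salt = user["salt"] if user else b"\0" * 16   # hash anyway for unknown users
        got = hash_pw(pre_password, salt)
        if user is None or not hmac.compare_digest(got, user["pw_hash"]):
            return False                               # no page, no radio traffic
        number = random_phone_number()
        self.pending[userid] = (number, self.clock() + PAGE_TTL)
        self.send_page(user["pager"], number)
        return True

    def finish(self, userid, typed):
        """Accept the paged number once; any attempt consumes it."""
        number, expiry = self.pending.pop(userid, (None, 0.0))
        if number is None or self.clock() > expiry:
            return False
        return hmac.compare_digest(typed.encode(), number.encode())

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    users = {"alice": {"pager": "555-0100", "salt": salt,       # constructed sample data
                       "pw_hash": hash_pw("pre-secret", salt)}}
    pages = []
    auth = PagerAuth(users, lambda pager, text: pages.append((pager, text)))
    print(auth.start("alice", "pre-secret"), auth.finish("alice", pages[-1][1]))
```

Because the number is consumed on the first attempt and expires, a number sniffed off the radio after the legitimate login, or guessed once and missed, is useless without a fresh page, and a fresh page requires the pre-password.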