Twitter's Two-Factor Authentication System
Source: Schneier on Security - Posted by Dave Wreski   
Cryptography Twitter just rolled out a pretty nice two-factor authentication system using your smart phone as the second factor: The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter’s server. When Twitter receives a new login request with a username and password, the server sends a challenge based on a 190-bit, 32 character random nonce, to the mobile app -- along with a notification that gives the user the time, location, and browser information associated with the login request. The user can then opt to approve or deny this login request. If approved, the app replies to a challenge with its private key, relays that information back to the server. The server compares that challenge with a request ID, and if it authenticates, the user is automatically logged in.

Read this full article at Schneier on Security

Only registered users can write comments.
Please login or register.

Powered by AkoComment!