One Time Passwords for Web Apps

I recently did some traveling through Europe, and as I did I encountered my fair share of Internet cafes and sketchy net connections. In the Internet cafes I worried about keyloggers, screen capture utilities and rootkits. On the sketchy net connections in hotels I was primarily concerned about sniffers on the wire. In all, I got to thinking about one-time passwords for web applications, and why they seemingly don't exist. One of the things I started thinking was, many people have a cell phone. Why not replace your SecurID card with a cell phone? When you go to log on to a site from an untrusted location, have an option where users can check a box and enter a PIN instead of their password. Once it is successfully entered, the user receives a text message with a one-time password they can use for a short duration of time. The user then uses their PIN, along with the one-time password, to gain access to the site. This would be easy and inexpensive to implement as a web service that you could offer to third parties, so why has no one tackled this problem? If you know, let me know.
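A server-side sketch of the PIN-then-SMS flow described above, as an added example that is not code from the original post. The `OtpLogin` class, the `send_sms` gateway hook, the 6-digit code, the 5-minute lifetime, the 3-try limit and the in-memory storage are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300    # seconds a code stays valid (assumed "short duration")
MAX_TRIES = 3    # guesses allowed per issued code (assumed)

class OtpLogin:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical gateway hook: send_sms(phone, text)
        self._clock = clock
        self._users = {}            # user -> (salt, pin_hash, phone)
        self._pending = {}          # user -> [otp_digest, expires_at, tries_left]

    def _pin_hash(self, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user, pin, phone):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._pin_hash(pin, salt), phone)

    def _pin_ok(self, user, pin):
        rec = self._users.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec[1], self._pin_hash(pin, rec[0]))

    def request_otp(self, user, pin):
        """Step 1: a correct PIN sends a fresh code to the enrolled phone."""
        if not self._pin_ok(user, pin):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [hashlib.sha256(otp.encode()).digest(), self._clock() + OTP_TTL, MAX_TRIES]
        self._send_sms(self._users[user][2], f"Your one-time password: {otp}")
        return True

    def login(self, user, pin, otp):
        """Step 2: PIN plus code; the code is single use, expires, and has limited tries."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        entry[2] -= 1               # every attempt counts, right or wrong
        expired = self._clock() > entry[1]
        ok = (self._pin_ok(user, pin) and not expired and hmac.compare_digest(
            entry[0], hashlib.sha256(otp.encode()).digest()))
        if ok or expired or entry[2] <= 0:
            del self._pending[user]  # burn on success, expiry or exhaustion
        return ok
```

A keylogger that captures the PIN and code gets nothing reusable, because the code is deleted on first successful use and a new one goes only to the enrolled phone.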


Back from Defcon

I spent this past weekend at Defcon 15. This is my 8th year going to Defcon and the conference keeps getting better. I got to meet up with some people I haven't seen in a few years, so that was excellent. This year I mostly went to non-technical tracks; I went to what I would consider 'geek' tracks. My favorites were: I got some great info from the "Hardware Hacking for Software Geeks" talk. I'm planning on building a microcontroller-driven camera that acquires location via GPS and submits photos via Bluetooth. This probably already exists, but it should be fun to build. Wikimapia is also a really cool site. Highlights of the weekend included the first Defcon wedding and an undercover reporter being outed.