Sure; in these scenarios the third key only serves the role of defending
against loss (which is great, don't get me wrong, I agree).
The problem with mobile-as-second-factor is that any networked device is
probably too vulnerable to really play the role well. Malware just has to
cross from your laptop to your mobile, so yes two devices have to be
compromised, but not independently.



On Tue, Dec 10, 2013 at 1:13 PM, jaume <jaume@???> wrote:

>
> >>If your OS is compromised, then you're already fucked.
> >
> > There's a nuance here, right. In my opinion, however much I hate banks, I
> > think over the last few years they have got this right. 2FA is a solution
> > to the OS compromise issue, BUT it doesn't work if the second factor is
> on
> > the same machine,
>
> 2FA for non-trivial quantities seems nice. I like the idea of using
> two-out-of-three signatures. Does it make sense to keep one private key in
> the laptop, one in the mobile phone and one in a safe? The user creates
> and signs the transaction using the laptop, then this information is
> transmitted using one or more QR-codes to the mobile phone. The mobile
> phone adds a second signature and broadcasts the transaction with the two
> signatures.
>
> Now the attacker has to compromise two devices to get access to the funds
> ...
>
> Cheers!
> Jaume
>
> _______________________________________________
> unSYSTEM mailing list: http://unsystem.net
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/unsystem
>