At Hackers 8.0 a hallway discussion (including Eric Hughes) came up with an amusing variation on these sniff-resistant authentication schemes: use a pager. It goes like this. You telnet from an insecure site to your home system, and type your userid. Instead of prompting you for a password, your system looks up your pager number, dials out to the pager service, and pages you with a random but syntactically valid phone number. Then it prompts you. You receive the page and type that number as your password. Authentication is based on physical possession of the pager, and knowing what userid/machine it corresponds to. A possible attack would be to monitor the pager frequencies and try to snag the number out of the air. Possible defense against this would be to require a special password before the page is generated - an attacker would have to monitor both the network and the radio. Not military grade security, but lots of folks have pagers and could hack together something like this in a day or so. --- Jef
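The server side of the scheme described in the post, as an added example (not code from the post or its author): the pre-password gate, the random-but-valid phone number as a one-time challenge, and single-use plus expiry handling are sketched here; the NANP number format, the 90-second lifetime, the pre-password itself and the callback standing in for the pager-service dial-out are all assumptions.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 90  # seconds the paged number stays valid (assumed)


def random_phone_number() -> str:
    """Random but syntactically valid NANP-style number, NXX-NXX-XXXX (N = 2-9)."""
    def nxx() -> str:
        return secrets.choice("23456789") + f"{secrets.randbelow(100):02d}"
    return f"{nxx()}-{nxx()}-{secrets.randbelow(10000):04d}"


def looks_like_nanp(s: str) -> bool:
    """Shape check a pager display would accept: three groups, leading digits 2-9."""
    parts = s.split("-")
    return (len(parts) == 3 and [len(p) for p in parts] == [3, 3, 4]
            and all(p.isdigit() for p in parts)
            and parts[0][0] in "23456789" and parts[1][0] in "23456789")


class PagerAuth:
    # users: userid -> (pager number, pre-password); values are constructed samples
    def __init__(self, users, page_out, clock=time.time):
        self.users = users
        self.page_out = page_out   # stands in for dialing the pager service
        self.clock = clock
        self.pending = {}          # userid -> (challenge, expiry time)

    def begin_login(self, userid: str, pre_password: str) -> bool:
        if userid not in self.users:
            return False
        pager, expected = self.users[userid]
        # The post's defense: no page goes out unless the pre-password is right,
        # so a radio-only eavesdropper never sees a challenge to snag.
        if not hmac.compare_digest(pre_password.encode(), expected.encode()):
            return False
        challenge = random_phone_number()
        self.pending[userid] = (challenge, self.clock() + CHALLENGE_TTL)
        self.page_out(pager, challenge)
        return True

    def finish_login(self, userid: str, typed: str) -> bool:
        entry = self.pending.pop(userid, None)   # single use: any attempt consumes it
        if entry is None:
            return False
        challenge, expiry = entry
        if self.clock() > expiry:                # a sniffed number replayed later fails
            return False
        return hmac.compare_digest(typed.encode(), challenge.encode())
```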
participants (1)
-
Jef Poskanzer