Security and Cryptography
 
  #1  
April 21st, 2004, 04:08 AM
budda
two-factor security model for a web-site

I've been asked to look into the possibility of implementing a two-factor security model for a web application.

It has been suggested that a USB dongle (or something similar) is used to verify the user before they enter the website.

Does anybody have experiences of such an application and how did they go about achieving it?

I am looking to use PHP for the web application side of it. I see it would be likely that some sort of client side applet would need to run to communicate with a USB dongle? Maybe Java?

I'd appreciate any advice, comments, product suggestions.

Thanks.

  #2  
April 21st, 2004, 01:13 PM
M.Hirsch
If you want to implement your own scheme for authentication, you would have to write a plugin for the browser which all users have to install.

But there is already a pre-made solution: SSL. SSL supports not only server authentication but also client auth.
If you want the users to take their key with them, you can put the client certificate on the USB stick (or a chip card or floppy disk... they are all equally "secure").

There are docs out there on the 'net, but I could not find anything quickly. Look for the SSL howto on http://tldp.org or something.

HTH,
M.
__________________
--
Manuel Hirsch - Linux, FreeBSD, programming, administration articles, tutorials and more.
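
An added example, not part of the post above: one way a PHP application can use SSL client authentication as the second factor once the web server has verified the certificate. It assumes Apache mod_ssl with `SSLVerifyClient` and `SSLOptions +StdEnvVars` enabled; the function name, the enrollment map and the sample values are hypothetical.

```php
<?php
// Added example. Assumes Apache mod_ssl with "SSLVerifyClient require" (or
// "optional") and "SSLOptions +StdEnvVars", so SSL_CLIENT_* reach $_SERVER.

/**
 * Second-factor check, run after the password (first factor) has succeeded.
 * $enrolled maps username => "issuer DN|serial" (hypothetical store).
 */
function clientCertMatchesUser(array $server, string $username, array $enrolled): bool
{
    // mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:reason.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return false;
    }
    $issuer = $server['SSL_CLIENT_I_DN'] ?? '';
    $serial = strtoupper($server['SSL_CLIENT_M_SERIAL'] ?? '');
    if ($issuer === '' || $serial === '' || !isset($enrolled[$username])) {
        return false;
    }
    // Issuer plus serial pins one certificate; a subject name alone can be reissued.
    return hash_equals($enrolled[$username], $issuer . '|' . $serial);
}

// Constructed sample data: one enrolled user and three request environments.
$enrolled = ['alice' => 'CN=Example Internal CA,O=Example|0A1B2C'];
$requests = [
    'enrolled certificate' => [
        'SSL_CLIENT_VERIFY'   => 'SUCCESS',
        'SSL_CLIENT_I_DN'     => 'CN=Example Internal CA,O=Example',
        'SSL_CLIENT_M_SERIAL' => '0a1b2c',
    ],
    'no certificate presented' => ['SSL_CLIENT_VERIFY' => 'NONE'],
    'valid certificate of another user' => [
        'SSL_CLIENT_VERIFY'   => 'SUCCESS',
        'SSL_CLIENT_I_DN'     => 'CN=Example Internal CA,O=Example',
        'SSL_CLIENT_M_SERIAL' => 'FFEE01',
    ],
];
foreach ($requests as $label => $server) {
    $ok = clientCertMatchesUser($server, 'alice', $enrolled);
    printf("%-35s %s\n", $label, $ok ? 'allow' : 'deny');
}
```

Binding the certificate to the account matters because any certificate issued by the trusted CA passes the server's verification, including one belonging to a different user.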

  #3  
April 21st, 2004, 01:26 PM
budda
Installing a custom certificate on each machine a person uses could be messy. Plus is it allowed on machines which may be used in Government or a cybercafe?

I will get somebody to look more into this suggestion.

The problem is the clients are mobile, and would need to log in to the web-application from any possible Internet terminal.

One idea was something like the RSA SecurID. However, their product is very expensive.

A similar system could be achieved using mobile phones and SMS maybe. But then there is the cost of the sending of an SMS from the server.

  #4  
September 28th, 2004, 11:17 AM
infozone443com
2FactorSMS

Try the new 2FactorSMS component from www.zone443.com. This product is designed for Microsoft websites and provides a means of sending one-time passwords to mobile phones via SMS messages. The beta version of 2FactorSMS supports over 400 mobile phone networks in over 150 countries around the world.

As you said, the message cost will come into account, but the initial setup cost is extremely low.

Cheers,
Craig.
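
An added example, not part of the thread and not the code of any product named in it: the server-side logic for the SMS one-time password idea raised in posts #3 and #4, written in PHP. Delivery to an SMS gateway is outside the example; the function names, constants and session layout are hypothetical.

```php
<?php
// Added example: issue and verify a short-lived, single-use SMS code.
const OTP_TTL = 300;      // seconds a code stays valid
const OTP_MAX_TRIES = 3;  // guesses allowed per issued code

function issueOtp(array &$session, string $key, int $now): string
{
    // random_int() is a CSPRNG; rand()/mt_rand() are predictable.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $session['otp'] = [
        'mac'     => hash_hmac('sha256', $code, $key), // never store the code itself
        'expires' => $now + OTP_TTL,
        'tries'   => 0,
    ];
    return $code; // pass to the SMS gateway only; never send it to the browser
}

function verifyOtp(array &$session, string $key, string $submitted, int $now): bool
{
    $otp = $session['otp'] ?? null;
    if ($otp === null) {
        return false; // nothing issued, or already used
    }
    if ($now > $otp['expires'] || $otp['tries'] >= OTP_MAX_TRIES) {
        unset($session['otp']); // expired or guess budget spent: force a new code
        return false;
    }
    $session['otp']['tries']++;
    // Constant-time comparison of MACs avoids leaking how much of a guess matched.
    $ok = hash_equals($otp['mac'], hash_hmac('sha256', $submitted, $key));
    if ($ok) {
        unset($session['otp']); // single use: a replayed code must fail
    }
    return $ok;
}

// Constructed demo: wrong guess, correct code, replay, then an expired code.
$session = [];
$key = random_bytes(32);
$now = time();
$code = issueOtp($session, $key, $now);
var_dump(verifyOtp($session, $key, 'not-the-code', $now));
var_dump(verifyOtp($session, $key, $code, $now));
var_dump(verifyOtp($session, $key, $code, $now));
$late = issueOtp($session, $key, $now);
var_dump(verifyOtp($session, $key, $late, $now + OTP_TTL + 1));
```

A six-digit code is only as strong as the guess limit and expiry around it, which is why both are enforced before the comparison runs.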
