
| Subject: | Re: one-time password (OTP) authentication |
|---|---|
| Date: | Mon, 20 Jun 2005 09:41:11 -0400 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One of the suggestions that has been talked about for using a public, unsecured terminal may also be feasible in certain circumstances.

1) User sends authentication request
2) Server text messages the user's phone with a one-time-use code
3) User finalizes the authentication by entering the one-time-use code

The user's password could always be the same and you could avoid complicated algorithms that require reliance on a one-way hash that may or may not be broken in the near future (SHA-1 anyone?). The drawback is that the user must have a cell phone with text messaging and the user must wait a few minutes before authenticating. For off-site corporate access this is a good idea. For portal services such as provided by Yahoo! this is a bad idea because it drives users away.

- -Joseph Miller

On Sunday 19 June 2005 12:15 am, james wrote:
> Two-factor authentication (authenticating a user with something they know AND something they possess) is becoming more and more popular due to increasing security requirements and the prevalence of spyware software. However, in open source projects, solutions such as RSA SecurID, smartcards, etc. are not always feasible because of funding, licensing, or other constraints. Here is a complete, standards-based, open source, no-hardware solution.
>
> Here is a PHP implementation for generating, challenging, and authenticating one-time passwords according to RFC 2289. (go to http://www.dcphp.com/Developers/files/otp_pub.zip to download)
>
> Below are two scenarios for OTP use.
>
> Scenario A: Users across an organization need access to corporate resources at home, on the road, in airplanes, etc. Users are many (>1000) and geographically distributed. A user applies for access and is approved. The administrator prints off a list of one-time passwords and delivers a hard copy via physical medium (fax, phone, snail mail, person-to-person handoff).
>
> Scenario B: Users self-register for a commercial (or other) website. Once successfully registered, the user is given the option to generate a list of one-time passwords and use them for authentication in addition to their username/password (of course, the user can ignore OTP from certain trusted computers, such as the one they registered from, if they trust it). The user can generate new OTPs at any time once authenticated.
>
> When the user logs in, they use their username, password, and a one-time password (which one depends on which one they are prompted for by the server). The OTP expires immediately upon authentication. Now, if a hacker intercepts all three tokens, they are still unable to perform a replay attack because the third token is already invalidated. There is a race condition if they are watching in real time, but this can be accounted for via transaction locking in the session handling code.
>
> -- the brown cow --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCtsd5mXZROF+EADURAoNVAJ0fAxAAykoEeHYxBhrvJsU73Osi3QCfS06t
38le3qLyAr38wl27nqtV2yU=
=kxtp
-----END PGP SIGNATURE-----
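The chained one-time password scheme of RFC 2289 that the quoted post's PHP package implements, together with the "transaction locking" it mentions for the race between an eavesdropper and the real user, as an added Python example written for this page (it is not code from the thread or from otp_pub.zip). Only the otp-md5 variant is implemented; the seed, pass phrase and sequence numbers are constructed inputs, and `OtpServer`, `respond` and `concurrent_attempts` are names chosen here, not RFC or package API.

```python
# Added example (not from the original thread or otp_pub.zip): server side of
# RFC 2289 "otp-md5" with the one-time-use check done under a lock, so the
# same response cannot authenticate twice even when submitted concurrently.
import hashlib
import threading


def fold_md5(data: bytes) -> bytes:
    """One otp-md5 step: MD5, then fold the 16-byte digest to 8 bytes by
    XORing the two halves (RFC 2289, Appendix A)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count`. The seed is case-insensitive and is
    prepended to the pass phrase for the initial step; the fold is then
    applied `count` more times, so otp(n) = fold(otp(n-1))."""
    if count < 0:
        raise ValueError("count must be non-negative")
    step = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        step = fold_md5(step)
    return step


def to_hex(otp: bytes) -> str:
    """RFC 2289 hexadecimal output format: four groups of four hex digits."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def from_hex(text: str) -> bytes:
    """Parse the hex format; whitespace between the groups is ignored."""
    return bytes.fromhex("".join(text.split()))


class OtpServer:
    """Per-user server state: seed, sequence number of the last accepted OTP,
    and that OTP. The pass phrase itself is never stored on the server."""

    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed = seed
        self.seq = sequence
        self.last = last_otp
        self._lock = threading.Lock()

    @classmethod
    def enroll(cls, passphrase: str, seed: str, sequence: int) -> "OtpServer":
        # Initialisation: the server learns OTP number `sequence` once;
        # later logins walk the hash chain downwards from there.
        return cls(seed, sequence, otp_md5(passphrase, seed, sequence))

    def challenge(self) -> str:
        """Challenge in the RFC 2289 section 7 form: otp-md5 <seq> <seed> ext."""
        return f"otp-md5 {self.seq - 1} {self.seed} ext"

    def verify(self, response: str) -> bool:
        """Accept only if hashing the response once gives the stored OTP, then
        consume it. Check and state update share one lock, so a replayed or
        concurrently submitted copy of the same OTP is rejected."""
        try:
            candidate = from_hex(response)
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        with self._lock:
            if self.seq < 1:
                return False  # chain exhausted: user must re-enroll
            if fold_md5(candidate) != self.last:
                return False
            self.last = candidate
            self.seq -= 1
            return True


def respond(passphrase: str, challenge: str) -> str:
    """Client side: parse the challenge and compute the requested OTP."""
    algo, count, seed = challenge.split()[:3]
    if algo != "otp-md5":
        raise ValueError("unsupported algorithm " + algo)
    return to_hex(otp_md5(passphrase, seed, int(count)))


def concurrent_attempts(server: OtpServer, response: str, n: int) -> int:
    """Submit the same response from n threads at once and return how many
    were accepted; the lock in verify() makes that exactly one."""
    results = []

    def attempt():
        results.append(server.verify(response))

    threads = [threading.Thread(target=attempt) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    # Constructed inputs; these are the pass phrase and seed of the RFC 2289
    # test vectors, so the printed OTPs can be compared with its Appendix C.
    server = OtpServer.enroll("This is a test.", "TeSt", 3)
    for _ in range(3):
        chal = server.challenge()
        resp = respond("This is a test.", chal)
        ok = server.verify(resp)
        print(chal, "->", resp, "accepted" if ok else "rejected")
    print("replay accepted:", server.verify(resp))
```

The server keeps only the seed, the sequence number and the last accepted OTP, which is why the same verifier serves both of the quoted scenarios: whether the list was printed by an administrator or generated by the user, the pass phrase stays off the server and each accepted response becomes the new comparison value. The RFC's six-word output format (a 2048-word dictionary) is left out here, so responses travel in the hex form.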