soliyellow.blogg.se

Squirrelmail authenticated user

Two-factor authentication is a system in which two different factors are used in combination to authenticate a user. Two factors, as opposed to one factor, will deliver a higher level of authentication assurance.

  • Something the user knows (password or PIN).
  • Something the user possesses (smartcard, PKI certificates, RSA SecurID).
  • Something the user is or does (fingerprint, DNA sequence).

Passwords are used every day for a multitude of purposes. The third option is usually some sort of biometric – not a good choice for the web environment. "Something the user possesses" is the best second factor for authentication. Almost all web-based, two-factor authentication solutions available today involve some form of hardware token, such as the RSA SecurID. Distributing these tokens to users is neither cost effective nor scalable in price. A company might be able to afford tokens for 1,000 users, but one good blog post and they could find themselves with 30,000 new users overnight. Requiring users to obtain a hardware token on their own is too much work for the vast majority of users. In addition, tokens have to be synced with special server software, which can often require a proprietary license.

A less expensive and more scalable alternative for two-factor authentication on the web is a one-time password (OTP) system.

The November 2008 issue of Linux Magazine offered an introduction to OTPs that focused primarily on workstation authentication; however, tasks like checking a bank account from an untrusted network scream for some form of two-factor authentication, and an OTP system is often a practical solution. In this article, I describe how to add the security of OTPs to your website.

RFC 2289 defines an OTP system derived from Bellcore S/KEY technology (RFC 1760). If implemented correctly, it provides a cost-effective, two-factor authentication solution for websites. Imagine that a help desk technician with administrative privileges for a website hits an administrative page that generates a wallet-sized list of 30 OTP number/key pairs. The list is then hand delivered to the user. This password list now becomes something the user possesses – the second factor – and because it was never transmitted electronically, it provides an added level of security. If the site doesn't mind electronic transmission within its trusted domains, the admin might fax or even email the list to the user. From a cafe in Amsterdam, for example, the user can now enter a conventional username and password. If this initial authentication is successful, the server poses a challenge that requires a response with the correct corresponding OTP. After this login, the OTP is immediately invalidated for future use, which means it will never be used for a replay attack. For the next login, the user will enter the next OTP on the password list.

By forcing the user to authenticate through a pair of dissimilar mechanisms, two-factor authentication provides a much more secure alternative for web login.

This basic scenario leads to endless variations. For instance, a user could associate a cell phone number with the account; then, when logging in, the system could send the OTP in a text message. Or, a user could generate OTP passwords from a program running on a PDA.
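The list-based login flow the article describes (the server challenges with a number, the user answers with the matching OTP, and the OTP is invalidated after use), as an added Python example that is not the article's own code. It uses an S/KEY-style hash chain with SHA-256 truncated to 64 bits as a simplifying assumption, so it is not bit-compatible with RFC 2289; `step`, `make_list`, `OtpAccount` and the sample secret and seed are hypothetical names and constructed values.

```python
import hashlib
import hmac

LIST_SIZE = 30  # the article's wallet-sized list holds 30 number/key pairs


def step(value: bytes) -> bytes:
    """One chain link: hash, then keep 64 bits (the OTP size RFC 2289 uses)."""
    return hashlib.sha256(value).digest()[:8]


class OtpAccount:
    """Server-side state: only the hash of the next expected OTP is stored."""

    def __init__(self, stored: bytes, next_number: int):
        self.stored = stored
        self.next_number = next_number

    def challenge(self):
        """Number of the list entry the user must answer with, or None if used up."""
        return self.next_number if self.next_number > 0 else None

    def verify(self, otp_hex: str) -> bool:
        if self.challenge() is None:
            return False
        try:
            otp = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(step(otp), self.stored):
            return False
        # Accepting the OTP replaces the stored value, so a replay can never match.
        self.stored = otp
        self.next_number -= 1
        return True


def make_list(secret: bytes, seed: str, size: int = LIST_SIZE):
    """Return (printed list {number: otp_hex}, server account) for one user."""
    value = seed.lower().encode() + secret
    printed = {}
    for number in range(1, size + 1):
        value = step(value)
        printed[number] = value.hex()
    return printed, OtpAccount(step(value), size)


if __name__ == "__main__":
    card, account = make_list(b"constructed-demo-secret", "demo1")  # constructed values
    n = account.challenge()
    print(n, account.verify(card[n]), account.verify(card[n]))
```

Because the server keeps only the hash of the next expected entry, neither a captured OTP nor a leaked server record yields the OTP for the following login.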








