TLDR: I'm looking for a software based two-factor authentication system.

Summary: I am trying to find a solution equivalent to a SSL client side certificate, except that said certificate would optimally be generated at the first connection of the browser to the server.

Long version: I want to automatically generate a security token using a PKCS#11 style authentication system so that when a user uses a certain login-code to a website, that computer can always connect to the user's page (without requiring a username).

I also cannot require PKCS#12 style certificates which require 5-10 steps to install in a client's browser, especially as that certificate installation may be locked down. The goal of this request is to explore the ability for a browser to provide authentic two-factor authentication in a seamless fashion. At present, it seems only Sun is talking about PKCS#11, and browser support for client side certs is difficult to explain quickly.

As a caveat, talking about a browser-internal PKCS#11 may be incorrect, or may be a function of PKCS#15. I suspect I'm not asking the right question here. Any suggestions would be appreciated.

A: 

You probably mean the KEYGEN tag that generates a key pair via the browser and places the end result in some software store, as you want to generate software certificates on the fly.

Keygen has several problems and shortcomings: you can't enforce a PIN/password policy and thus can't have the two-factor properties, and it is in fact not a real standard and does not work everywhere.

PKCS#15 is totally off topic here as it deals with a filesystem format on the smart card that is hidden way below the browser/https/CryptoAPI layer.

PKCS#11 only matters with Firefox as IE and Safari both use native platform certificate stores and APIs (CryptoAPI and CDSA/Keychain respectively) internally.

martin
Thank you. That's exactly what I remembered. It's annoying that it doesn't provide for real security.
Brian Ballsun-Stanton