OK, so I need 2 of the 3.

Something the user knows.
Something the user has.
Something the user is.

I have a system that is exposed to the internet and we need clients to connect in a secure manner to satisfy our security standards.

I'm thinking when a user registers to use our system we send them an application that they install on their home system. The application generates a key based on a timed randomness algorithm. Our application server has the same algorithm so when the user submits their credentials with the key we know that they are a legitimate user.

Is this a valid method of 2 factor authentication?

What is another way of doing this?

Are there any pitfalls that I should be aware of?

Thanks for your help!

+2  A: 

Yes, this is a valid method of performing two-factor authentication. The token security (the program on the computer) is of course only as safe as the computer is. If it's running Windows, all bets are off.

You can also go to RSA or other vendors and license their SecurID (or other brand) tokens, as well as the necessary middleware. It's a validated solution, and at the very least there is someone else to blame.

For time based systems, there is usually an allowed "window" where the token is valid (more than the roll-over point) to allow for time skew. You can also check with an NTP server (using SNTP, simple to implement) to get accurate time information.

As with all security systems, there are numerous pitfalls. They are very hard to get right. Be warned. Buy insurance ;)

Yann Ramin
Thanks for the info!
Biff MaGriff
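The shared-algorithm scheme from the question, together with the skew "window" described in the answer above, as an added example (not code from any poster): a time-based one-time code generator in Python using the RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second counter), which is the standard form of the "timed randomness" idea. The secret, step size and digit count are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret for the example; a real deployment generates a
# random per-user secret at registration and stores it only server-side.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based one-time code, RFC 6238 construction (HMAC-SHA1).

    Client program and server both run this function over the same
    secret and the current clock, so no network round-trip is needed
    to produce or check a code.
    """
    counter = unix_time // step                    # 30-second time step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step or any step within +/- window.

    The window absorbs clock skew between the user's PC and the server.
    Keep it small: every extra step is another valid code an attacker
    could guess, and pair it with rate limiting on failed attempts.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(candidate, submitted):  # constant-time compare
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code:", code, "accepted:", verify(DEMO_SECRET, code, now))
```

With the demo secret above, the codes match the RFC 6238 test vectors truncated to six digits, so the generator can be checked against any standard authenticator.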
+1  A: 

Or you could just use an open source solution like ours: http://www.wikidsystems.com/community-version

nowen
+1  A: 

Why not assign them a certificate in addition to a login / password.

Zachary
+1  A: 

hi biff,

You are looking at software tokens. They will be rightly priced for your need. Or you can look at clientless tokens, like Voice Call OTP, SMS OTP, etc.

You can look at the EZMCOM site and go through a few options. We have software tokens for your iPhone, BB, Java phone, or a PC-based application for your laptop users.

If you wish to learn more, then contact me. I will be glad to assist you in every possible way.

vikram
+2  A: 

Can you use X.509 client certificates? They're free.

Longpoke
The maintenance around this infrastructure can be quite painful which... in the end, is not really free. I get your point, although having done it, I would not recommend it as a cheap solution.
JoeGeeky
A: 

Why not use a phone verification solution to take the authentication off the internet? This provides more reliable authentication. I heard a company Telesign does stuff with that, like blocking VOIP numbers. You should check them out and it's pretty inexpensive.

Sean Whitley
+1  A: 

The "problem" with the app on the computer, is that it's not something that someone has. It's something "anyone" can have. That app can (potentially) be installed, and reinstalled, and copied, all over the place. Pretty soon the home computer "has" it, the office computer "has" it, the laptop -- the one they just lost, that is -- has it, etc.

So, it's not a singular thing. Same goes with an issued certificate.

Not saying it's totally ineffective, but just that it's not unique, and that can be a potential issue.

A popular "cheap" technique is an SMS message to a cell phone. The person logs in, then the computer sends out an SMS code with, say, 6 digits, to the registered phone number, and then that number needs to be typed in. Obviously, there are issues with this. Not everyone has a cell phone, many are charged for SMS messages, etc. But it can work well in some environments.

Similarly, Voice Response systems can call a user on their phone and "read" the code to them. This can incur phone charges for the company of course.

Will Hartung
A: 

There is always the option of replacing the expensive key fob with paper containing a list of single-use passcodes. You would still need to roll your own backend to match the passcode generation algorithm (don't forget to provide an easy way for the user to resynchronize when he forgot to cross the last one off, or crossed off one too many), as well as the administrative task of getting the user to collect more paper before a user is stranded in the field without any passcodes left to use.

One example of this is Steve Gibson's Perfect Paper Password system. He's made the specs and algorithms open, and provides a closed-source implementation of his own. Others have built open source implementations. His system may in fact not be perfect, but it is an interesting idea for one way to approach the problem.

Regardless of what system you choose to implement, it will still be worth spending a little money on a review by a security expert...

RBerteig