I have an existing Java web application running through IBM WebSphere (I'm unsure of the version, but could find out if it helps) that I am looking to implement two factor authentication with.

The system has a decent user base, and I wanted to distribute hardware tokens to the admin users of the system to ensure strong authentication.

Minimal impact to the end user is desirable, but I'd like to avoid having the admins need to go through a VPN connection.

Does anyone know of any products that provide Java APIs that could be directly integrated into the existing application or other products that will provide a minimal impact? I've already spoken with RSA SecurID, but their system wouldn't integrate directly and would require an infrastructure change. Any other ideas/experience is greatly appreciated.

A: 

If you want two-factor authentication via a TLS client-certificate, there are a few hardware cryptographic tokens out there. Java can load a PKCS#11 store out of the box, although some configuration may be required. How much of it is admin configuration vs. application configuration depends on the application (and sometimes on how 'locked' the terminal is w.r.t. inserting a USB token or having a card reader).

There may be alternative solutions, such as One-Time Password tokens (which don't rely on certificates, but on unique passwords instead). This seems less heavy for the users. I must admit I've never tried it, but this project might be interesting: http://directory.apache.org/triplesec/ (There are also hardware OTP keyrings, usually by the same vendors who do RSA cards/USB tokens).

Bruno
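
The One-Time Password option mentioned in the answer above, as an added example (not part of the original answer and not code from any product named on this page): a server-side verifier in plain Java, assuming the hardware token implements counter-based HOTP as specified in RFC 4226. The class name, the 6-digit length and the look-ahead window are assumptions; the secret is the RFC's published test key.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Locale;

// Hypothetical helper: checks a counter-based OTP (HOTP, RFC 4226) on the server.
public class HotpVerifier {
    private static final int DIGITS = 6;          // assumed code length
    private static final int MODULUS = 1_000_000; // 10^DIGITS
    private static final int LOOK_AHEAD = 5;      // assumed resync window

    // HOTP value for one counter: HMAC-SHA1, then dynamic truncation (RFC 4226, 5.3).
    static String hotp(byte[] secret, long counter) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f;
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return String.format(Locale.ROOT, "%0" + DIGITS + "d", bin % MODULUS);
    }

    // Returns the next counter to store on success, or -1 on failure.
    // Moving the stored counter past the matched value is what blocks replay.
    static long verify(byte[] secret, long storedCounter, String submitted)
            throws GeneralSecurityException {
        if (submitted == null || !submitted.matches("\\d{" + DIGITS + "}")) return -1;
        byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
        for (long c = storedCounter; c <= storedCounter + LOOK_AHEAD; c++) {
            byte[] expected = hotp(secret, c).getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, given)) return c + 1; // constant-time compare
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // RFC 4226 Appendix D test secret; a real deployment uses a per-token random key.
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        // The token was pressed twice without a login, so it shows the code for counter 2.
        long next = verify(secret, 0, "359152");
        System.out.println("first login, next counter = " + next);
        // The same code submitted again against the advanced counter.
        System.out.println("replay result = " + verify(secret, next, "359152"));
    }
}
```

Persist the returned counter in the same transaction that records the login, and rate-limit failed attempts per account, since each guess is tested against every counter in the window.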
A: 

Hi,

We have the needed solution you are looking for.

Please can you drop me an email at [email protected] or share your email ID.

I will be glad to assist you with the best-suited solution.

Regards, awaiting. vikram

vikram
Any idea why a number of security token companies make it hard to get datasheets or pricing directly available without having to give your name/e-mail or contact them explicitly? (For example, having a look at [this PDF datasheet](http://www.ezmcom.com/ezmcom/products_eztoken.jsp) requires registration.)
Bruno