views:

54

answers:

3

I have a webapp that requires security beyond that of a normal web application. When any user visits the domain name, they are presented with two text fields, a username field, and a password field. If they enter a valid user/pass, they get access to the web application. Standard stuff.

However, I'm looking for additional security beyond this standard setup. Ideally it would be a software solution, but I'm also open for hardware solution as well (hardware=key fobs), or even procedural changes (one time use passwords on a password pad for example).

The webapp is unique in that we know all our users ahead of time, and we create their username and password and give it to them. In this sense, we can be assured that the username and password are "strong".

However, our clients have requested additional security beyond this. Anyone have any ideas on how to add another layer of complexity to the security?

+8  A: 

Our company used PhoneFactor and we absolutely love it.

We've also used Safeword Tokens in the past.

However, it's notthe only game in the book. I'd start by googling "Two factor authentication"

The OWASP guide to authentication is another good place to start. Actually, OWASP is the first place I'd look for ANY web security question.

David Stratton
+1. Interesting: haven't seen that one
Mitch Wheat
Davy8
+1  A: 

Another option for additional security is to use a piece of physical 'evidence' such as a Smart Card: Protect Your Data Via Managed Code And The Windows Vista Smart Card APIs

Mitch Wheat
A: 

There are lots of different areas that web apps can have their security improved on. Before getting started you need to determine what, exactly, your problem areas might be and what you want to focus on.

You might start this process by having a third party do Penetration Testing (PEN Testing) on your application. This should give a quick hit list of things you can take care of and, when you have a passing grade, is something to use in your sales literature.

Next you'll want to talk to your customers to understand what they mean by "more secure". Is it simply two factor authentication like David and Mitch mentioned or are they more concerned about things such as data in motion (ARP Poisoning, SSL, and the like), data at rest (everything from hard drive encryption to database encryption), authorization, impersonation (cross site and replay), personnel (ongoing background checks on who has access to the machines), etc..

The concept of security covers a lot of ground.

Chris Lively