views: 380

answers: 5

I have a home network which I access remotely quite a bit. But I'm worried about security. While I do have strong passwords, I'm worried that someone will acquire my password and use it to gain access.

I heard about "one time passwords" and even got to use them at my university. We'd just press a button on a device (or run an application on a phone) and get a generated password that would work for the next minute or so.

  • How can I set something like that up?
  • Are there systems that are easy to use and set up?
  • Has anyone played around with an SDK of one of these systems?
  • Where can I get a starter kit from?

EDIT: I'm running a mixed Linux and Windows network, and I'm vaguely hoping to use this for authenticating on both operating systems. (No, there's no domain controller, but I can set one up using Samba, I suppose.)

A: 

One approach could be as follows:

You'll need to make a program which will generate a password which will only be accepted by your home system for a specific time-frame.

For example, when you run the program the output will be valid for a specific time duration and will be accepted by your home security system, as the system will also generate the same output while matching the hash; the trick is to get the same hash at both places.

I guess this will need more brainstorming!!!!

renegadeMind
+1  A: 

On Linux it's called S/Key: here

Not a button gizmo but you seed it and print off a list of one-time passwords to carry around with you. To make it work with a mixed env you'd need to get it working on your Windows box then get the Linux box to auth from that or (easier) get it working on Linux then link it to Samba so Windows can auth off it.

Google is your friend.

Adam Hawes
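The hash-chain scheme behind S/Key, as an added illustration that is not part of the answer above and not the RFC 2289 implementation (real S/Key uses MD4/MD5/SHA-1 folded to 64 bits and a six-word encoding; this uses SHA-256 and raw digests). The client derives a list of passwords by hashing a seed repeatedly; the server stores only the top of the chain, so a stolen server record or an observed password cannot be turned into the next password. The `SKeyServer` class and `demo()` function are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import List

# Illustrative one-way function; RFC 2289 S/Key uses a folded MD4/MD5/SHA-1 instead.
HASH = hashlib.sha256


def chain_step(value: bytes) -> bytes:
    """One application of the one-way function h()."""
    return HASH(value).digest()


def generate_chain(seed: bytes, count: int) -> List[bytes]:
    """Return [h^1(seed), h^2(seed), ..., h^count(seed)].

    The client keeps (or prints) this list and uses it from the END backwards:
    the server is initialised with h^count and the first password is h^(count-1).
    """
    chain = []
    value = seed
    for _ in range(count):
        value = chain_step(value)
        chain.append(value)
    return chain


class SKeyServer:
    """Server side of the chain: stores only the current top, never the seed."""

    def __init__(self, top: bytes, remaining: int):
        self.top = top            # h^n(seed) for the current n
        self.remaining = remaining  # passwords left before re-initialisation is needed

    def login(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False  # list exhausted: the user must seed a fresh chain
        # Accept iff h(candidate) == stored top; then candidate becomes the new top,
        # so the same password can never be accepted twice (no replay).
        if hmac.compare_digest(chain_step(candidate), self.top):
            self.top = candidate
            self.remaining -= 1
            return True
        return False


def demo() -> dict:
    """Walk through initialisation, two logins, a replay and a bad password."""
    seed = secrets.token_bytes(16)  # constructed at random for the demo
    n = 5
    passwords = generate_chain(seed, n)
    server = SKeyServer(top=passwords[-1], remaining=n - 1)
    return {
        "first_login": server.login(passwords[-2]),
        "replay_rejected": not server.login(passwords[-2]),
        "second_login": server.login(passwords[-3]),
        "wrong_rejected": not server.login(b"not a chain value"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that this simplified server only accepts the very next password in the chain; real S/Key tracks a sequence number so a user who skipped entries on the printed list can still log in. Either way, losing the printed list is equivalent to losing the remaining passwords, which is why S/Key is combined with a PIN or used over an encrypted channel in practice.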
A: 

As an addendum to renegadeMind's post one way to do this would be to have a program on both ends that generates a sequence of random numbers. A property of Pseudo-random number generators (PRNGs) is that if you start them with the same seed, they will continue to generate the same sequence of random numbers. So depending on your experience (or availability of technology) you could set your network up to generate a new password every x minutes. Then you could carry around a piece of software that would run on a phone or other embedded hardware that calculates what step in the sequence the PRNG is up to and then list the current password for you.

Having said that the security of your system would be limited to the seed you choose and the time you choose that each key is valid for.

In addition to this there is probably a software solution that will do this for you. IMHO it's better to take the existing implementation than reinventing the wheel.

Edit: Wikipedia has a good article here. The part on specific OTP technologies will probably be the most relevant.

Good luck though!

wiki article on PRNG

mdec
yep, that's one way of doing it!
renegadeMind
+1  A: 

S/Key is fine for a low-cost OTP implementation. If you're really worried about it, though, then worry also about your sessions being hijacked after they're initiated. In which case you might consider an SSH tunnel to encrypt your traffic. SSH also lends itself better to tunneling other applications through it once you set up your access. Finally, if you don't have an easy way to carry around an SSH client with you (or don't trust other people's SSH clients), there are a few web-based SSH clients that you could offer from your own server -- so it's under your control but available from any browser.

Liudvikas Bukys
A: 

The first thing you need to decide is what authentication protocol will be your standard. I recommend RADIUS, especially for two-factor authentication in the enterprise. RADIUS is supported by all the major VPN & networking providers as well as all the major 2FA providers.

Then, consider the services you want to protect. For Linux, this usually means PAM. Luckily, adding 2FA to Linux via PAM is pretty painless: http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to/. For Windows services, you will want to route them through ISA or the VPN.

You can configure all your RADIUS requests to go through AD using the MS RADIUS plugin IAS/NPS. http://www.networkworld.com/news/2010/050710-two-factor-authentication-through-windows-server.html?source=nww_rss

Finally, when choosing your 2FA solution, just make sure they support RADIUS.

As for SDKs, that is a per-vendor situation. Here's a link to ours: http://www.wikidsystems.com/downloads/network-clients

hth, nick

nowen