I've been struggling with this for a few days, and I hope someone can suggest some solutions.

I have a self-hosted WCF service; the main interface to this service will be a Silverlight application that is hosted in a non-IIS, potentially shared, environment.

I'm aware of the TransportWithMessageCredential and a custom authentication validator. The only requirement of this seems to be that the host has HTTPS and a valid SSL certificate. However, there are certain environments the product will be operating in where they don't want the hassle of paying for and maintaining a certificate, or the shared environment doesn't allow SSL.

The easy answer would be to tell them to find a new host/admin, but I've been asked to see if there are any other feasible authentication mechanisms.

Any suggestions?

Thanks

A: 

Without SSL there really isn't any way for you to secure the user's credentials "across the wire". You "could" do some encryption in the Silverlight app, but this really amounts to obfuscation vs. "real" security.

The only option that I can think of that would be moderately secure in this scenario would be a 3 factor solution such as giving all the users SecurID key fobs.

Scrappydog
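
Added example, not part of the original answer and not WCF or Silverlight code: a Python model of the point made above, that a password transformed on the client and sent over plain HTTP is still the credential. It goes one step beyond the answer by also showing a per-login nonce; the account, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample account: the server stores SHA-256(password), not the password.
STORED = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def client_static_token(password):
    """Client-side 'encryption': hash the password before sending it over plain HTTP."""
    return hashlib.sha256(password.encode()).hexdigest()


def server_check_static(user, token):
    """Server compares the received token with its stored hash."""
    return hmac.compare_digest(STORED.get(user, ""), token)


def client_response(password, nonce):
    """Challenge-response variant: HMAC the server's nonce, keyed with the password hash."""
    key = hashlib.sha256(password.encode()).hexdigest().encode()
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()


def server_check_response(user, nonce, response):
    """Server recomputes the HMAC from its stored hash and the nonce it issued."""
    key = STORED.get(user, "").encode()
    expected = hmac.new(key, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def demo():
    # 1. Static token: whatever crosses the wire is itself the credential.
    on_wire = client_static_token("correct horse")
    captured = on_wire  # identical bytes are visible to anyone who can read the traffic
    static_replay_ok = server_check_static("alice", captured)

    # 2. Fresh nonce per login: a response recorded earlier fails against a new nonce.
    nonce1, nonce2 = os.urandom(16), os.urandom(16)
    resp1 = client_response("correct horse", nonce1)
    legit_ok = server_check_response("alice", nonce1, resp1)
    nonce_replay_ok = server_check_response("alice", nonce2, resp1)
    # The channel still has no server authentication, confidentiality or integrity,
    # and the stored hash is now itself the secret key; HTTPS is what closes those gaps.
    return static_replay_ok, legit_ok, nonce_replay_ok


if __name__ == "__main__":
    print(demo())
```
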