December 26th, 2009, 07:07 PM
#1
I fully agree with MsM and would also recommend a single password sent via email, that requires a new password to be provided upon first login of the user.
Naturally, if the user responds informing you that they are not able to log in (so someone else logged in using the stolen password, and was then forced to change the password to something different) - at this point you could investigate any security breach. But until this happens, stress less.
CTO
no signature was attached to this email
-
December 27th, 2009, 03:17 PM
#2
Junior Member
Sounds fair enough. I'm not looking for the same security as online banks, but I'm aiming close.
So what I have now is regular username/password login with a one time password sent to the user on either phone or email. This is also required when making changes to the account, e.g. changing the password.
I've also looked at integrating YubiKey support (mine is on its way from the store now) but I'm not sure if there is a security benefit replacing the one time passwords from email/SMS with one from the YubiKey, other than the danger of someone eavesdropping on the email communication.
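The flow the two posts above describe (a single mailed password that must be replaced at first login, then username/password plus a one-time password for login and for account changes) can be pinned down in code. The following is an added example, not code from the thread or from any poster; the in-memory user table, the function names (provision_user, issue_otp, consume_otp, login, change_password) and the 15-minute/3-attempt limits are assumptions chosen for illustration. It stores only digests of the one-time passwords, makes them single use, expires them, voids them after a few wrong guesses, and keeps a login OTP from being accepted for a password change.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for the application's user table and policy values.
OTP_TTL_SECONDS = 15 * 60   # a one-time password expires after 15 minutes
OTP_MAX_ATTEMPTS = 3        # after this many wrong guesses the OTP is void


@dataclass
class User:
    username: str
    password_digest: str
    must_change_password: bool = False
    otp_digest: Optional[str] = None    # digest of the outstanding OTP, never the OTP itself
    otp_purpose: Optional[str] = None   # "login" or "account_change"
    otp_expires: float = 0.0
    otp_attempts: int = 0


USERS: Dict[str, User] = {}


def _digest(value: str) -> str:
    # Toy digest for the example; a real deployment would use a slow password
    # hash (bcrypt/scrypt/argon2) for the long-term password.
    return hashlib.sha256(value.encode()).hexdigest()


def provision_user(username: str) -> str:
    """Create the account with a random initial password that is delivered once
    (returned here for e-mailing) and must be replaced at the first login."""
    initial = secrets.token_urlsafe(12)
    USERS[username] = User(username, _digest(initial), must_change_password=True)
    return initial


def issue_otp(user: User, purpose: str, now: Optional[float] = None) -> str:
    """Generate a fresh OTP for 'login' or 'account_change'; any earlier OTP is
    replaced. Only the digest is stored, so a database leak exposes no live OTP."""
    now = time.time() if now is None else now
    otp = "".join(secrets.choice("0123456789") for _ in range(8))
    user.otp_digest = _digest(otp)
    user.otp_purpose = purpose
    user.otp_expires = now + OTP_TTL_SECONDS
    user.otp_attempts = 0
    return otp


def consume_otp(user: User, candidate: str, purpose: str, now: Optional[float] = None) -> bool:
    """Accept the OTP at most once. Expired or wrong-purpose tokens are voided
    outright; too many wrong guesses void the token so it cannot be brute-forced."""
    now = time.time() if now is None else now
    if user.otp_digest is None or user.otp_purpose != purpose or now > user.otp_expires:
        user.otp_digest = None
        return False
    user.otp_attempts += 1
    ok = hmac.compare_digest(user.otp_digest, _digest(candidate))
    if ok or user.otp_attempts >= OTP_MAX_ATTEMPTS:
        user.otp_digest = None   # single use, or guess budget exhausted
    return ok


def login(username: str, password: str, otp: Optional[str] = None,
          now: Optional[float] = None) -> str:
    """Password first, then the delivered OTP. Returns a status string so the
    caller can log every outcome (a user who cannot log in is the signal post #1 mentions)."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user.password_digest, _digest(password)):
        return "bad_credentials"
    if user.must_change_password:
        return "change_password_required"   # first login with the mailed password
    if otp is None:
        return "otp_required"
    return "ok" if consume_otp(user, otp, "login", now) else "bad_otp"


def change_password(username: str, new_password: str, otp: Optional[str],
                    now: Optional[float] = None) -> str:
    """A password change is an account change and needs its own OTP, except for
    the forced change right after the first login (the caller must already have
    seen login() return change_password_required for this session)."""
    user = USERS.get(username)
    if user is None:
        return "bad_credentials"
    if not user.must_change_password and not consume_otp(user, otp or "", "account_change", now):
        return "bad_otp"
    user.password_digest = _digest(new_password)
    user.must_change_password = False
    return "ok"
```

The purpose tag on the OTP is the detail worth keeping: without it, an OTP mailed for login could be reused by whoever intercepts it to change the password, which is exactly the account-change step the poster wants guarded.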
-
January 7th, 2010, 07:54 AM
#3
Junior Member
Why not use Umikey?
 Originally Posted by xqus
Sounds fair enough. I'm not looking for the same security as online banks, but I'm aiming close.
So what I have now is regular username/password login with a one time password sent to the user on either phone or email. This is also required when making changes to the account, e.g. changing the password.
I've also looked at integrating YubiKey support (mine is on its way from the store now) but I'm not sure if there is a security benefit replacing the one time passwords from email/SMS with one from the YubiKey, other than the danger of someone eavesdropping on the email communication.
Just wondering why not support Umikeys first? Since it is robust and much more affordable to all.
I've been using Umikey on Mashedlife and it works like a dream. The auto-navigation and OTP generation work on both my German keyboard and English keyboard, and on Linux, Mac and PC. And the price is reasonable enough that I bought a bunch at ~$5 each.
Thanks for inputs
-
January 8th, 2010, 05:47 PM
#4
Junior Member
 Originally Posted by mannyer
Just wondering why not support Umikeys first? Since it is robust and much more affordable to all.
I've been using Umikey on Mashedlife and it works like a dream. The auto-navigation and OTP generation work on both my German keyboard and English keyboard, and on Linux, Mac and PC. And the price is reasonable enough that I bought a bunch at ~$5 each.
Thanks for inputs
At the moment I have implemented support for Yubikey (http://yubico.com/products/yubikey/). It does not offer all the same functions as Umikey, but all you need to pay for is the hardware itself. Yubico provides a validation API that is free to use, and open source libraries to interact with the API. I used 10 minutes to fully integrate Yubikey support in my application.
The users also have an option to receive a one time password in a GPG signed email. This email also contains information that will help protect against man in the middle attacks (if the user is educated).
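Two checks sit around any call to the validation API and are easy to forget when integration takes ten minutes: the key's public identity must be bound to the account being logged in (otherwise an OTP from any valid YubiKey would authenticate any user), and an OTP the application has already accepted must not be accepted again. The following is an added example, not code from the thread, from the poster's application or from Yubico's libraries. It relies only on the documented OTP shape (a modhex string of 32 to 48 characters whose last 32 characters are the encrypted token and whose prefix is the public ID); the in-memory tables, the function names and the `validator` callable, which stands for whatever call reaches the validation service, are assumptions.

```python
import re
from typing import Callable, Dict, Optional, Set, Tuple

# Yubico's modhex alphabet: 16 letters chosen to sit on the same keys across
# keyboard layouts, mapping to hex digits 0..f in this order.
MODHEX = "cbdefghijklnrtuv"
_OTP_RE = re.compile(r"^[cbdefghijklnrtuv]{32,48}$")
TOKEN_LEN = 32   # the trailing 32 modhex chars are the AES-encrypted token

# Constructed in-memory stand-ins for the application's tables.
KEY_BINDINGS: Dict[str, str] = {}   # public_id -> username
USED_OTPS: Set[str] = set()         # OTPs this application has already accepted


def modhex_to_hex(s: str) -> str:
    """Translate modhex to plain hex (public IDs are usually displayed as hex)."""
    return "".join("0123456789abcdef"[MODHEX.index(ch)] for ch in s)


def split_otp(otp: str) -> Optional[Tuple[str, str]]:
    """Return (public_id, token), or None when the string is not a well-formed OTP."""
    otp = otp.strip().lower()
    if not _OTP_RE.match(otp):
        return None
    return otp[:-TOKEN_LEN], otp[-TOKEN_LEN:]


def bind_key(username: str, sample_otp: str) -> str:
    """Enrol a key by recording its public ID against the account. A public ID
    already bound to a different account is refused rather than silently moved."""
    parts = split_otp(sample_otp)
    if parts is None:
        raise ValueError("not a YubiKey OTP")
    public_id = parts[0]
    if KEY_BINDINGS.get(public_id, username) != username:
        raise ValueError("key already bound to another account")
    KEY_BINDINGS[public_id] = username
    return public_id


def check_otp_for_user(username: str, otp: str, validator: Callable[[str], bool]) -> str:
    """Local checks before and after the validation service. `validator` is
    assumed to return True only when the validation API reported the OTP valid."""
    otp = otp.strip().lower()
    parts = split_otp(otp)
    if parts is None:
        return "malformed"
    public_id, _token = parts
    if KEY_BINDINGS.get(public_id) != username:
        return "key_not_bound"        # someone else's valid key must not log this user in
    if otp in USED_OTPS:
        return "replayed"             # belt and braces; the service also tracks counters
    if not validator(otp):
        return "rejected_by_validator"
    USED_OTPS.add(otp)
    return "ok"
```

The binding check runs before the network call on purpose: an OTP for an unbound key is rejected without ever being sent to the validation service, so its counter is not consumed and the failure is logged as a binding problem rather than a generic rejection.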