Create and use One-Time Passwords

Background

You have probably noticed that many websites and applications have started to use some form of Two-Factor Authentication.

In enterprises this has been standard practice for years: it is how users authenticate securely to a VPN or to web-published corporate applications.

Such schemes rely on ‘Something you know’ and ‘Something you have’.

The Something you Know was typically a password, sometimes combined with a PIN code.

The Something you Have was typically a hardware token that displays a different numeric code every minute (derived from a secret shared with the authentication server), possibly augmented with a certificate installed on the computer.

Use in our Applications / WebServices

While a password remains the basic requirement for authenticating the user, I think there are real advantages in requiring a One-Time Password as well.

This is not only to authenticate the user, but also to give your WebService an additional check on every sensitive request: the OTP shows that the request was made by the user (or by an application on the user's behalf) and that it was made within an appropriate time window. This offers some protection against somebody capturing a web request and replaying it later, with one caveat: a time-based code is valid for the whole time step, so the service must also refuse a code it has already accepted, otherwise a capture can still be replayed within that window.

The same mechanism can be used in the other direction: when you receive a response back from the WebService, a code derived from a secret shared with that service gives you a bit more assurance that the response actually comes from it.
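The following is an added example (not code from the original post) showing the three ideas above in working form: the HMAC-based one-time code that hardware tokens compute (RFC 4226 HOTP, and its time-based variant RFC 6238 TOTP with HMAC-SHA1 and a 30-second step), a server-side verifier that tolerates one step of clock skew but refuses a code it has already accepted, and a round trip in which the client attaches a code to its request and the service answers with a code from a second, separate secret so the client can check the response. The secret `12345678901234567890` is the test key from the RFCs; the request and response dictionaries, the second secret and the helper names are my own assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default; many hardware tokens use 60
DIGITS = 6

# Constructed demo secret: the RFC 4226 / RFC 6238 test key. A real deployment
# generates a random secret per user and stores it only on the token and the server.
USER_SECRET = b"12345678901234567890"
# Assumed second secret, shared only between this client and the WebService,
# so the service can prove that a response is really its own.
SERVICE_SECRET = b"service-side-secret-shared-with-client"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(now) // step, digits)


class OtpVerifier:
    """Server-side check: a code is accepted once, and only within +/- skew_steps
    of the current time step. Accepted codes are remembered until they expire,
    which is what actually stops a captured request from being replayed."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.used = set()  # (counter, code) pairs already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        # Forget entries that can no longer be presented anyway.
        self.used = {u for u in self.used if u[0] >= current - self.skew_steps}
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if (counter, code) in self.used:
                    return False  # same code seen before: replay
                self.used.add((counter, code))
                return True
        return False


def demo_round_trip(now: float):
    """Client -> service request carrying a user OTP; service -> client response
    carrying a service OTP. Returns (request_accepted, response_accepted)."""
    service_verifier = OtpVerifier(USER_SECRET)      # lives in the WebService
    client_verifier = OtpVerifier(SERVICE_SECRET)    # lives in the client

    # Assumed request shape: the OTP travels with the business payload.
    request = {"action": "transfer", "amount": 100, "otp": totp(USER_SECRET, now)}
    request_ok = service_verifier.verify(request["otp"], now)

    # The service only answers (with its own code) if the request checked out.
    response = {"status": "ok" if request_ok else "denied",
                "otp": totp(SERVICE_SECRET, now) if request_ok else ""}
    response_ok = request_ok and client_verifier.verify(response["otp"], now)
    return request_ok, response_ok


if __name__ == "__main__":
    import time
    t = time.time()
    print("HOTP counter 0 for RFC test key:", hotp(USER_SECRET, 0))
    print("round trip:", demo_round_trip(t))
    v = OtpVerifier(USER_SECRET)
    c = totp(USER_SECRET, t)
    print("first use:", v.verify(c, t), " replay:", v.verify(c, t + 2))
```

Note that `verify` compares with `hmac.compare_digest` rather than `==` to keep the comparison constant-time, and that the skew window is what lets a token whose clock drifted by up to one step still log in; widening it beyond one or two steps gives an attacker proportionally more time to replay a captured code, which is why the used-code set matters.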

Create Shared Project for OTP Handling
