Re: Sign On Authentication
From: Barry Margolin (barmar_at_alum.mit.edu)
Date: 08/16/05
- Next message: dkelly_at_eoncc.com: "Re: Sign On Authentication"
- Previous message: Volker Birk: "Re: Sign On Authentication"
- In reply to: Volker Birk: "Re: Sign On Authentication"
- Next in thread: Volker Birk: "Re: Sign On Authentication"
- Reply: Volker Birk: "Re: Sign On Authentication"
- Reply: Ari Silversteinn: "Re: Sign On Authentication"
Date: Tue, 16 Aug 2005 02:55:43 -0400
In article <43016b0d@news.uni-ulm.de>, Volker Birk <bumens@dingens.org>
wrote:
> In comp.security.misc Barry Margolin <barmar@alum.mit.edu> wrote:
> > > Is there a way to automatically authenticate a user, not the user's
> > > computer, when he logs in to a website? The reason for this is to validate
> > > that a multiple choice test that is taken was performed by Bob X and not by
> > > Charles Y in a distance learning application.
> > Isn't this normally done with a username and password prompt? It can be
> > improved with token-based authentication like SecurID or Defender.
>
> No, it isn't.
>
> Every user who has the security token can log in.
>
> Passwords (and any other security token) only work if the user
> who owns the password has no interest in sharing it.
OK, if you don't trust the users, then I don't think there's any way to
accomplish your goal with the stated restrictions. Complete
identification and authentication requires three factors:
1) Who you are
2) What you have
3) What you know
A token implements #2, a password implements #3, but both of these can
be shared. To implement #1, you need to use biometrics, which requires
special hardware. But you specifically said that you can't require
hardware like a fingerprint reader.
-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***