Re: suggestions for smart card or biometric web authentication?
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Dec 2005 14:06:57 -0800
Hi,
hope this is helpful :)
generally there are two choices - certificate based or key token based (e.g. RSA SecurID)
in the first place, such forms of custom authentication take place in IIS - for certificates this is part of the SSL handshake, IIRC RSA is split into an ISAPI filter and a .NET library (Joe has more info on that)
If you choose certificates - the physical storage location does not matter - the certificate could be deployed to the client's machine or a smart card.
These custom mechanisms can be used instead of or in addition to application authentication logic like forms authentication.
The next question is - which client scenarios do you want to enable -
if you require certs then the client will not be able to use public terminals - which may be exactly what you want
RSA SecurID generates one-time passwords - so even if you use a public terminal that has a keylogger installed - the logged password is useless
For the certificate-based approach you don't need any special hardware - any Windows-supported smart card reader will do and IIS includes all functionality out of the box to enable client cert authentication on the server side.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Anyone have suggestions for biometric or smart card or key fob or [whatever else] authentication of a future public facing website? For example, a customer could do something to authenticate themselves and the computer passes some data in the background of their browser session so a user can be authenticated better than the typical "username/password" fields? We'd use ASP.NET 2.0 on the server side. I see a few miscellaneous tools in a Google search but nothing is jumping out at me. For example, one is not really .NET compatible but you could work around that. Not great. We also need something affordable. Considering that online banking sites are exploring better options to prevent spyware from grabbing usernames/passwords, I was hoping someone in this group might have done some research into this already and have some concrete thoughts or suggestions.
User Group Etiquette: Please don't be the first to reply to this post unless you have something truly helpful to add, else others will think I've already been helped and not read the post.
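
The certificate option discussed in the reply above, as an added example that is not part of the original thread or either poster's code: an ASP.NET 2.0 handler that reads the client certificate presented during the SSL handshake in IIS and hands the mapped user to forms authentication. The handler name, the thumbprint-to-user table, the placeholder thumbprint and the landing page are assumptions, and IIS is assumed to require SSL and client certificates for this URL.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Security;

// Hypothetical handler (e.g. mapped to CertLogin.ashx); not from the thread.
// Assumes IIS already requires SSL and client certificates for this URL.
public class CertLoginHandler : IHttpHandler
{
    // Constructed sample data: certificate thumbprint -> application user name.
    static readonly Dictionary<string, string> KnownCerts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    static CertLoginHandler()
    {
        KnownCerts.Add("0000000000000000000000000000000000000000", "alice"); // placeholder
    }

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpClientCertificate cert = context.Request.ClientCertificate;
        DateTime now = DateTime.Now;

        // The certificate arrived via the SSL handshake in IIS; re-check what ASP.NET reports.
        bool trusted = context.Request.IsSecureConnection
            && cert.IsPresent && cert.IsValid
            && now >= cert.ValidFrom && now <= cert.ValidUntil;

        string user = null;
        if (trusted)
        {
            // Identify the caller by thumbprint rather than by free-text subject fields.
            string thumbprint = new X509Certificate2(cert.Certificate).Thumbprint;
            KnownCerts.TryGetValue(thumbprint, out user);
        }

        if (user == null)
        {
            context.Response.StatusCode = 403; // no cert, invalid cert, or unknown cert
            return;
        }

        // Hand over to forms authentication for the rest of the session.
        FormsAuthentication.SetAuthCookie(user, false);
        context.Response.Redirect("~/Default.aspx"); // hypothetical landing page
    }
}
```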