Re: Sign On Authentication

From: Volker Birk (bumens_at_dingens.org)
Date: 08/16/05


Date: 16 Aug 2005 06:26:53 +0200

In comp.security.misc Barry Margolin <barmar@alum.mit.edu> wrote:
> > Is there a way to automatically authenticate a user, not the user's
> > computer, when he logs in to a website? The reason for this is to validate
> > that a multiple choice test that is taken was performed by Bob X and not by
> > Charles Y in a distance learning application.
> Isn't this normally done with a username and password prompt? It can be
> improved with token-based authentication like SecurID or Defender.

No, it isn't.

Every user who has the security token can log in.

Passwords (and any other security token) only work if the user
who owns the password has no interest in sharing it.

In such a test, for example, the contestant could let anybody "help" him by
using a VNC server on her/his machine.

F'up2here.

Yours,
VB.

-- 
"Almighty Father, who wilt hear the prayer of those that love Thee, we pray
Thee to be with those who brave heights of Thy heaven and who carry the
battle to our enemies. Guard and protect them, we pray Thee, as they fly
the appointed rounds." - Chaplain William Downey, prayer for the Enola Gay.