
Article Preview


Issue 7.5

FEATURE

Two-factor Authentication

Implementing YubiKey for strong authentication of users in REALbasic

Issue: 7.5 (July/August 2009)
Author: Mattias Sandström
Author Bio: Mattias is the programming CEO of Tangix Design & Development, a Sweden-based company developing software solutions for the web and for the Windows platform.
Article Description: No description available.
Article Length (in bytes): 35,737
Starting Page Number: 20
Article Number: 7510
Resource File(s):

7510 project.zip (Updated: 2009-07-01 13:05:55)

Related Web Link(s):

http://api.yubico.com/wsapi/verify?otp=ccccccccenedrjgfbthjdekfrrchcrducrhcdrvvenvi&
http://www.yubico.com/developers/api/
http://www.einhugur.com

Excerpt of article text...

Looking up "authentication" in Cassell's Concise English Dictionary, I find the definition "to establish the truth or credibility of". For a programmer or computer user, the idea that pops up is a username (often your email address) in combination with an arbitrarily complex password (an average password is claimed to be 6.8 characters long, often the name of a pet or the license plate of your first car). Being somewhat security conscious (or paranoid, as some would say), a password for me is something much stronger -- Cassell defines it as "a word by which to distinguish friends from strangers". Personally, I don't see how qwerty123 or passw0rd would fit those shoes. Anyway, this is what we live with and have become accustomed to. Interviewing a couple of friends in a semi-scientific manner, I find out that they use exactly three different passwords for their digital life: one weak, one strong, and finally one "in the middle". The criteria for deciding which online service gets which password are somewhat sketchy, and several friends use some sort of password database software. Over the years we have learned to accept username and password as a daily part of our digital life.

When passwords are not enough

Sometimes authenticating a user with a combination of username and password is not good enough. Typical situations are when the authentication is done in clear text, such as HTTP over a public WiFi network, when the communication protocol does not support encryption, or when the nature of the information to secure is such that security is crucial. In such situations an OTP (One Time Password) is often employed. An OTP has the huge benefit over a username/password combination that it is not prone to a replay attack -- that is, someone capturing your username/password combination while it is transmitted and then using it again. An OTP is only valid once and cannot be used again for authentication, so there is no point in writing it down, which is often a major security breach with ordinary passwords.

To allow a system to use OTPs for authentication requires something to generate the OTP in such a way that it is guaranteed to be one-time, thus preventing replay attacks. To be usable for authentication, the process of OTP generation must thus be both random (unpredictable to anyone without the secret) and deterministic (reproducible by the server). Pseudo-randomness is often used together with a secret seed value known to the user and to the server authenticating the user. When authenticating, the user and the server perform the same pseudo-random operations on the seed value, and if they get the same result, the authentication is successful.

Clearly there are some practical issues here, most notably how the user should store the seed value and perform the pseudo-random operation to create the OTP. Enter the wonderful world of two-factor authentication.
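As an added illustration of the shared-seed scheme described above (not code from the article, which targets REALbasic), here is a counter-based OTP in Python: both sides derive the code from the secret seed with HMAC-SHA1, and the server accepts each counter value only once, so a captured code cannot be replayed. The seed value, the window size and the demo sequence are constructed for this example.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP using the HMAC-SHA1 construction of RFC 4226.
    Deterministic: the same seed and counter always give the same code.
    Unpredictable: without the seed, the next code cannot be derived."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Holds the shared seed and the highest counter value already accepted."""

    def __init__(self, seed: bytes, window: int = 5):
        self.seed = seed
        self.window = window      # how far ahead the user's token may have advanced
        self.last_counter = -1    # nothing accepted yet

    def verify(self, candidate: str) -> bool:
        # Only counters above the last accepted one are tried; anything at or
        # below it has already been used once, so a replayed OTP is rejected.
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.seed, c), candidate):
                self.last_counter = c
                return True
        return False


def demo() -> list:
    """Constructed walk-through: first use accepted, replay rejected, next code accepted."""
    seed = b"constructed-shared-seed"   # sample value, not a real secret
    server = OtpServer(seed)
    otp1 = hotp(seed, 0)                # user's token at counter 0
    first = server.verify(otp1)         # True
    replay = server.verify(otp1)        # False: counter 0 already consumed
    otp2 = hotp(seed, 1)                # token has advanced to counter 1
    second = server.verify(otp2)        # True
    return [first, replay, second]
```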

...End of Excerpt. Please purchase the magazine to read the full article.