Two-factor Authentication for Web Apps
05-25-2010, 11:09 AM
Posts: 76
Name: Nick Cousins
Location: Northern Ireland
I have developed a two-factor authentication platform for a web app which I'm involved in, and I've written it as an API.
Was wondering if anyone here has ever needed/used 2FA in a web app, and wants to stick their two pennies' worth in?
I want to release a BETA if anyone's interested in playing with it.
Reply or get in touch with any suggestions/flames/interest.
__________________
Knowledge is power. Never underestimate the power of stupid people in large numbers.
05-25-2010, 11:21 AM
Re: Two-factor Authentication for Web Apps
Posts: 42,378
Name: Chris Hirst
Location: Blackpool. UK
An API to what though??
Or are you expecting that people are going to use your server and database for their authentication?
__________________
A foolish consistency is the hobgoblin of little minds
Thought for today:- Is SEO the only industry where all the cowboys are Indians?
05-25-2010, 11:31 AM
Re: Two-factor Authentication for Web Apps
Posts: 76
Name: Nick Cousins
Location: Northern Ireland
OK, the idea is that you validate the username and password in whatever way you see fit. However, before "logging in" the user, you create a transaction with my API: it sends the user a Token, and your app directs them to a secure page on my server requesting part of that token. My API validates that they passed this challenge successfully (proving that they are in possession of the token) and passes them to a URL of your choosing.
Your App can then query my API to check whether they passed or failed the challenge, to decide whether or not to log them in.
05-25-2010, 12:44 PM
Re: Two-factor Authentication for Web Apps
Posts: 76
Name: Nick Cousins
Location: Northern Ireland
If you've ever implemented the PayPal API you will find the concept of my Auth API very similar.
It uses a combination of public and private keys (the public ones last only for the duration of the transaction), and the private ones are only sent between your App server and mine via SSL.
I'd love to hear everyone's thoughts.
05-25-2010, 12:54 PM
Re: Two-factor Authentication for Web Apps
Posts: 42,378
Name: Chris Hirst
Location: Blackpool. UK
The question still stands, this being the WEB DESIGN FORUM and NOT a specific CODING forum!!!!
WHO is going to HOST the database the users are authenticating against?
Saying API is fine, BUT it is an API to WHAT or WHERE?
An API for PayPal?
An API for eBay?
An API to use the Webmaster-talk database?
OR????????
05-25-2010, 01:03 PM
Re: Two-factor Authentication for Web Apps
Posts: 76
Name: Nick Cousins
Location: Northern Ireland
Quote:
Originally Posted by chrishirst
The question still stands this being the WEB DESIGN FORUM and NOT a specific CODING forum!!!!

Sorry Chris, I may very well have posted this in the wrong place. I put it in "Web Design" thinking of the design of web applications: not the actual graphical design but their functional design, as it doesn't relate to how you code it specifically.

Quote:
Originally Posted by chrishirst
WHO is going to HOST the database the users are authenticating against.

The database which houses the users' personal information and login credentials is up to the developer, i.e. hosted by them somehow (use an existing login system). My database only holds the tokens that are sent, for their lifetime (typically 2 minutes). So, to answer this question: I host the database which authenticates the second factor, the one-time password. The developer/service provider of the app hosts the rest of the login system as they normally would, and I have no access to this.

Quote:
Originally Posted by chrishirst
Saying API is fine BUT it is an API to WHAT or WHERE

An API to a system which generates and verifies one-time passwords, without disclosing the password to the application using it or requiring any of the user's other security credentials.

Quote:
Originally Posted by chrishirst
An API for paypal?
An API for Ebay?
An API to use the Webmaster-talk database?

I would be delighted if any of these sites wanted to use the API... but it's not designed specifically for any site.
05-25-2010, 01:33 PM
Re: Two-factor Authentication for Web Apps
Posts: 42,378
Name: Chris Hirst
Location: Blackpool. UK
Now there is something that can be considered constructively. The vast majority of people reading won't get what your topic was actually about and would have skipped over it completely.
So the API is to your token generation system.
What server-side code does it need (if any), or does it provide HTTP/HTTPS request/response as "entry points", so that a developer/programmer could write their own routines as we can with the PayPal or Amazon APIs?
Alternatively, are you going to write "classes" for the "popular" languages/frameworks?
05-25-2010, 07:03 PM
Re: Two-factor Authentication for Web Apps
Posts: 76
Name: Nick Cousins
Location: Northern Ireland
Yes, the API works with HTTP requests.
1. Your app makes an HTTP GET request to a secure page, sending your private key, the user's (registered) email address and your "destination" URL.
2. My App responds with a transaction ID, and transparently sends the user their token (8-character alphanumeric code) by SMS (having cross-referenced the email address with its corresponding registered Mobile Number).
3. Given this transaction ID, your app sends the user to a secure page with this transaction ID as a parameter. The secure page will request a random section of the token, to reduce the risk of keystroke-logging attacks, and validate this.
4. On success, or after 3 successive failures of this challenge, my secure page will then forward the user to your "destination" URL. Your destination URL will then check with the API whether the user successfully authenticated themselves.
Presently there are only 2 API calls: initiate transaction (returns the transaction ID and sends the user a token), and check transaction (which verifies if they completed the transaction successfully).
I plan to expand this, and provide sample classes for various languages and further features such as the ability to add registered users via the API, etc.
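The two-call flow Nick lays out above (initiate a transaction, send the user to a challenge page that asks for part of the SMS token, then have the destination URL check the transaction), and his earlier outline of the same idea, as an added simulation in Python. This is not the poster's code or API: the class and method names, the app-ID/private-key pair, the token alphabet, the 2-minute TTL, the three-strike limit, the in-memory SMS gateway stub and the sample user are all assumptions built from the thread's description. It also shows the check a practitioner would want on the app side: landing on the destination URL proves nothing by itself (anyone can type that URL), so the app must make the check-transaction call server-to-server, and that result is consumed on first use so a replayed check cannot re-authorise.

```python
"""Simulation of a two-call SMS OTP service (added example, not the thread's code).

Assumed from the thread: 8-character alphanumeric token, ~2 minute lifetime,
3 successive failures end the transaction, and the challenge asks for a random
subset of the token's characters rather than the whole code.
"""
import hmac
import secrets
import string
import time

TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 8
TOKEN_TTL_SECONDS = 120       # "typically 2 minutes"
MAX_FAILURES = 3              # "3 successive failures"
CHALLENGE_POSITIONS = 3       # how many characters of the token are requested

# Constructed fixtures: one integrating app and one registered user (hypothetical).
APP_PRIVATE_KEYS = {"demo-app": "app-private-key-000"}   # app id -> private key
REGISTERED_USERS = {"alice@example.test": "+447700900123"}  # email -> mobile
SMS_OUTBOX = []  # stands in for the SMS gateway so the example runs offline


def send_sms(number, text):
    SMS_OUTBOX.append((number, text))


class OtpService:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested
        self.transactions = {}

    def _authenticate_app(self, app_id, private_key):
        expected = APP_PRIVATE_KEYS.get(app_id)
        if expected is None or not hmac.compare_digest(expected, private_key):
            raise PermissionError("bad app credentials")

    # API call 1: initiate transaction (app server -> OTP server, over TLS).
    def initiate(self, app_id, private_key, email, destination_url):
        self._authenticate_app(app_id, private_key)
        mobile = REGISTERED_USERS.get(email)
        if mobile is None:
            raise LookupError("email not registered")
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        tx_id = secrets.token_urlsafe(16)   # unguessable transaction id
        self.transactions[tx_id] = {
            "app_id": app_id, "token": token, "destination": destination_url,
            "created": self.clock(), "failures": 0, "state": "pending",
            "positions": None,
        }
        send_sms(mobile, f"Your login code is {token}")
        return tx_id

    def _expired(self, tx):
        return self.clock() - tx["created"] > TOKEN_TTL_SECONDS

    # Challenge page, step 1: pick which characters to ask for (fixed per attempt).
    # Returns 0-based positions, or None if the transaction is no longer live.
    def challenge(self, tx_id):
        tx = self.transactions[tx_id]
        if tx["state"] != "pending" or self._expired(tx):
            tx["state"] = "failed"
            return None
        tx["positions"] = sorted(
            secrets.SystemRandom().sample(range(TOKEN_LENGTH), CHALLENGE_POSITIONS))
        return tx["positions"]

    # Challenge page, step 2: user submits the requested characters.
    # Returns the destination URL when the transaction is finished (pass or
    # lockout), or None when the user should be asked again.
    def answer(self, tx_id, chars):
        tx = self.transactions[tx_id]
        if tx["state"] != "pending" or tx["positions"] is None or self._expired(tx):
            tx["state"] = "failed"
            return tx["destination"]
        expected = "".join(tx["token"][i] for i in tx["positions"])
        chars = chars.strip().upper()
        if chars.isascii() and hmac.compare_digest(expected, chars):
            tx["state"] = "passed"
        else:
            tx["failures"] += 1
            tx["positions"] = None          # fresh random positions next time
            if tx["failures"] >= MAX_FAILURES:
                tx["state"] = "failed"
        return tx["destination"] if tx["state"] != "pending" else None

    # API call 2: check transaction (app server -> OTP server). The result is
    # bound to the calling app and consumed on first read, so a replayed check
    # cannot re-authorise the same transaction.
    def check(self, app_id, private_key, tx_id):
        self._authenticate_app(app_id, private_key)
        tx = self.transactions.get(tx_id)
        if tx is None or tx["app_id"] != app_id:
            return False
        passed = tx["state"] == "passed" and not self._expired(tx)
        tx["state"] = "consumed"
        return passed
```

The app never sees the token itself, only the transaction ID and the pass/fail answer, which matches the property Nick describes. The one thing the example adds beyond the thread is the one-shot `check`: without it, an attacker who learns a transaction ID that already passed could present it again later.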
05-25-2010, 07:45 PM
Re: Two-factor Authentication for Web Apps
Posts: 42,378
Name: Chris Hirst
Location: Blackpool. UK
Sounds pretty good, and with SMS capabilities it gives an idea for development.
Maybe you could extend the system to handle push downloads for mobile apps, music, ringtones etc. as a "value added" upgrade/upsell.
Also, possibilities are there for online ticket sales etc. for smaller operators and venues, where the fees of TicketMaster and the like make it prohibitive.
A website takes the booking and payment, a code is then sent to the buyer's mobile, which they then present at the venue.
05-25-2010, 07:48 PM
Re: Two-factor Authentication for Web Apps
Posts: 42,378
Name: Chris Hirst
Location: Blackpool. UK
Only thing is I can't decide between the Coding forum or Business & Commerce
Sleep is what I need first!!
05-25-2010, 08:22 PM
Re: Two-factor Authentication for Web Apps
Posts: 76
Name: Nick Cousins
Location: Northern Ireland
Many, many possibilities. Thanks for your input; you've obviously given this some thought tonight!
Best thing will be to see it in operation, and I will have a live demo for everyone to look at very, very soon; just sorting out the secure server etc.
Main thing I'd like to hear is if anyone has an actual need for two-factor authentication in web-based applications.
I have used 2FA in software virtualisation and VPN setup, and I have just developed a web app which uses it, but I wonder just how much interest there is out there for such a system?
05-25-2010, 10:36 PM
Re: Two-factor Authentication for Web Apps
Posts: 15
Name: Gordon
Sorry, but it doesn't sound like it would help development at all. E.g. it would just make real-world apps run slower, and add an unnecessary point of failure.
I'd suggest taking your new-found skills and using them to build some sort of API-accessed service, something that will add value, e.g. Google Charts, file storage, etc.
05-26-2010, 06:49 AM
Re: Two-factor Authentication for Web Apps
Posts: 76
Name: Nick Cousins
Location: Northern Ireland
Gordonrp,
Thanks for your input. When you say an unnecessary point of failure, do you mean the concept of two-factor authentication, or my implementation of it?
My service is designed to be a plug-and-play software alternative to the very expensive hardware-based 2FA systems that are out there, and designed to be quite separate from your existing user authentication system, thereby not exposing it to any security risks (unlike other similar services which physically change the user's password).
These aren't new-found skills; I'm a professional developer. This is a new system which I have designed as a by-product of another project, and I'm looking to know how much outside interest there would be in making it public.
05-26-2010, 12:46 PM
Re: Two-factor Authentication for Web Apps
Posts: 42,378
Name: Chris Hirst
Location: Blackpool. UK
At a guess, Gordon is considering it as a continuous communication stream, where the app would be communicating with the authentication servers on each access by the client, rather than a one-shot request to get the authentication code, which is then retained, with a new code and TTL requested only when the code reaches its expiry.
My online banking does a similar thing on the session timing out: I have to re-authenticate with PIN and password, but not actually log in again with my username.
O2 will verify some operations by sending an authentication code to your registered mobile phone, which you have to type into a form before the action is applied to your online account.
Once you have done this you can carry on making changes until you log out or the verification timeout (5 or 6 mins) occurs.
It gives an extra layer of security where you may be using a publicly available machine (Internet cafe, library etc.) and do not log off cleanly.
This is the kind of thing that 2FA is used for, not for your average forum login.
05-26-2010, 01:16 PM
Re: Two-factor Authentication for Web Apps
Posts: 15
Name: Gordon
Quote:
Originally Posted by HandCoder
These aren't new-found skills, I'm a professional developer, this is a new system which I have designed as a by-product of another project and I'm looking to know how much outside interest there would be in making it public.
Apologies, my comments were typed in haste, and my choice of words was poor. I simply meant that I would use the code base for a different product.
I understand the uses of the product, but I believe that it involves a market with an extremely high barrier to entry.
You will have a hard time, as a (I assume) small company, pitching such systems to banks etc. Banks deal with Accenture, IBM, etc.
Sounds like you've built something cool; I just think the risk/reward ratio is not worth pursuing.
05-26-2010, 01:20 PM
Re: Two-factor Authentication for Web Apps
Posts: 76
Name: Nick Cousins
Location: Northern Ireland
Exactly, chrishirst.
The application I'm using it in handles people's medical information, hence the need for this extra layer of protection, and the one-time password generated by the system is used when the user logs in. It is used only as a means of preventing someone who knows the login details (such as staff members) from being able to access the system when not in possession of the physical object (mobile phone) which is also required to authenticate them.
Potential uses:
- Protecting access to your customer database
- Protecting your in-house accounting or HR system
- Protecting your admin access to a website
My bank also uses 2FA to access my account online, and I used to work for a company which protected their web-based virtualised CRM software with 2FA.
The key points are that my system can be integrated easily (even without me supplying pre-written code samples), it costs next to nothing, and it is VERY VERY secure.
I'm starting to sound like I'm selling it now, and that's not my intention here. Right now I'd love to hear if anyone has a suggested use, or can think of any useful features that might make this into something that is usable as a security tool for Web Developers to integrate.
05-26-2010, 01:23 PM
Re: Two-factor Authentication for Web Apps
Posts: 76
Name: Nick Cousins
Location: Northern Ireland
gordonrp,
Your point about the barriers to entry is the exact reason I wrote the system.
I wanted to make a 2FA system that could be implemented by me, because there wasn't one out there. I need security, but I don't have the budget for RSA or similar systems.
This is a very simple and VERY low-cost solution for a web developer to build into their web applications to improve security, for about the price of a pizza!