Second Factor Authentication Solution

James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
Can anyone recommend a good second factor authentication solution? What I mean is, in addition to username/password - the user would also be required to enter in a generated pin off of a hard token (keyfob, whatever you call it) that they carry with them.

I am looking for something that can be easily integrated into Tomcat/J2EE. I know RSA SecurID has a component that works with Apache 2.0 but I would like one that integrates with Java so I can "control" it better.

Any recommendations?
Set Cruz
Greenhorn

Joined: Jan 31, 2008
Posts: 26
I suggest PKI


SCJP, Oracle PL/SQL Developer
James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
Isn't that kind of broad? I mean technically just using SSL is using PKI (each client's browser grabs the server's public key which is signed by the CA and encrypts an SSL session).

If you mean "I would suggest SSL", then this doesn't provide a second factor authentication.

Could you be more specific?
K Aditi
Ranch Hand

Joined: Mar 17, 2008
Posts: 89
Well, there are so many techniques that can qualify for second factor authentication. Broadly speaking, if cost is not a problem then you can go for biometrics, smartcards, etc., which can be easily plugged in with the help of JAAS.


Aditi
Set Cruz
Greenhorn

Joined: Jan 31, 2008
Posts: 26
More specifically pkcs11/2-way-SSL
cheers
James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
> More specifically pkcs11/2-way-SSL
> cheers


OK so I think this means issuing a client certificate that users will import into their browser? Is that right? Please tell me if the following is way off:

1) I create a CA (using openSSL)
2) Create a client certificate using openSSL and sign it with my own little CA from step 1.
3) Give the client the certificate which they import into their browser.
4) Add the CA I created in step 1 to my "trustStore" or whatever it is called on Apache.

If the above is correct, will every certificate I issue have its own serial number or Distinguished Name or both?

How do I revoke a client who claims to have lost their client certificate or who I no longer want accessing my server?
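An added example, not posted by anyone in this thread, that walks through the four steps in the post above and the revocation question, using only the openssl command line. It is the software-certificate form of Set Cruz's "2-way-SSL" suggestion; with a PKCS#11 smart card or token the private key would live on the device instead of in the .p12 file. The directory layout, file names, the CA name and the PKCS#12 export password "changeit" are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a small private CA that issues client
# certificates, revokes one, and checks the CRL, all with the openssl CLI.
# File names, the CA name and the "changeit" password are assumptions.
set -eu

# Step 1: create the CA under $1 (a temp dir if not given). "openssl ca" keeps a
# database of issued certs so every certificate gets a unique serial number.
setup_ca() {
  CADIR="${1:-$(mktemp -d)}"
  mkdir -p "$CADIR/newcerts"
  : > "$CADIR/index.txt"          # issued/revoked certificate database
  echo 1000 > "$CADIR/serial"     # next serial number, incremented per cert
  echo 1000 > "$CADIR/crlnumber"  # next CRL number
  cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $CADIR/index.txt
new_certs_dir    = $CADIR/newcerts
serial           = $CADIR/serial
crlnumber        = $CADIR/crlnumber
certificate      = $CADIR/ca.crt
private_key      = $CADIR/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName       = supplied
organizationName = optional
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
# the subject is always passed on the command line with -subj
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$CADIR/openssl.cnf" -subj "/CN=Demo Client CA" \
    -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" >/dev/null 2>&1
  # Publish an (empty) CRL immediately so a verifier always has one to check.
  openssl ca -batch -config "$CADIR/openssl.cnf" -gencrl -out "$CADIR/ca.crl" >/dev/null 2>&1
  echo "$CADIR"
}

# Steps 2-3: key and CSR for one user, signed by the CA (which assigns the
# serial), then bundled with the key as PKCS#12 for import into a browser.
# Prints the serial number of the issued certificate.
issue_client() {
  CADIR="$1"; NAME="$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$CADIR/openssl.cnf" \
    -subj "/CN=$NAME/O=Demo" \
    -keyout "$CADIR/$NAME.key" -out "$CADIR/$NAME.csr" >/dev/null 2>&1
  openssl ca -batch -config "$CADIR/openssl.cnf" \
    -in "$CADIR/$NAME.csr" -out "$CADIR/$NAME.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$CADIR/$NAME.key" -in "$CADIR/$NAME.crt" \
    -certfile "$CADIR/ca.crt" -passout pass:changeit -out "$CADIR/$NAME.p12"
  openssl x509 -in "$CADIR/$NAME.crt" -noout -serial | cut -d= -f2
}

# Lost or withdrawn certificate: mark it revoked in the CA database and publish
# a fresh CRL. This only bites where the server actually loads the new CRL.
revoke_client() {
  CADIR="$1"; NAME="$2"
  openssl ca -batch -config "$CADIR/openssl.cnf" -revoke "$CADIR/$NAME.crt" >/dev/null 2>&1
  openssl ca -batch -config "$CADIR/openssl.cnf" -gencrl -out "$CADIR/ca.crl" >/dev/null 2>&1
}

# What a CRL-checking server does with a presented certificate: chain it to the
# CA (step 4, the trust store) and reject it if the CRL lists its serial.
check_client() {
  CADIR="$1"; NAME="$2"
  if openssl verify -crl_check -CAfile "$CADIR/ca.crt" -CRLfile "$CADIR/ca.crl" \
       "$CADIR/$NAME.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

# Usage: sh clientca.sh demo   (issue two users, revoke one, check both)
if [ "${1:-}" = demo ]; then
  D=$(setup_ca)
  echo "alice serial: $(issue_client "$D" alice)"
  echo "bob serial:   $(issue_client "$D" bob)"
  revoke_client "$D" alice
  echo "alice: $(check_client "$D" alice)   bob: $(check_client "$D" bob)"
fi
```

To the two questions above: every certificate gets its own serial number (the CA increments the `serial` file) and carries whatever Distinguished Name you put in `-subj`; the CRL identifies revoked certificates by serial, so the serial is the stable identifier to log, while the DN is what you map to a user account. For the Tomcat side of step 4, the JSSE connector takes `clientAuth="true"`, `truststoreFile` (a keystore containing ca.crt) and `crlFile`, and a servlet can read the presented chain from the request attribute `javax.servlet.request.X509Certificate` as an `X509Certificate[]`, with `getSerialNumber()` and `getSubjectX500Principal()` on the leaf. Two caveats a deployment needs: the server only honours a revocation after it reloads the regenerated CRL (or you use OCSP), and a certificate sitting in a browser's software store is a weaker "something you have" than a PKCS#11 token, because the key file can be copied by anything running as that user.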