Offline Password Generator

Andres Delrotti
Ranch Hand
Posts: 170
Hello,

This is the setup. You have a regular web application. To do a certain transaction in that application, you would need an extra password. This password can either be sent through email, or the application's mobile app version can generate it for you. The latter means it can generate the password even if it is offline. Is it possible to do this? The only thing I can think of is to have a predefined hard-coded set of passwords in both the mobile app version and the web app, but this kind of thing is very vulnerable and has a high security risk.
 
Ulf Dittmer
Rancher
Posts: 42966
Hardcoded passwords seem like a bad idea. Why does this need to work if the device is offline?

Read up on how the Google Authenticator app works; it sounds like that is similar to what you're asking. (I'm not actually sure if Authenticator needs to be online, but its documentation is sure to talk about that.) Maybe your web app can even leverage Authenticator.
 
Jayesh A Lalwani
Rancher
Posts: 2756
Is it a password, or a token that will be used one time and then discarded? What are you really trying to do here? You want to authenticate the user? Why can't you use standard basic authentication over HTTPS?
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 33694
Ulf Dittmer wrote:
> Read up on how the Google Authenticator app works; it sounds like that is similar to what you're asking. (I'm not actually sure if Authenticator needs to be online, but its documentation is sure to talk about that.) Maybe your web app can even leverage Authenticator.

I've used Authenticator for two factor on my iPad when my iPad didn't have a network connection. Also, Authenticator doesn't work if your iPad time is horribly wrong, which shows that the number is being determined based on the time as one of the factors (rather than requesting it from Google each time).

Andres: The token ("extra password") is the second part of two factor authentication. The mobile app generating it makes sense. It is a "thing you have." You could roll your own. Have a unique number generated when the user first sets up the mobile app. Then use that number and other factors like the time to generate a token value that is only valid for a short time. As long as your server knows that app's number and the algorithm, it can check that the token is right. Another alternative is to use a set of randomly generated values that the mobile app stores and your server knows about. Google two factor also has that. I have a bunch stored in case my iPad breaks and something happens to my phone at the same time. Horrible luck, I know, but I'd certainly want to be able to get into my email if that happened!
 
Andres Delrotti
Ranch Hand
Posts: 170
Jeanne: so how would the main app sync its algorithm with the algorithm in the mobile app, for the main app to recognize the password as valid? The only way I can see this is passwords computed based on the current time. The thing is, this is still vulnerable and could easily be hacked. Can Google generate the extra password even if their mobile app is offline?
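The scheme Jeanne outlines (a per-device secret issued at setup, combined with the current time to produce a short-lived code) and the synchronisation question just above are illustrated by the following Java program. It is an added example, not code from anyone in this thread: it implements the standard TOTP construction of RFC 6238 (HMAC-SHA1 over the 30-second time-step counter, truncated to 6 digits), which is what Google Authenticator uses. Nothing needs to be "synced" at login time: the phone and the server each hold the same secret, run the same function over their own clock, and the server simply recomputes the code. The `DeviceRecord` class, its `lastAcceptedStep` field and the secret bytes in `main` are assumptions made for this example; the RFC 6238 test vector used as a self-check is from that RFC's Appendix B.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class OfflineTokenDemo {
    static final int STEP_SECONDS = 30;   // RFC 6238 default time step
    static final int DIGITS = 6;          // code length the user types
    static final int DRIFT_STEPS = 1;     // accept one step either side for clock drift

    // Server-side state per enrolled device (hypothetical record type for this example).
    static class DeviceRecord {
        final byte[] secret;              // shared with the phone once, at setup (e.g. via QR code)
        long lastAcceptedStep = -1;       // replay guard: a code is valid for one use only
        DeviceRecord(byte[] secret) { this.secret = secret; }
    }

    // Server side, at enrolment: a fresh random secret per device, never derived from anything guessable.
    static byte[] newDeviceSecret() {
        byte[] secret = new byte[20];
        new SecureRandom().nextBytes(secret);
        return secret;
    }

    // Shared by both sides: HOTP truncation (RFC 4226) of HMAC-SHA1 over the time-step counter (RFC 6238).
    static String codeForStep(byte[] secret, long step) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(step).array());
        int offset = hash[hash.length - 1] & 0x0f;            // dynamic truncation offset
        int binary = ((hash[offset] & 0x7f) << 24)
                   | ((hash[offset + 1] & 0xff) << 16)
                   | ((hash[offset + 2] & 0xff) << 8)
                   |  (hash[offset + 3] & 0xff);
        int otp = binary % (int) Math.pow(10, DIGITS);
        return String.format("%0" + DIGITS + "d", otp);
    }

    // Mobile app side: only the stored secret and the device clock are needed, so this works offline.
    static String generate(byte[] secret, long unixSeconds) throws Exception {
        return codeForStep(secret, unixSeconds / STEP_SECONDS);
    }

    // Server side: recompute for the current step and its neighbours, compare in constant time,
    // and refuse any step that has already been used so an intercepted code cannot be replayed.
    static boolean verify(DeviceRecord device, String submitted, long unixSeconds) throws Exception {
        long now = unixSeconds / STEP_SECONDS;
        for (long step = now - DRIFT_STEPS; step <= now + DRIFT_STEPS; step++) {
            if (step <= device.lastAcceptedStep) continue;   // already consumed: replay
            byte[] expected = codeForStep(device.secret, step).getBytes(StandardCharsets.US_ASCII);
            byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, given)) {
                device.lastAcceptedStep = step;
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Self-check against RFC 6238 Appendix B: secret "12345678901234567890", T=59 -> 94287082 (8 digits),
        // so the 6-digit code is 287082.
        byte[] rfcSecret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        if (!"287082".equals(generate(rfcSecret, 59))) throw new AssertionError("TOTP self-check failed");

        DeviceRecord device = new DeviceRecord(newDeviceSecret());   // constructed: enrolment happened earlier
        long now = System.currentTimeMillis() / 1000;

        String code = generate(device.secret, now);                 // what the phone would display
        System.out.println("Phone shows:                        " + code);
        System.out.println("Server accepts it now:              " + verify(device, code, now));    // true
        System.out.println("Same code submitted again (replay): " + verify(device, code, now));    // false
        System.out.println("Same code ten minutes later:        " + verify(device, code, now + 600)); // false

        // Jeanne's observation: a phone whose clock is an hour off produces a code the server rejects.
        String skewed = generate(device.secret, now + 3600);
        System.out.println("Code from a phone 1h off the clock: " + skewed
                + " accepted=" + verify(device, skewed, now));                                    // false
    }
}
```

Two design points worth noting for the original question. First, the "vulnerability" of a time-based code is not that the algorithm is public (it is a published RFC); the security rests entirely on the per-device secret staying on the phone and the server, so the secret must be generated with a cryptographic RNG and stored server-side with the same care as a password hash store. Second, the `lastAcceptedStep` guard and the small drift window are what keep a code that someone shoulder-surfed from being reusable: a code is only good for its 30-second slot and only once. Hard-coded password lists in both apps, as the question proposes, fail on both counts, since every device shares the same list and nothing expires.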