This is the setup. You have a regular web application. To do a certain transaction in that application, you would need an extra password. This password can either be sent through email, or the application's mobile app version can generate it for you, the latter meaning it can generate the password even if it is offline. Is it possible to do this? The only thing I can think of is to have a predefined hard-coded set of passwords in both the mobile app version and the web app, but this kind of thing is very vulnerable and has a high security risk.
Hardcoded passwords seem like a bad idea. Why does this need to work if the device is offline?
Read up on how the Google Authenticator app works; it sounds like that is similar to what you're asking. (I'm not actually sure if Authenticator needs to be online, but its documentation is sure to talk about that.) Maybe your web app can even leverage Authenticator.
Is it a password, or a token that will be used one time and then discarded? What are you really trying to do here? You want to authenticate the user? Why can't you use standard basic authentication over HTTPS?
Ulf Dittmer wrote:Read up on how the Google Authenticator app works; it sounds like that is similar to what you're asking. (I'm not actually sure if Authenticator needs to be online, but its documentation is sure to talk about that.) Maybe your web app can even leverage Authenticator.
I've used Authenticator for two-factor on my iPad when my iPad didn't have a network connection. Also, Authenticator doesn't work if your iPad time is horribly wrong, which shows that the number is being determined based on the time as one of the factors (rather than requesting it from Google each time).
Andrea: The token ("extra password") is the second part of two-factor authentication. The mobile app generating it makes sense. It is a "thing you have." You could roll your own. Have a unique number generated when the user first sets up the mobile app. Then use that number and other factors like the time to generate a token value that is only valid for a short time. As long as your server knows that app's number and the algorithm, it can check that the token is right. Another alternative is to use a set of randomly generated values that the mobile app stores and your server knows about. Google two-factor also has that. I have a bunch stored in case my iPad breaks and something happens to my phone at the same time. Horrible luck, I know, but I'd certainly want to be able to get into my email if that happened!
Jeanne: So how would the main app sync its algorithm with the algorithm in the mobile app for the main app to recognize the password as valid? The only way I can see this is passwords computed based on the current time. The thing is, this is still vulnerable and could easily be hacked. Can Google generate the extra password even if their mobile app is offline?