Can anyone recommend a good second factor authentication solution? What I mean is, in addition to username/password - the user would also be required to enter in a generated pin off of a hard token (keyfob, whatever you call it) that they carry with them.
I am looking for something that can be easily integrated into Tomcat/J2EE. I know RSA SecurID has a component that works with Apache 2.0 but I would like one that integrates with Java so I can "control" it better.
Well, there are so many techniques that can qualify for second factor authentication. Broadly speaking, if cost is not a problem then you can go for biometrics, smartcard etc., which can be easily plugged in with the help of JAAS.
OK so I think this means issuing a client certificate that users will import into their browser? Is that right? Please tell me if the following is way off:
1) I create a CA (using OpenSSL)
2) Create a client certificate using OpenSSL and sign it with my own little CA from step 1.
3) Give the client the certificate which they import into their browser.
4) Add the CA I created in step 1 to my "trustStore" or whatever it is called on Apache.
If the above is correct, will every certificate I issue have its own serial number or Distinguished Name or both?
How do I revoke a client who claims to have lost their client certificate or who I no longer want accessing my server?
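
The four steps above, plus revocation, carried through with the OpenSSL command line, as an added example that is not part of the original thread. The directory layout, the function names and the users alice and bob are constructed for illustration; each certificate gets its own serial number and its own Distinguished Name.

```shell
# Constructed demo PKI; every name, subject and path here is made up.
set -e
make_ca() {                        # $1 = existing, empty working directory
    : > "$1/index.txt"; echo 1000 > "$1/serial"   # cert database, next serial (hex)
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
new_certs_dir = $1
serial = $1/serial
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = pol
x509_extensions = client
[ pol ]
commonName = supplied
[ client ]
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
x509_extensions = root
[ dn ]
[ root ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -subj "/CN=Demo Client CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
issue_client() {                   # $1 = CA dir, $2 = user name (becomes the CN)
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
revoke_client() {                  # flag the cert in index.txt, then republish the CRL
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
client_ok() {                      # status 0 only if signed by the CA and not on the CRL
    cat "$1/ca.crt" "$1/crl.pem" > "$1/trust.pem"
    openssl verify -crl_check -CAfile "$1/trust.pem" "$1/$2.crt" >/dev/null 2>&1
}
serial_of() { openssl x509 -noout -serial -in "$1/$2.crt"; }
d=$(mktemp -d); make_ca "$d"; issue_client "$d" alice; issue_client "$d" bob
revoke_client "$d" alice           # alice reports her certificate lost
for u in alice bob; do client_ok "$d" "$u" && echo "$u accepted" || echo "$u rejected"; done
```

A revoked certificate still chains to the CA, so the server must load the current `crl.pem` alongside `ca.crt` and be configured to check it. For browser import, the user's key and certificate can be bundled with `openssl pkcs12 -export`.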