
Second Factor Authentication Solution

 
James Ellis
Ranch Hand
Posts: 205
Can anyone recommend a good second factor authentication solution? What I mean is, in addition to username/password - the user would also be required to enter in a generated pin off of a hard token (keyfob, whatever you call it) that they carry with them.

I am looking for something that can be easily integrated into Tomcat/J2EE. I know RSA SecurID has a component that works with Apache 2.0 but I would like one that integrates with Java so I can "control" it better.

Any recommendations?
 
Set Cruz
Greenhorn
Posts: 26
I suggest PKI
 
James Ellis
Ranch Hand
Posts: 205
Isn't that kind of broad? I mean technically just using SSL is using PKI (each client's browser grabs the server's public key which is signed by the CA and encrypts an SSL session).

If you mean "I would suggest SSL", then this doesn't provide a second factor authentication.

Could you be more specific?
 
K Aditi
Ranch Hand
Posts: 89
Well, there are so many techniques that can qualify for second factor authentication. Broadly speaking, if cost is not a problem then you can go for biometrics, smartcards etc., which can be easily plugged in with the help of JAAS.
 
Set Cruz
Greenhorn
Posts: 26
More specifically pkcs11/2-way-SSL
cheers
 
James Ellis
Ranch Hand
Posts: 205
More specifically pkcs11/2-way-SSL
cheers


OK so I think this means issuing a client certificate that users will import into their browser? Is that right? Please tell me if the following is way off:

1) I create a CA (using openSSL)
2) Create a client certificate using openSSL and sign it with my own little CA from step 1.
3) Give the client the certificate which they import into their browser.
4) Add the CA I created in step 1 to my "trustStore" or whatever it is called on Apache.

If the above is correct, will every certificate I issue have its own serial number or Distinguished Name or both?

How do I revoke a client who claims to have lost their client certificate or who I no longer want accessing my server?
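The four steps above and the two follow-up questions, worked through as an added example (not code from the thread or from any poster): every certificate the CA issues gets its own serial number from the CA's `serial` file, the Distinguished Name is simply whatever the request carried, and revocation is done by marking the certificate in the CA database and publishing a CRL that the server must check. The CA name, the users alice and bob, and the file `ca.cnf` are assumptions.

```shell
# Added example (not from the thread): a tiny openssl CA that issues per-user client certs and revokes one via CRL; all names are hypothetical.
set -e
WORK="${WORK:-$(mktemp -d)}" && cd "$WORK"
mkdir -p newcerts && : > index.txt && echo 1000 > serial   # CA database and first serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
# Step 1: CA key and self-signed root certificate, plus an initially empty CRL.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 \
  -subj "/CN=Demo Client CA" -config ca.cnf -extensions v3_ca 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
# Step 2: one certificate per user, signed by the CA; the serial is taken from ./serial.
issue_client() {  # $1 = username -> writes $1.key and $1.crt
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ca.cnf 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
# Revocation: mark the certificate in index.txt and publish a fresh CRL for the server.
revoke_client() {
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
# Exits 0 while the cert chains to ca.crt and is absent from ca.crl, non-zero otherwise.
is_valid() { openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1; }
```

For step 3, `openssl pkcs12 -export -in alice.crt -inkey alice.key -out alice.p12` produces the bundle a browser imports; for step 4 in Tomcat the CA certificate goes into the connector's `truststoreFile` with `clientAuth="true"`. The server must also be given the CRL (Tomcat's connector takes it via `crlFile`), otherwise a revoked certificate keeps being accepted until it expires.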
 