Offline Password Generator

Andres Delrotti, Ranch Hand, Posts: 178
Hello,

This is the setup. You have a regular web application. To do a certain transaction in that application, you would need an extra password. This password can either be sent through email, or the application's mobile app version can generate it for you. The latter means it can generate the password even if it is offline. Is it possible to do this? The only thing I can think of is to have a predefined hard-coded set of passwords in both the mobile app version and the web app, but this kind of thing is very vulnerable and has a high security risk.
Ulf Dittmer, Rancher, Posts: 43081
Hardcoded passwords seem like a bad idea. Why does this need to work if the device is offline?

Read up on how the Google Authenticator app works; it sounds like that is similar to what you're asking. (I'm not actually sure if Authenticator needs to be online, but its documentation is sure to talk about that.) Maybe your web app can even leverage Authenticator.
Rancher, Posts: 2759
Is it a password, or a token that will be used one time and then discarded? What are you really trying to do here? You want to authenticate the user? Why can't you use standard basic authentication over HTTPS?
Jeanne Boyarsky, author & internet detective, Posts: 41860

Ulf Dittmer wrote:Read up on how the Google Authenticator app works; it sounds like that is similar to what you're asking. (I'm not actually sure if Authenticator needs to be online, but its documentation is sure to talk about that.) Maybe your web app can even leverage Authenticator.


I've used Authenticator for two-factor on my iPad when my iPad didn't have a network connection. Also, Authenticator doesn't work if your iPad's time is horribly wrong, which shows that the number is being determined based on the time as one of the factors (rather than requesting it from Google each time).

Andres: The token ("extra password") is the second part of two-factor authentication. The mobile app generating it makes sense. It is a "thing you have." You could roll your own. Have a unique number generated when the user first sets up the mobile app. Then use that number and other factors, like the time, to generate a token value that is only valid for a short time. As long as your server knows that app's number and the algorithm, it can check that the token is right. Another alternative is to use a set of randomly generated values that the mobile app stores and your server knows about. Google two-factor also has that. I have a bunch stored in case my iPad breaks and something happens to my phone at the same time. Horrible luck, I know, but I'd certainly want to be able to get into my email if that happened!
Andres Delrotti, Ranch Hand, Posts: 178
Jeanne: So how would the main app sync its algorithm with the algorithm in the mobile app for the main app to recognize the password as valid? The only way I can see this is passwords computed based on the current time. The thing is, this is still vulnerable and could easily be hacked. Can Google generate the extra password even if their mobile app is offline?