Date: Sun, 24 Mar 2013 01:21:12 -0700
From: Doug Hardie <bc979@lafn.org>
To: Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com>
Cc: "freebsd-questions@freebsd.org List" <freebsd-questions@freebsd.org>
Subject: Re: Client Authentication
Message-ID: <15F2FFE1-C05D-4663-BCD6-58A893CA1C24@lafn.org>
In-Reply-To: <CAOgwaMveiex1x6DGoufcJQKwv8EvcSv2wnu_UyqAK9rgXt7BVw@mail.gmail.com>
References: <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <CAOgwaMvu+OC4PiPfNNwoj7aB+631Nt_=SwjFG9y89+avB6Mp9Q@mail.gmail.com> <8680FAB3-4943-4F91-935B-E11511C3FD4E@lafn.org> <CAOgwaMveiex1x6DGoufcJQKwv8EvcSv2wnu_UyqAK9rgXt7BVw@mail.gmail.com>
On 23 March 2013, at 22:59, Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com> wrote:

> The following steps may be another idea:
>
> Assume that you supply to your users a small login program prepared for them specifically (since you are using SSH):
>
> Compile that program for each user with a special identifier for him/her and ship this program to your user, and require that the login be performed by this program. This program will send a very long code to your system with the user password, which is only known to you and to your user. Since external users will not know this code, they will not be able to log in to their accounts by using only the password.
>
> This will also easily identify fake login trials: it is very obvious that to guess a very long code will require a large number of tries. If the code fails, it means that the login trial is from a fake user.
> If the password fails, a fixed number of trials may be allowed (the banks are allowing only TWO failed passwords; on the third, a new attempt can be made after 24 hours, in Turkey).
>
> This program may also additionally send a computer signature to your system, which was previously sent to you on subscription, computed by a program prepared by you.
>
> If the user changes or uses a different computer, he/she should supply a signature of the computer.
>
> Here, the important point is that you should always verify that you are communicating with the real user, not a faked user on behalf of the real user.
>
> For the stolen program/codes, prepare a new program and ship it to the user.

That's an interesting approach but becomes difficult to use when traveling as you have no idea what computer you will be able to use today until you get to it. Then you might have only a few minutes access to it before moving on.

> Another idea may be the following:
>
> Assume the user computer is NOT captured by a criminal bandit.
>
> On subscription, send to the user a square bar code printed on a card like a credit card, having a very long code specifically prepared for the user.
> On login, the user will show this card to the camera of the computer and it will be transmitted to your system. In your system, it will be decoded, and it will be used to identify the user with his/her password.
>
> If this application is used, it may not be necessary to send the users a special login program prepared for each of them.

This idea shows a lot of promise. I have to figure out how to tie it into mail, web etc. There is libqrencode for creating the QR images. I am downloading it now.

-- Doug
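The server-side check the thread sketches (long per-user card code plus password, with the "two failed passwords, then wait 24 hours" rule), as an added example that is not code from either poster or from libqrencode. It assumes the code printed in the QR card has already been decoded to a string client-side; the `CardLogin` class, its return labels and the 24-hour/2-failure constants are this example's own choices.

```python
import hashlib
import hmac
import os
import secrets
import time

MAX_PASSWORD_FAILURES = 2          # the "two failed passwords" rule quoted in the thread
LOCKOUT_SECONDS = 24 * 60 * 60     # third attempt only after 24 hours


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash for the low-entropy secret (the password)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class CardLogin:
    """Per-user record: salted password hash plus a hash of the long card code."""

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, password: str) -> str:
        # High-entropy code to print into the QR card; only its hash is stored
        card_code = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "code_hash": hashlib.sha256(card_code.encode()).digest(),
            "failures": 0,
            "locked_until": 0.0,
        }
        return card_code

    def login(self, username: str, password: str, card_code: str, now: float = None) -> str:
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            return "fake"                      # unknown user: treat like a wrong code
        if now < rec["locked_until"]:
            return "locked"
        # Card code is checked first: the real user always has it, so a mismatch
        # is a fake login trial and does not count against the password limit.
        presented = hashlib.sha256(card_code.encode()).digest()
        if not hmac.compare_digest(presented, rec["code_hash"]):
            return "fake"
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_PASSWORD_FAILURES:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                rec["failures"] = 0
            return "bad_password"
        rec["failures"] = 0
        return "ok"
```

Constant-time comparison and hashing the stored card code mean a leaked user table does not hand out the codes themselves.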