Date:      Sun, 24 Mar 2013 01:21:12 -0700
From:      Doug Hardie <>
To:        Mehmet Erol Sanliturk <>
Cc:        " List" <>
Subject:   Re: Client Authentication
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>


On 23 March 2013, at 22:59, Mehmet Erol Sanliturk <> wrote:

> The following steps may be another idea:
> Assume that you supply to your users a small login program prepared for them specifically (since you are using SSH):
> Compile that program for each user with a special identifier for him/her and ship this program to your user, and require that the login will be performed by this program. This program will send a very long code to your system with the user password, which is only known to you and to your user. Since external users will not know this code, they will not be able to log in to their accounts by using only the password.
> This will also easily identify fake login trials: it is very obvious that to estimate a very long code will require a large number of tries. If the code fails, it means that the login trial is from a fake user.
> If the password fails, it may be allowed a fixed number of trials (the banks are allowing only TWO failed passwords; on the third, a new attempt can be made after 24 hours, in Turkey).
> This program may also additionally send a computer signature to your system, which was previously sent to you on subscription, computed by a program prepared by you.
> If the user changes / or uses a different computer, he/she should supply a signature of the computer.
> Here, the important point is that you should always verify that you are communicating with the real user, not a faked user on behalf of the real user.
> For stolen programs/codes, prepare a new program and ship it to the user.

That's an interesting approach, but it becomes difficult to use when traveling, as you have no idea what computer you will be able to use today until you get to it. Then you might have only a few minutes' access to it before moving on.

> Another idea may be the following:
> Assume the user computer is NOT captured by a criminal bandit.
> On subscription, send to the user a square bar code printed on a card like a credit card, having a very long code specifically prepared for the user.
> On login, the user will show this card to the camera of the computer and it will be transmitted to your system. In your system, it will be decoded, and it will be used to identify the user with his/her password.
> If this application is used, it may not be necessary to send the users a special login program prepared for each of them.

This idea shows a lot of promise. I have to figure out how to tie it into mail, web etc. There is libqrencode for creating the QR images. I am downloading it now.

-- Doug
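As an added example, not code from either message in this thread or from libqrencode: the server side of the "long code on a card plus password" login that Mehmet proposes and Doug is evaluating, in Python. The QR step itself is left out; it assumes the QR image the user holds up to the camera decodes to the opaque string that `issue_card_code()` returns. The function and field names (`issue_card_code`, `enroll`, `verify_login`, `UserRecord`) and the PBKDF2 parameters are assumptions, as is the decision to count attempts with a wrong card separately from the password lockout the thread describes.

```python
# Added example (not code from this thread): server-side verification of the
# card-code-plus-password login. The card payload is assumed to decode to the
# string returned by issue_card_code(); all names here are assumptions.
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Policy from the thread: two failed passwords are tolerated, the third locks
# the account for 24 hours.
MAX_PASSWORD_FAILURES = 2
LOCKOUT_SECONDS = 24 * 3600
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the server


def issue_card_code(nbytes: int = 32) -> str:
    """Generate the long per-user secret to be printed on the card as a QR code.

    256 random bits rendered as unpadded base32 (52 characters): compact,
    alphanumeric, and far too long to guess by trying codes.
    """
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen user database reveals neither card codes nor passwords."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    """What the server keeps per user: only hashes, never the secrets themselves."""
    pw_salt: bytes
    password_hash: bytes
    card_salt: bytes
    card_hash: bytes
    password_failures: int = 0  # consecutive failed passwords presented with a valid card
    card_failures: int = 0      # attempts without the right card: the "fake login trials"
    locked_until: float = 0.0   # unix time until which logins are refused


def enroll(password: str, card_code: str) -> UserRecord:
    """Called once on subscription, after the card has been issued to the user."""
    pw_salt, card_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return UserRecord(
        pw_salt=pw_salt,
        password_hash=_hash_secret(password, pw_salt),
        card_salt=card_salt,
        card_hash=_hash_secret(card_code, card_salt),
    )


def verify_login(user: UserRecord, card_code: str, password: str, now: float) -> str:
    """Check one login attempt; returns "ok", "locked", "bad_card" or "bad_password".

    card_code is whatever the server decoded from the QR image; now is the
    current unix time, passed in so the lockout logic can be tested.
    """
    if now < user.locked_until:
        return "locked"

    # Compute both hashes before branching so a wrong card and a wrong password
    # cost the same time, and compare each in constant time.
    card_ok = hmac.compare_digest(_hash_secret(card_code, user.card_salt), user.card_hash)
    pw_ok = hmac.compare_digest(_hash_secret(password, user.pw_salt), user.password_hash)

    if not card_ok:
        # Without the card the attempt cannot come from the subscribed user.
        # A 256-bit code is not guessable, so no lockout is applied here; the
        # counter exists because these are the events worth alerting on.
        user.card_failures += 1
        return "bad_card"

    if not pw_ok:
        user.password_failures += 1
        if user.password_failures > MAX_PASSWORD_FAILURES:
            user.locked_until = now + LOCKOUT_SECONDS
            user.password_failures = 0
            return "locked"
        return "bad_password"

    user.password_failures = 0
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: enroll a user, then try the card with a bad password three times.
    card = issue_card_code()
    user = enroll("correct horse", card)
    for t in (0.0, 1.0, 2.0):
        print(t, verify_login(user, card, "wrong password", now=t))
    print("24h later:", verify_login(user, card, "correct horse", now=2.0 + LOCKOUT_SECONDS))
```

Doug's concern about traveling applies unchanged: the card replaces the per-user program, but the user still needs a computer with a camera and a client that can ship the decoded code to the server, and the server must treat the card code as a second factor, never as a replacement for the password.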
