-
Nov 7th, 2019, 12:50 PM
#1
Thread Starter
Lively Member
two factor authentication
Hi.
I have to implement two-factor authentication in my vb6 application. Can it be done? Any suggestions are welcome.
Thanks
-
Nov 7th, 2019, 12:57 PM
#2
Hyperactive Member
Re: two factor authentication
What type of 2FA are you doing? SMS? Security Token? Authy? etc
-
Nov 8th, 2019, 05:56 AM
#3
Thread Starter
Lively Member
Re: two factor authentication
Thanks for your answer.
I have a difficult scenario. My desktop application works in a closed network, ie not connected to the internet. Maybe I could use users' cell phones so I can imagine using them with text messages.
Thanks
-
Nov 8th, 2019, 06:47 AM
#4
Re: two factor authentication
Please remember next time...elections matter!
-
Nov 8th, 2019, 08:01 AM
#5
Re: two factor authentication
Originally Posted by oldVBDev
Thanks for your answer.
I have a difficult scenario. My desktop application works in a closed network, ie not connected to the internet. Maybe I could use users' cell phones so I can imagine using them with text messages.
Thanks
Well, if it's not connected to the outside world, isn't that going to make things a bit more difficult for 2FA? How are you going to get the text message out? I don't think that's going to work. You could probably try Google Authenticator and OAuth. Once the server knows the login and the current time, can run the algorithim that calculates what the GA token should be, the user then opens their GA app on their phone and enters the code that's displayed there... it should match what the server/app calculated.
-tg
-
Nov 8th, 2019, 09:43 AM
#6
Re: two factor authentication
Originally Posted by oldVBDev
Thanks for your answer.
I have a difficult scenario. My desktop application works in a closed network, ie not connected to the internet. Maybe I could use users' cell phones so I can imagine using them with text messages.
Thanks
If you application is only running in a closed network will adding two factor authentication make much difference? For anyone to log on they have already gained physical access to your network and obtained a valid username and password.
-
Nov 11th, 2019, 11:55 AM
#7
Thread Starter
Lively Member
Re: two factor authentication
Thank you all for your reply.
Techgnome yours are good suggestions. I will see if they can be prosecuted.
PlausiblyDamp.
What you say is true.
However, physical access to the PC running my application is very limited.
I hypothesize some remote attempt that I cannot block.
-
Nov 11th, 2019, 10:50 PM
#8
Re: two factor authentication
Without Internet access your options are probably things like biometric devices (fingerprint scanner, camera and image processing, etc.) or "security token" products. The latter range from smartcard and USB "keys" to disconnected keyfob units that present a long number to type in. The "type in" ones usually require an accurate clock if the PCs are not connected to the Internet, and some USB "keys" may as well.
Phone texting, email, etc. almost always mean you need these PCs to have an Internet connection.
-
Nov 11th, 2019, 10:54 PM
#9
Re: two factor authentication
A home brew "el cheapo" option might be to create an encrypted "token string" that doesn't change. Place that on a USB flash drive.
Your program could look for USB flash drive devices and check their root directories for a given file containing the encrypted token. It could then use the Public Key for the encryption to extract the "token" and verify it.
This has weaknesses of course, but it is fairly cheap and easy.
-
Nov 12th, 2019, 02:40 AM
#10
Addicted Member
Re: two factor authentication
If you can connect to GSM network may be through a USB modem, you can send text messages via AT commands.
-
Nov 12th, 2019, 09:56 AM
#11
Thread Starter
Lively Member
Re: two factor authentication
I thank you all. They are all good ideas. I'll study them all, let's see if I take something good out.
-
Nov 12th, 2019, 10:05 AM
#12
Thread Starter
Lively Member
Re: two factor authentication
I'm thinking of the suggestion of "dilettant".
I could create an encrypted string which is generated with some PC data where my application runs.
Thus it cannot be carried on other PCs.
When installing the application it generated it and I copy it to the app folder and to the usb device.
When the user logs in, before comparing the string on the usb with the one in the application folder, I verify that it was generated on that pc.
What do you think about it?
Thanks
-
Nov 12th, 2019, 10:15 AM
#13
Re: two factor authentication
Who's your attacker? If the computer isn't connected to the Internet, it must be someone with a physical presence at the computer.
The computer requires users to login, so it must be someone that is authorized to log in to the computer but not authorized to use your application (yet still able to see and launch it), correct?
So if they are authorized to use the computer, what is stopping them from getting the secret file from the application folder? Is the environment so hostile that this is necessary?
-
Nov 12th, 2019, 11:45 AM
#14
Thread Starter
Lively Member
Re: two factor authentication
Hi jbpro
But the USB stick would keep it only authorized to launch the application.
No the environment is not so hostile, but the client asked me for an excess of precaution and since it is he who pays me I have to do so.
-
Nov 12th, 2019, 11:59 AM
#15
Re: two factor authentication
1) Did they add this requirement at the end? Or was it always a requirement?
2) If it was tacked on at the end, did they add more time and more money to the budget?
3) If neither of those things happened in #2, it is OK to say "no"... believe it or not, clients will ask for the most ridiculous things sometimes if they think they can get away with it for free. If they're not adding to the budget for this crazy add-on requirement (which is called scope creep by the way, and is a very real thing that happens all the time) ... then they'll keep doing it and keep doing it and keep doing it... It's perfectly fine to tell clients "no" on a requirement, and then to explain why. I've done it before... and not on just small projects, but on large multi-million dollar projects. Sometimes I can get them to understand reason and talk them out of it, sometimes I'm not. But as long as I tried ... and get the budget expanded...
-tg
-
Nov 12th, 2019, 12:19 PM
#16
Re: two factor authentication
Another option might be to install and use a badge/card reader for logging in either to Windows or for your application.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|