Thread: two factor authentication

  1. #1

    Thread Starter
    Lively Member oldVBDev's Avatar
    Join Date
    Aug 2018
    Posts
    72

    two factor authentication

    Hi.
    I have to implement two-factor authentication in my vb6 application. Can it be done? Any suggestions are welcome.
    Thanks

  2. #2
    Hyperactive Member
    Join Date
    Mar 2018
    Posts
    460

    Re: two factor authentication

    What type of 2FA are you doing? SMS? Security Token? Authy? etc

  3. #3

    Thread Starter
    Lively Member oldVBDev's Avatar
    Join Date
    Aug 2018
    Posts
    72

    Re: two factor authentication

    Thanks for your answer.
    I have a difficult scenario. My desktop application works in a closed network, ie not connected to the internet. Maybe I could use users' cell phones so I can imagine using them with text messages.
    Thanks

  4. #4
    Wall Poster TysonLPrice's Avatar
    Join Date
    Sep 2002
    Location
    Columbus, Ohio
    Posts
    3,834

    Re: two factor authentication

    Is email an option?
    Please remember next time...elections matter!

  5. #5
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,531

    Re: two factor authentication

    Quote Originally Posted by oldVBDev
    Thanks for your answer.
    I have a difficult scenario. My desktop application works in a closed network, ie not connected to the internet. Maybe I could use users' cell phones so I can imagine using them with text messages.
    Thanks

    Well, if it's not connected to the outside world, isn't that going to make things a bit more difficult for 2FA? How are you going to get the text message out? I don't think that's going to work. You could probably try Google Authenticator and OAuth. Once the server knows the login and the current time, it can run the algorithm that calculates what the GA token should be, the user then opens their GA app on their phone and enters the code that's displayed there... it should match what the server/app calculated.

    -tg
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *
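
The check described in post #5, where the server computes the expected code from a shared secret and the current time, is TOTP (RFC 6238), the algorithm Google Authenticator implements; it needs no network, only a reasonably accurate clock. The following is an added example, not part of the original post and written in Python rather than VB6; the function names, the one-step drift window and the replay guard are choices made for this example.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step (the Google Authenticator default)
DIGITS = 6    # length of the code shown on the phone


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // STEP, digits)


def verify(secret: bytes, submitted: str, at: float,
           window: int = 1, last_used: int = -1):
    """Return the matching time-step counter, or None.

    window    -- steps of clock drift tolerated either side of 'now'
    last_used -- counter of the last accepted code for this user; codes at
                 or before it are refused so a code cannot be replayed
    """
    now = int(at) // STEP
    matched = None
    for counter in range(now - window, now + window + 1):
        if counter <= last_used:
            continue
        expected = hotp(secret, counter).encode()
        # Constant-time comparison; no early exit on a match.
        if hmac.compare_digest(expected, submitted.encode()):
            matched = counter
    return matched


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, not for real use
    print(totp(demo_secret, 59))           # code for Unix time 59
```

The server stores the per-user secret (the phone app is given the same secret, base32-encoded, at enrolment) and saves the counter returned by `verify` as that user's new `last_used`.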

  6. #6
    PowerPoster PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Pontypool, Wales
    Posts
    2,458

    Re: two factor authentication

    Quote Originally Posted by oldVBDev
    Thanks for your answer.
    I have a difficult scenario. My desktop application works in a closed network, ie not connected to the internet. Maybe I could use users' cell phones so I can imagine using them with text messages.
    Thanks

    If your application is only running in a closed network will adding two factor authentication make much difference? For anyone to log on they have already gained physical access to your network and obtained a valid username and password.

  7. #7

    Thread Starter
    Lively Member oldVBDev's Avatar
    Join Date
    Aug 2018
    Posts
    72

    Re: two factor authentication

    Thank you all for your reply.
    Techgnome yours are good suggestions. I will see if they can be prosecuted.
    PlausiblyDamp.
    What you say is true.
    However, physical access to the PC running my application is very limited.
    I hypothesize some remote attempt that I cannot block.

  8. #8
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: two factor authentication

    Without Internet access your options are probably things like biometric devices (fingerprint scanner, camera and image processing, etc.) or "security token" products. The latter range from smartcard and USB "keys" to disconnected keyfob units that present a long number to type in. The "type in" ones usually require an accurate clock if the PCs are not connected to the Internet, and some USB "keys" may as well.

    Phone texting, email, etc. almost always mean you need these PCs to have an Internet connection.

  9. #9
    PowerPoster
    Join Date
    Feb 2006
    Posts
    24,482

    Re: two factor authentication

    A home brew "el cheapo" option might be to create an encrypted "token string" that doesn't change. Place that on a USB flash drive.

    Your program could look for USB flash drive devices and check their root directories for a given file containing the encrypted token. It could then use the Public Key for the encryption to extract the "token" and verify it.

    This has weaknesses of course, but it is fairly cheap and easy.

  10. #10
    Addicted Member
    Join Date
    Jun 2018
    Posts
    189

    Re: two factor authentication

    If you can connect to a GSM network, maybe through a USB modem, you can send text messages via AT commands.

  11. #11

    Thread Starter
    Lively Member oldVBDev's Avatar
    Join Date
    Aug 2018
    Posts
    72

    Re: two factor authentication

    I thank you all. They are all good ideas. I'll study them all, let's see if I take something good out.

  12. #12

    Thread Starter
    Lively Member oldVBDev's Avatar
    Join Date
    Aug 2018
    Posts
    72

    Re: two factor authentication

    I'm thinking of the suggestion of "dilettant".
    I could create an encrypted string which is generated with some PC data where my application runs.
    Thus it cannot be carried on other PCs.
    When installing the application, it generates it and I copy it to the app folder and to the USB device.
    When the user logs in, before comparing the string on the USB with the one in the application folder, I verify that it was generated on that PC.
    What do you think about it?
    Thanks

  13. #13
    PowerPoster
    Join Date
    Aug 2010
    Location
    Canada
    Posts
    2,412

    Re: two factor authentication

    Who's your attacker? If the computer isn't connected to the Internet, it must be someone with a physical presence at the computer.

    The computer requires users to login, so it must be someone that is authorized to log in to the computer but not authorized to use your application (yet still able to see and launch it), correct?

    So if they are authorized to use the computer, what is stopping them from getting the secret file from the application folder? Is the environment so hostile that this is necessary?
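
An added example (not part of any post in this thread, and in Python rather than VB6) of the machine-bound USB token proposed in #12, arranged so that the file in the application folder, which #13 points out a logged-in user could read, is only a verifier and not a copy of the token. The function names and the `machine_id` parameter are assumptions; how the application reads a stable identifier from the PC is left to the caller.

```python
import hashlib
import hmac
import secrets

TOKEN_LEN = 32
SALT_LEN = 16


def _mac(token: bytes, salt: bytes, machine_id: str) -> bytes:
    # HMAC keyed by the USB token: the output cannot be turned back into
    # the token, so it is safe to keep next to the application.
    msg = salt + machine_id.encode("utf-8")
    return hmac.new(token, msg, hashlib.sha256).digest()


def enroll(machine_id: str):
    """Run once at install time. Returns (usb_token, app_record).

    usb_token  -- random secret, written to the USB stick only
    app_record -- salt + MAC, written to the application folder
    """
    token = secrets.token_bytes(TOKEN_LEN)
    salt = secrets.token_bytes(SALT_LEN)
    return token, salt + _mac(token, salt, machine_id)


def check(usb_token: bytes, app_record: bytes, machine_id: str) -> bool:
    """Run at login. machine_id must be read from the PC itself, not a file."""
    if len(usb_token) != TOKEN_LEN or len(app_record) != SALT_LEN + 32:
        return False
    salt, expected = app_record[:SALT_LEN], app_record[SALT_LEN:]
    actual = _mac(usb_token, salt, machine_id)
    return hmac.compare_digest(actual, expected)  # constant-time compare


if __name__ == "__main__":
    token, record = enroll("PC-A")          # constructed machine ID
    print(check(token, record, "PC-A"))     # stick on the enrolled PC
    print(check(token, record, "PC-B"))     # same stick and record elsewhere
    print(check(record[SALT_LEN:], record, "PC-A"))  # app-folder data as token
```

Anyone who copies the file off the USB stick can still pass the check on that PC; this layout only stops the application-folder file from standing in for the stick.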

  14. #14

    Thread Starter
    Lively Member oldVBDev's Avatar
    Join Date
    Aug 2018
    Posts
    72

    Re: two factor authentication

    Hi jbpro
    But the USB stick would keep it only authorized to launch the application.
    No the environment is not so hostile, but the client asked me for an excess of precaution and since it is he who pays me I have to do so.

  15. #15
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,531

    Re: two factor authentication

    1) Did they add this requirement at the end? Or was it always a requirement?
    2) If it was tacked on at the end, did they add more time and more money to the budget?
    3) If neither of those things happened in #2, it is OK to say "no"... believe it or not, clients will ask for the most ridiculous things sometimes if they think they can get away with it for free. If they're not adding to the budget for this crazy add-on requirement (which is called scope creep by the way, and is a very real thing that happens all the time) ... then they'll keep doing it and keep doing it and keep doing it... It's perfectly fine to tell clients "no" on a requirement, and then to explain why. I've done it before... and not on just small projects, but on large multi-million dollar projects. Sometimes I can get them to understand reason and talk them out of it, sometimes I can't. But as long as I tried ... and get the budget expanded...



  16. #16
    PowerPoster jdc2000's Avatar
    Join Date
    Oct 2001
    Location
    Idaho Falls, Idaho USA
    Posts
    2,393

    Re: two factor authentication

    Another option might be to install and use a badge/card reader for logging in either to Windows or for your application.
