用户名/密码之外的安全性? [英] Security Beyond a Username/Password?

问题描述

我有一个Web应用程序，其安全性要求超过普通Web应用程序.当任何用户访问域名时，他们会看到两个文本字段，即用户名字段和密码字段.如果他们输入有效的用户/密码，则可以访问Web应用程序.标准的东西.

I have a webapp that requires security beyond that of a normal web application. When any user visits the domain name, they are presented with two text fields, a username field, and a password field. If they enter a valid user/pass, they get access to the web application. Standard stuff.

但是，我正在寻找除此标准设置之外的其他安全性.理想情况下，这将是一个软件解决方案，但是我也愿意接受硬件解决方案(硬件=密钥卡)，甚至可以进行程序更改(例如，一次在密码键盘上使用密码).

However, I'm looking for additional security beyond this standard setup. Ideally it would be a software solution, but I'm also open for hardware solution as well (hardware=key fobs), or even procedural changes (one time use passwords on a password pad for example).

Webapp的独特之处在于我们提前认识了所有用户，我们创建了他们的用户名和密码并将其提供给他们.从这个意义上讲，我们可以确保用户名和密码是"strong".

The webapp is unique in that we know all our users ahead of time, and we create their username and password and give it to them. In this sense, we can be assured that the username and password are "strong".

但是，我们的客户已要求除此以外的其他安全措施.任何人都对如何增加安全性的另一层复杂性有任何想法?

However, our clients have requested additional security beyond this. Anyone have any ideas on how to add another layer of complexity to the security?

推荐答案

我们公司使用 PhoneFactor ，我们绝对喜欢它.

Our company used PhoneFactor and we absolutely love it.

我们过去也曾使用过安全字令牌.

但是，这并不是本书中唯一的游戏.我将从首先搜索"两个因素开始身份验证"

However, it's notthe only game in the book. I'd start by googling "Two factor authentication"

OWASP身份验证指南是另一个不错的起点.实际上，OWASP是我要寻找任何网络安全问题的第一位.

The OWASP guide to authentication is another good place to start. Actually, OWASP is the first place I'd look for ANY web security question.

这篇关于用户名/密码之外的安全性?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！