Setting up 2 factor authentication


Problem description

We are in the process of building a new website which we want to lock down to specific computers to only allow access, then once the PC is authenticated we will do our in-built user authentication.

Also, when a PC is known, we don't really want anything on the PC which can be easily transferred (by the client) onto another PC in order to gain access to the website.

Please can anyone give us an idea on the best way to achieve this 'lock down', we don't really want to go down the AD route and have loads of extra user data to maintain.

Thanks in advance. Richard

Recommended answer

IP and MAC addresses are trivial to spoof. Without Trusted Computing, there is nothing you can really trust to authenticate a PC. What you need to figure out is what can you do that gets you an acceptable level of trust. Here's what we have done with our "locked" tokens: They take some info from the PC and hash it and send that hash to the auth server. Any request for an OTP then needs to be accompanied by that hash. It's not perfect, but it also handles mutual https authentication, so it thwarts network-based MITM attacks too. If the token is stolen, the attacker must also know what info to spoof and spoof it. Again, it's not perfect, but better than nothing given the current state of PC security. http://www.wikidsystems.com/downloads/token-clients and our SourceForge page: http://sourceforge.net/projects/wikid-twofactor/
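The device-bound token check described in the answer above, as an added sketch that is not part of the original answer and not WiKID's code. The attribute names, `device_hash`, `AuthServer` and the random six-digit OTP are assumptions made for illustration; the attributes are reported by the client, so the check carries the limits the answer states.

```python
import hashlib
import hmac
import secrets

def device_hash(token_id: str, attributes: dict) -> str:
    """Client side: hash the token id plus PC attributes in a canonical order."""
    h = hashlib.sha256()
    fields = [token_id] + [f"{k}={attributes[k]}" for k in sorted(attributes)]
    for field in fields:
        data = field.encode("utf-8")
        # Length prefix so ("ab", "c") and ("a", "bc") cannot hash the same.
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

class AuthServer:
    """Server side: stores the hash seen at enrollment, checks it on each OTP request."""

    def __init__(self):
        self._enrolled = {}  # token_id -> device hash recorded at enrollment

    def enroll(self, token_id: str, dev_hash: str) -> None:
        self._enrolled[token_id] = dev_hash

    def request_otp(self, token_id: str, dev_hash: str):
        expected = self._enrolled.get(token_id)
        if expected is None:
            return None  # unknown token
        if not hmac.compare_digest(expected.encode(), dev_hash.encode()):
            return None  # token presented from a PC whose attributes differ
        # Stand-in for real OTP issuance (assumption, not a real OTP scheme).
        return f"{secrets.randbelow(10**6):06d}"

# Constructed sample attributes for two different PCs (hypothetical values).
PC_A = {"machine_id": "A-1111", "disk_serial": "WD-0001", "os": "Windows"}
PC_B = {"machine_id": "B-2222", "disk_serial": "ST-0002", "os": "Windows"}

def demo():
    server = AuthServer()
    server.enroll("token-1", device_hash("token-1", PC_A))
    same_pc = server.request_otp("token-1", device_hash("token-1", PC_A))
    copied = server.request_otp("token-1", device_hash("token-1", PC_B))
    return same_pc, copied  # OTP string for the enrolled PC, None for the copy

if __name__ == "__main__":
    print(demo())
```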
