Ok so I need 2 of the 3.
Something the user knows.
Something the user has.
Something the user is.
I have a system that is exposed to the internet and we need clients to connect in a secure manner to satisfy our security standards.
I’m thinking when a user registers to use our system we send them an application that they install on their home system. The application generates a key based on a timed randomness algorithm. Our application server has the same algorithm so when the user submits their credentials with the key we know that they are a legitimate user.
Is this a valid method of 2 factor authentication?
What is another way of doing this?
Are there any pitfalls that I should be aware of?
Thanks for your help!
Yes, this is a valid method of performing two-factor authentication. The token security (the program on the computer) is of course only as safe as the computer is. If it's running Windows, all bets are off.
You can also go to RSA or other vendors and license their SecurID (or other brand) tokens, as well as the necessary middleware. It's a validated solution, and at the very least there is someone else to blame.
For time based systems, there is usually an allowed “window” where the token is valid (more than the roll-over point) to allow for time skew. You can also check with an NTP server (using SNTP, simple to implement) to get accurate time information.
As with all security systems, there are numerous pitfalls. They are very hard to get right. Be warned. Buy insurance 😉