
I'm planning to introduce two-factor authentication to my iPad application. Currently users log in to my app using a username and password. That username and password are validated by the back-end web server developed using .Net. If the user is authorized to log in then he can access the iPad application.

Now I want to introduce two-factor authentication to validate the user. I want to know what options we have here. Since we have the user's phone number with us I was thinking of sending a passcode to his phone each time he tries to log in to the iPad application. But the iPad doesn't support sending messages over the GSM/CDMA network. Is there a way to achieve this? (I thought about getting an SMS gateway from the local ISP and writing an SMS server. But it costs more.) A third-party module would be OK.

Jonas Lundgren
nath
  • I have seen that Dropbox supports 2FA. They provide two options, SMS or using a TOTP application like Duo Mobile, Google Authenticator etc. Anyone know how they have achieved it? – nath Jan 20 '14 at 05:12
  • Sending the SMS from the iPad would be a potential security hole - the OTP needs to be generated and sent by the server, otherwise there would be no way for the server to validate it. Alternatives are systems for generating OTPs - either software-based like Google Authenticator or additional hardware like an RSA token – rist Jan 24 '14 at 13:49

5 Answers


You can send an SMS to the mobile phone of the user with a code.

After that the user enters the code and the app validates the code by making a request to the server.

The SMS is sent after the user has successfully entered the username/password.

Another option (less expensive) is to send that code by email.

Miguel Chaves
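The server-side half of this answer is the part that matters for security: the code must be generated on the server (as rist's comment says), be short-lived, be usable only once, and have a bounded number of guesses, or a six-digit code is trivially brute-forced. The following is an added example, not code from this answer; it uses an in-memory store and a constructed `send_sms` stand-in (real deployments would call the SMS gateway or email provider here, and keep the pending codes in the database or cache instead of a dict).

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for the SMS gateway: messages are appended here instead of being sent.
SENT_MESSAGES = []


def send_sms(phone_number: str, text: str) -> None:
    """Hypothetical gateway call; a real deployment would call the SMS provider's API here."""
    SENT_MESSAGES.append((phone_number, text))


class OneTimeCodeStore:
    """Server-side pending codes: one per user, time-limited, single-use, attempt-limited."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5, digits: int = 6):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.digits = digits
        self._pending = {}  # username -> {"code": str, "expires": float, "attempts": int}

    def issue(self, username: str, phone_number: str, now: Optional[float] = None) -> str:
        """Generate and deliver a fresh code. Call this only after the password check passed.

        The code is returned to the calling login handler (e.g. for logging a hash of it);
        it must never be returned to the client, only delivered out of band.
        """
        now = time.time() if now is None else now
        # CSPRNG (secrets), never random.randint: the code is a credential.
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        # Issuing again replaces any earlier pending code, so only one is ever valid.
        self._pending[username] = {"code": code, "expires": now + self.ttl, "attempts": 0}
        send_sms(phone_number, f"Your login code is {code}. It expires in {self.ttl // 60} minutes.")
        return code

    def verify(self, username: str, submitted: str, now: Optional[float] = None) -> bool:
        """Check a submitted code; every failure path leaves the store in a safe state."""
        now = time.time() if now is None else now
        record = self._pending.get(username)
        if record is None:
            return False                               # nothing issued, or already consumed
        if now > record["expires"]:
            del self._pending[username]                # expired: user must request a new code
            return False
        record["attempts"] += 1
        # Constant-time comparison so timing does not leak how many leading digits matched.
        if hmac.compare_digest(record["code"], submitted):
            del self._pending[username]                # single use: a code never validates twice
            return True
        if record["attempts"] >= self.max_attempts:
            del self._pending[username]                # guess budget spent: force a re-issue
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice", "+1-555-0100")          # constructed phone number
    print("delivered:", SENT_MESSAGES[-1])
    print("first try:", store.verify("alice", code))    # True
    print("replay   :", store.verify("alice", code))    # False
```

With a five-minute TTL and five attempts, an attacker who has the victim's password gets at most five guesses against a million codes per login, which is the bound that makes a six-digit code acceptable; without the attempt limit the TTL alone does not protect it.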

You should try Google Authenticator.

There are others like https://www.gauthify.com, who offer this service.

You may be interested in looking at this StackOverflow post.

Balram Tiwari

I cannot fully express how much I am impressed by Twitter's recent TFA implementation; it is extremely convenient and (assuming they didn't botch the protocol) much more secure than many other forms of TFA.

Here's a description written by Wired.

But to summarize: you activate a device for TFA and it generates a private (device)/public (server) key pair. When you try to log in, after receiving correct username/password credentials the server sends a push notification to the application on any authorized devices, encrypted with the public key; the application decrypts the nonce and sends the nonce back to the server and is given a session.

And of course as others have mentioned, there are prebuilt services you can use such as Google Authenticator, but they tend to be clunkier and there are concerns about SMS and TOTP security.

Camden Narzt

Two-factor authentication means confirming something the user knows (their password) and something they have in their possession (like a physical key, a badge, or an RSA key fob; the important part is that it's a physical object other than what you are giving them access into). Sending a push of any kind to the iPad they are using to log in to the app defeats the purpose and is no better than single factor (password only). Your only choices are:

  • Distribute an RSA key fob (or similar). Probably not an option because of the cost & management overhead associated.
  • Create an authenticator app that only works on a separate device from the iPad with your app on it (along the same lines as the Google Authenticator app). You can probably prevent the authenticator app being run on the iPad by registering a URI scheme for your protected app and trying to open it from the authenticator every time the authenticator is opened. If the protected app opens, that means the user is trying to run both on the same device and the authenticator should not validate them.
  • Send an SMS to their registered phone with an authentication code. By using SMS here you're forcing the user to have both devices to be able to log in, which is the key to TFA. Note that a creative user could register a Google Voice number (or similar VOIP with SMS app) on their iPad, thus circumventing the physical aspect of TFA.

RyanR

Check Google Authenticator. https://code.google.com/p/google-authenticator/

I think it is quite good for two-step authentication.

Here is source code for the server side (it is in PHP but I think it is not a big issue to convert it to .NET or another platform): https://github.com/chregu/GoogleAuthenticator.php

As far as I know it uses the Time-based One-time Password Algorithm http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

Sergey Pekar