13

Suppose you want to add an extra layer of credentials on top of an SSL-encrypted login/password, but you don't want to increase complexity for the user. Is there a way to add the requirement of the possession of a dongle to web-server authentication schemes with existing cross-platform browser capabilities?

In other words, to get access to the web-site, you would need a username, password, and a USB dongle that has been plugged into the client computer. The dongle would presumably do some sort of challenge/response.

It'd be ideal if this dongle solution worked with Firefox automatically or with the simple addition of a plugin.

Thoughts and suggestions are appreciated.

GEOCHET
Brian M. Hunt
  • Any type of copy protection really sucks. Including dongles. Dongles are probably the worst of the lot. Good luck with that. – GeoffreyF67 Jan 26 '09 at 20:30
  • @GeoffreyF67 why would the only use case be for copy protection? It could be about extra security. – michaelmichael Jul 11 '10 at 20:31
  • @michaelmichael: Quite right. My concern when asking this question had nothing to do with copy protection (and indeed copy protection never even crossed my mind, but I suppose that's a use for dongles) -- authenticated access to functionality is at the root of my concerns. – Brian M. Hunt Jul 11 '10 at 22:31

5 Answers

19

You may be interested in the Yubikey.

It's a small USB dongle that acts as a USB keyboard (i.e. needs no special drivers or client software) and is designed exactly for this sort of authentication.

dF.
  • How are you proposing a browser would access this hardware? – GEOCHET Jan 26 '09 at 20:18
  • It doesn't -- the device has a button which the user presses to authenticate to the website. – dF. Jan 26 '09 at 20:19
  • wish product keys were that easy – ccook Jan 26 '09 at 20:20
  • Sounds like a pretty good idea, however, since it just emulates a USB keyboard, there's no guarantee that the user has it plugged in, and that they aren't just typing in the password on a regular keyboard. – Kibbee Jan 26 '09 at 21:21
  • Disregard that last comment, after doing more research, it seems like it works a lot like RSA SecurID, and generates a new key every time. – Kibbee Jan 26 '09 at 22:11
  • Looks very interesting. Thanks for posting. – Brian M. Hunt Jan 27 '09 at 04:32
  • @Kibbee Kibbee, both your statements were correct. You can choose to configure a YubiKey with a static password. Or you can configure the YubiKey to generate a [One-Time Password](https://en.wikipedia.org/wiki/One-time_password) (OTP). For web app authentication, the user clicks or tabs into the login field, and touches the touch-sensitive button on the YubiKey. The device acts like a keyboard, robotically typing its identifier and OTP into your web form. Server-side, your web app verifies with Yubico’s servers. Those Yubico servers predict the values to be generated by the device. – Basil Bourque Mar 11 '14 at 13:27
  • This answer could be improved by noting the FIDO/U2F standard (that YubiKey created/supports). – Brian M. Hunt Nov 23 '16 at 13:47
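What the comments above describe (the key "types" a modhex string, the server decrypts it, checks it, and rejects anything it has already seen) can be shown end to end for a key whose AES secret you hold yourself rather than YubiCloud. This is an added example, not Yubico's code; it follows the published Yubico OTP layout (12-char modhex public ID, then one AES-128 block of private ID, session counter, timestamp, use counter, random bytes and an inverted CRC-16), and the key, private ID, public ID, timestamp and random bytes are constructed values.

```go
package main
import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)
const modhex, hexa = "cbdefghijklnrtuv", "0123456789abcdef" // modhex types the same on any keyboard layout
func modhexEncode(b []byte) string {
	return strings.Map(func(r rune) rune { return rune(modhex[strings.IndexRune(hexa, r)]) }, hex.EncodeToString(b))
}
func modhexDecode(s string) ([]byte, error) { // a non-modhex char becomes 'z' so hex decoding fails
	return hex.DecodeString(strings.Map(func(r rune) rune {
		if i := strings.IndexRune(modhex, r); i >= 0 { return rune(hexa[i]) }
		return 'z'
	}, s))
}
func crc16(b []byte) (crc uint16) { // Yubico's CRC-16: reflected poly 0x8408, init 0xffff
	crc = 0xffff
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			if crc&1 == 1 { crc = crc>>1 ^ 0x8408 } else { crc >>= 1 }
		}
	}
	return
}
// makeOTP models a button press: uid(6)|counter(2)|timestamp(3)|use(1)|random(2)|~crc(2), AES-128 under the device key.
func makeOTP(pubID string, key, uid []byte, counter uint16, use byte) string {
	p := append(append([]byte{}, uid...), 0, 0, 0x1c, 0x20, 0x03, use, 0x7a, 0x15, 0, 0) // timestamp/random constructed
	binary.LittleEndian.PutUint16(p[6:], counter)
	binary.LittleEndian.PutUint16(p[14:], ^crc16(p[:14])) // Yubico's check (16-byte CRC == 0xf0b8) is equivalent
	c, _ := aes.NewCipher(key); c.Encrypt(p, p)
	return pubID + modhexEncode(p)
}
// Validator is the server-side record for one enrolled key: its secrets and the last counters it accepted.
type Validator struct{ PubID string; Key, UID []byte; Counter uint16; Use byte }
func (v *Validator) Verify(otp string) error {
	if len(otp) != 44 || otp[:12] != v.PubID { return errors.New("bad length or unknown public id") }
	ct, err := modhexDecode(otp[12:])
	if err != nil { return err }
	c, _ := aes.NewCipher(v.Key); c.Decrypt(ct, ct)
	if binary.LittleEndian.Uint16(ct[14:]) != ^crc16(ct[:14]) { return errors.New("crc mismatch: wrong key or tampered otp") }
	if string(ct[:6]) != string(v.UID) { return errors.New("private id mismatch") }
	ctr, use := binary.LittleEndian.Uint16(ct[6:]), ct[11]
	if ctr < v.Counter || (ctr == v.Counter && use <= v.Use) { return errors.New("replayed otp") } // must strictly advance
	v.Counter, v.Use = ctr, use
	return nil
}
```

Because the server only ever accepts a counter pair that is strictly greater than the last one it stored, a captured OTP is useless once it has been used, which is the property Kibbee's second comment refers to.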
8

You could use RSA SecurID tokens, which are little keychain displays that change the number displayed every one minute. In addition to requiring the username and password, you can also require them to enter the number they see on their token to verify they have the hardware device with them. There are various hardware dongles, with some even requiring a PIN to be entered to see the changing number. There is extra complexity on the server side, but the client doesn't have too much trouble.

Kibbee
2

I've had good results implementing website authentication and login using Dinkey Dongles and the DinkeyWeb system.

The user plugs the USB security dongle into their machine, visits your "protected" web page and it validates the dongle before loading the page. Works without special permissions or privileges.

Hope it helps.

Nick Smith
2

I've also used the Yubikey with good results. Another similar solution is the Swekey - you might want to check that out also.

metadaddy
1

It's going to require something that has the rights to access the dongle. There is also the issue of hacking it--the communications aren't going to be able to be hidden so you have to make sure it doesn't matter. That means the dongle is going to have to implement its own crypto. You'll also need support for whatever systems you are going to support.

I see this getting very complex very fast.

Loren Pechtel