Multi Factor Auth

Recommend this page to a friend!

      PHP Classes blog  >  PHP Multi-Factor Auth...  >  All threads  >  Multi Factor Auth  >  (Un) Subscribe thread alerts  
Subject:Multi Factor Auth
Summary:Sequential Authentication Methods
Messages:3
Author:Cyril Ogana
Date:2015-05-26 05:59:25
Update:2015-05-26 22:16:32
 

  1. Multi Factor Auth   Reply   Report abuse  
Picture of Cyril Ogana Cyril Ogana - 2015-05-26 06:29:47
Hi Dave. Thanks 4 the post. One of Owasp Guidlines is "Validate the authentication data only on completion of all data input, especially for sequential authentication implementations".
I would take it that a method which uses say a password followed by a 6 digit SMS token fall under this category. Would finding some way to re-authenticating the password when doing 2nd factor?

  2. Re: Multi Factor Auth   Reply   Report abuse  
Picture of Dave Smith Dave Smith - 2015-05-26 07:33:50 - In reply to message 1 from Cyril Ogana
I am assuming the events would be...

1) User logs in with a username and password pair, or just a password if the system requires unique passwords for each user.

2) Password is validated and the system sends a unique 6 digit PIN to the registered mobile number via SMS.

3) User enters the 6 digit pin as a token.

When the pin is entered, all data has been entered and then we perform the authentication... username and password and token match, user is authenticated. I think this is in compliance with the Owasp guidelines.

The 6 digit pin should be unique and new for each new authentication request and expire after a short period of time.

Dave

  3. Re: Multi Factor Auth   Reply   Report abuse  
Picture of Cyril Ogana Cyril Ogana - 2015-05-26 22:16:32 - In reply to message 2 from Dave Smith
Thanks, am getting the concrete idea about it now...and multi-factor in general

 

For more information send a message to info at phpclasses dot org.