[TYPO3-dev] Improving login security in TYPO3 (BE+FE)
Dave Sexton
list-typo3 at jack.org.uk
Wed May 16 12:22:17 CEST 2012
On Wed, 2012-05-16 at 11:41 +0200, Kay Strobach wrote:
> Hello Dave,
>
> as far as I know, this won't work with challenged passwords ...
I thought the Google thing was an OTP generator, not a challenge-response?
> Yubikey seems to use the same algorithm as google ;)
.. In which case, what I suggested should work. With Yubi (and most other OTP generators), there is no two-way conversation between the authentication service and the token generator.
Every time I press the button on the Yubikey, it generates a unique 44-character string. That string includes an identifier for the token and the OTP itself. Those two bits of information are sent to the authentication server (which securely holds a copy of the 'secret' [AES key] held within the Yubikey). The server then responds with success or failure.
I have just seen the demo video on Google. It looks like an OTP generator with a 6-digit token.
While it is much nicer to ask users for the token in a separate input box, it is far easier to implement as a combined entry in the password field. So if my TYPO3 password were 'password' and '123456' was displayed on my phone, I would enter the following into the password box:

password123456
You know that the last six characters of the password field are the token, so you can separate them out and send the OTP to the Google service and the password through the normal TYPO3 auth service.
Jack