[TYPO3-dev] Improving login security in TYPO3 (BE+FE)

Kay Strobach typo3 at kay-strobach.de
Wed May 16 12:28:46 CEST 2012


Hi Dave,

so you have the second YubiKey type I know now ;) - it's different from
what I know

>         field. So if my TYPO3 password were 'password' and '123456' was
>         displayed on my phone, I would enter the following in to the
>         password box :-
>
>         password123456

This works as long as you do not hash the password client-side ;)
E.g. with the challenged or superchallenged setting in the Install Tool :)

>         You know that the last six characters of the password field are
>         the token, so you can separate them out and send the OTP to the
>         Google service and the password through the normal TYPO3 auth
>         service.

You do not need to contact Google at all ;) - Google just provides the
app and the algorithm - https://code.google.com/p/google-authenticator/

It implements:

> These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.

Regards
Kay


-- 
http://www.kay-strobach.de - Open Source Rocks

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

Answer was useful - feel free to donate:
  - https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=KPM9NAV73VDF2
  - https://flattr.com/profile/kaystrobach
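The scheme discussed above, as an added worked example that is not part of the original thread and not TYPO3 or Google Authenticator code: the server takes the submitted password box, treats the last six characters as the OTP, checks that OTP locally with the RFC 4226 (HOTP) / RFC 6238 (TOTP) algorithm the Google Authenticator app implements, and only then hands the remaining characters to the normal password check. No Google service is contacted. Assumptions (all mine, not the page's): the shared secret is stored server-side as base32 (the format the app's provisioning QR code uses), tokens are 6 digits of SHA-1 HOTP on 30-second steps, one step of clock skew on either side is tolerated, and the server sees the raw submitted field (i.e. the password is not hashed client-side, which is the condition Kay points out). The secret used in the demo is the 20-byte test key from the RFCs, constructed here for illustration.

```python
"""Verify a <password><6-digit TOTP> field locally (RFC 4226 / RFC 6238).

Added example, not code from the TYPO3-dev thread. Assumptions: base32
secret, SHA-1, 6 digits, 30 s step, +/- 1 step of skew, raw password field.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
SKEW_STEPS = 1  # accept the previous and next 30 s window as well


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, token: str, at: int, skew: int = SKEW_STEPS) -> bool:
    """Accept the current step and +/- skew neighbouring steps.

    Every candidate is evaluated and compared in constant time so that
    response timing does not reveal which window (if any) matched.
    """
    if not (token.isdigit() and len(token) == DIGITS):
        return False
    counter = at // STEP_SECONDS
    ok = False
    for c in range(counter - skew, counter + skew + 1):
        ok |= hmac.compare_digest(hotp(secret, c), token)
    return ok


def split_password_field(submitted: str):
    """Dave's scheme: the last six characters of the password box are the OTP."""
    if len(submitted) < DIGITS + 1:
        return None, None
    return submitted[:-DIGITS], submitted[-DIGITS:]


def check_login(submitted: str, base32_secret: str, at: int):
    """Return (otp_ok, password_for_normal_auth).

    The password part is only released to the regular auth service when
    the OTP verified, so a wrong token never reaches the password check.
    """
    password, token = split_password_field(submitted)
    if password is None:
        return False, None
    secret = base64.b32decode(base32_secret.upper(), casefold=True)
    if not verify_totp(secret, token, at):
        return False, None
    return True, password


# Constructed demo secret: base32 of the RFC 4226/6238 test key
# "12345678901234567890" (20 ASCII bytes). Never reuse it for real accounts.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = base64.b32decode(DEMO_SECRET_B32)
    now = int(time.time())
    print("current token:", totp(secret, now))
    # RFC 6238 test vector: at T=59 the SHA-1 TOTP is 94287082 -> 6 digits 287082
    print(check_login("password287082", DEMO_SECRET_B32, 59))  # (True, 'password')
    print(check_login("password123456", DEMO_SECRET_B32, 59))  # (False, None)
```

The demo values come from the RFC test vectors (HOTP counter 0 is 755224, counter 1 is 287082, TOTP at T=59 with SHA-1 is 94287082), so the implementation can be checked without a phone. In a real auth service the secret lookup would be keyed on the username, and the OTP check must be rate-limited and the accepted counter recorded so the same token cannot be replayed within its window.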
