Modelon Solutions


Mega Security, Just like the Big Boys Do It.


I was doing a little architecture for a client who kept on saying: more security, more security!

Considering their site is hosted over SSL, with no public APIs to attack, all the best practices in place, and username/password authentication, I was wondering what more we could do; what was I going to do to help these guys out?

My bank has an approach where they ask me an additional piece of information, like my cat’s name, when I log in. But that is basically just like having a second password, and I am not too sure how much real security this brings to the table.

Then it hit me…

About two months ago, I activated two-factor authentication on my outlook.com account. I was leaving on vacation and I figured, why not protect my account a bit more while I go off and roam on unknown networks… The idea is basically that you must enter your password, and then some sort of code that only something you carry with you (i.e. your phone) can generate (this code changes every 30 seconds). That way, if somebody intercepts your password, he cannot generate the code required because he doesn’t have your device. If you lose your device, you know you were “hacked” and just remove that device from your account.

I did a little research on how all this stuff works, and it turns out that it is pretty generic, as in you can integrate it into your own apps. On the technology side you need to integrate TOTP into your website, and your users will need some sort of authenticator app on their phone (Microsoft built one for Windows Phone 8, Google has one also, and I can only imagine that Apple has one for iOS).

I was going to tell everyone how to integrate this into your web site with packages that you find on the internet, but then Microsoft did something cool: it released version 2.0 beta 1 of the ASP.NET Identity stuff, which has baked-in support for multi-factor authentication… how awesome is that!!!

I haven’t had time to try the new packages yet, but I will be using them in two new projects I am starting. As soon as I get there, I will post my findings on how to get this stuff working, as I find it awesome. Also, my implementation will rely on RavenDB, so I will have to jury-rig something special to get it all working nicely together.
