So what is two-factor authentication? I’ll defer that explanation to the Wikipedia page on the subject. Most systems require users to identify themselves using a username and password. The problem is that if people choose a weak password, which evidence suggests they do, suddenly your secure authentication system is not so secure. Using “something you have” in the authentication process makes it much more secure. Take cash machines as an example. If I discover your PIN number, I can only take money out of an ATM if I am in possession of your bank card. Without the card, knowing the PIN number is not going to help me steal your money.
I’ve created an Alfresco extension that implements two-factor authentication using a YubiKey.
What is a YubiKey? It’s a device that you plug into your USB port and it generates one time passwords (OTP). It’s similar to RSA’s SecurID, only a lot cheaper. So now, in addition to specifying your username and password, you also have to submit a OTP when logging in – the OTPs are validated by Yubico’s servers.
Using a key like this makes logging in a lot more secure as it is now no longer possible to log in just using a username and password. In addition, each key is tied to a particular user account – the extension takes care of this – so it’s not possible to just use any key; the user has to use the key that has been (uniquely) assigned to them. The screencast below shows how it works.
[yframe url=’http://www.youtube.com/watch?v=jlc1DrPkX5c’]
I will release the extension shortly. You can download the extension from here. I’ll be attending Alfresco DevCon in London so come and say hi and I can give you a live demo of the system. In the meantime, if you have any questions, feel free to leave a comment or send me an email.