Assigned: Thu, Apr 18, 2013
Status Report: N/A
Due: Thu, May 9, 2013 (As part of Project 4)
Description
This extra credit asks you to add measures to prevent user account hijacking. You must implement Open Authentication (OATH) and one-time passwords as defined in RFC 4226 and RFC 6238. The simplest way to do this is using Google Authenticator, which has a ready-made PHP module.
Requirements
Allow existing users to add OATH
- Implement a method for users to generate an OATH key.
- Display a QR code containing the key so that Google Authenticator for Android or iOS can easily import the OATH key.
- Include a good description of your site in the QR code.
- After the user has confirmed acceptance, store the required key data in the database.
Require two-step authentication
- When a user with OATH enabled logs in, require that a one-time password also be entered.
- Validate the one-time password.
- If the one-time password is invalid, the user must not be logged in.
Password reminders and resets
- When a user requests a password reminder or reset, OATH must remain active.
Require new admin and moderator accounts to use OATH (optional)
- Require OATH to be active before a user can be elevated to admin or moderator.
Grading
- Include your OATH implementation in your Project 4 demo.
- Successful implementation of OATH earns 3 points.
- Requiring admin and moderator accounts to use OATH earns an additional 1 point.
Recommendations
- Finish all other Project 4 requirements first. If your user role implementation is incomplete or buggy, it will be difficult to demonstrate that your OATH implementation is correct.