Useful Links

Extra Credit: Two-Factor Authentication

CS418-S13.ExtraCredit History

Hide minor edits - Show changes to output

Added lines 1-45:
(:title Extra Credit: Two-Factor Authentication:)
(:*toc-float Contents:)

'''Assigned''': Thu, Apr 18, 2013 \\
'''Status Report''': N/A \\
'''Due''': Thu, May 9, 2013 (As part of [[Project 4|Project 4]])

!!! Description

This extra credit asks you to add measures to prevent user account hijacking.  You must implement [[|Open Authentication (OATH)]] and one-time passwords as defined in [[|RFC 4226]] and [[|RFC 6238]].  The simplest way to do this is using [[|Google Authenticator]], which has a ready-made PHP module.

!!! Requirements

!!!! Allow existing users to add OATH

* Implement a method for users to generate OATH key.
* Display a [[|QR code]] containing the key to allow Google Authenticator for Android or iOS to easily import hte OATH key.
* Include a good description of your site in the QR code.
* After the user has confirmed acceptance, store the required key data in the database.

!!!! Require two-step authentication

* When a user with OATH enabled logs in, require that a one-time password also be entered.
* Validate the one-time password.
* If the one-time password is invalid, the user must not be logged in.

!!!! Password reminders and resets

* When a user requests a password reminder or reset, OATH must remain active.

!!!! Require new admin and moderator accounts to use OATH (optional)

* Require OATH to be active before a user can be elevated to admin or moderator.

!!! Grading

* Include your OATH implementation in your Project 4 demo.
* Successful implementation of OATH earns 3 points.
* Requiring admin and moderator accounts to use OATH earns an additional 1 point.

!!! Recommendations

* Finish all other Project 4 requirements first.  If your user role implementation is incomplete or buggy, correct OATH implementation will be difficult to prove correct.

History Print Recent Changes Search

Page last modified on April 17, 2013, at 10:45 AM