Double authentication

scatter (Posts: 366, Joined: 01 Jan 2014, 05:22)

Double authentication

Post by scatter »

I am looking for a double authentication method. Does anyone have a great idea that is especially really secure? My idea about it is: the 1st uses email and password, but the 2nd generates an encrypted password randomly, and without that generated encrypted password, auth fails. But what I am afraid of is "hard luck" :p. Yeah, I know if it's encrypted it will take too much time to identify the correct one, but well, I try to eliminate even that 1% chance :)
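For the flow in the post above (email and password first, then a randomly generated second code that must also be presented), here is an added example, not code from the thread. It shows the part that addresses the "hard luck" worry: a code drawn from the OS CSPRNG, a short expiry, a hard cap on wrong guesses, single use, and a constant-time comparison. The code length, TTL, attempt limit and in-memory store are assumed values; a real deployment would keep the pending codes in the login DB and deliver the code out of band (email or SMS).

```python
import hmac
import secrets
import time

# Assumed parameters (not from the thread); adjust to taste.
CODE_LENGTH = 6          # digits in the one-time code
CODE_TTL_SECONDS = 300   # a code is dead five minutes after issue
MAX_ATTEMPTS = 5         # wrong guesses tolerated before the code is voided

# Pending codes keyed by user id. In-memory for the example; use the login DB
# (or a cache with TTL support) in a real service.
_pending = {}


def issue_code(user_id, now=None):
    """Create a fresh code for a user who already passed email + password."""
    now = time.time() if now is None else now
    # secrets.randbelow reads the OS CSPRNG; random.randint is not acceptable
    # here because its output is predictable once some of it has been seen.
    code = "%0*d" % (CODE_LENGTH, secrets.randbelow(10 ** CODE_LENGTH))
    _pending[user_id] = {"code": code, "issued": now, "attempts": 0}
    return code  # deliver out of band; never send it back to the same session


def verify_code(user_id, submitted, now=None):
    """True only for the unexpired, unused code issued to this user."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now - entry["issued"] > CODE_TTL_SECONDS:
        del _pending[user_id]
        return False
    entry["attempts"] += 1
    # compare_digest runs in time independent of where the strings differ,
    # so response timing does not leak which digits were right.
    ok = hmac.compare_digest(entry["code"], str(submitted))
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        # One successful use, or too many failures, retires the code.
        del _pending[user_id]
    return ok


def guess_probability():
    """Upper bound on a blind guesser's success per issued code."""
    return MAX_ATTEMPTS / 10 ** CODE_LENGTH
```

With six digits and five attempts the bound `guess_probability()` returns is 5 in a million per issued code; a longer code or a lower attempt cap tightens it further. The attempt cap and expiry are what bound the guessing risk, not any encryption of the code itself.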


Re: Double authentication

Post by scatter »

I found this, but I am not sure. What do you think about it?

http://websec.io/2013/10/28/Implementin ... wilio.html


Re: Double authentication

Post by scatter »

Also, what do you think of separating the credentials across different DBs? I mean, for example, the DB called products has standalone credentials and the logins DB has others?
Would that make things harder in case someone could, in one way or another, compromise one of the two DBs?

bad_brain, Site Owner (Posts: 11636, Joined: 06 Apr 2005, 16:00, Location: In your eye floaters.)

Re: Double authentication

Post by bad_brain »

I don't know... my philosophy is: keep everything under your own control. Two databases also double the risk, IMO, and you never know how far you can trust third parties.

Random passwords only make sense if you disallow users from changing them, which will annoy people. The best is to force a specific password security level (like min. 7 digits, upper/lower case, at least 1 number and 1 special character)... if used together with a decent salted hashing algorithm and general site/server security, you're safe enough.

In the end there is no 100% anyway... all you can do is add some more 9s after the 99.9%.
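As an added example of the policy-plus-salted-hash approach recommended in the post above (not the poster's code): a policy check implementing the stated rules, and a PBKDF2-HMAC-SHA256 hash with a fresh random salt per password, verified with a constant-time comparison. The iteration count, salt size and storage format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Policy as stated in the post: minimum length 7, upper and lower case,
# at least one digit and one special character. The 7 is the post's figure,
# not a recommendation.
MIN_LENGTH = 7
_RULES = [
    (re.compile(r"[a-z]"), "a lowercase letter"),
    (re.compile(r"[A-Z]"), "an uppercase letter"),
    (re.compile(r"[0-9]"), "a digit"),
    (re.compile(r"[^a-zA-Z0-9]"), "a special character"),
]


def password_problems(password):
    """List the policy rules a candidate password fails; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("at least %d characters" % MIN_LENGTH)
    for pattern, label in _RULES:
        if not pattern.search(password):
            problems.append(label)
    return problems


# Assumed work factor; raise it until a hash takes a noticeable fraction of a
# second on the hardware that will verify logins.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    # 16 random bytes per password: equal passwords get different hashes, and
    # a precomputed table is useless against the whole user table.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)
```

Storing the iteration count beside the hash lets you raise the work factor later and re-hash each user transparently on their next successful login.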

lilrofl, Siliconoclast (Posts: 1363, Joined: 28 Jan 2009, 17:00, Location: California, USA)

Re: Double authentication

Post by lilrofl »

I've used Google Authenticator to 2-factor SSH before. I know there are a lot of Google haters, so I won't go into it too much.

You download an authenticator application, and you generate a shared key to sync the authenticator with the secured program.

When you log into the secured application it will ask you for a code, which is generated every 60 seconds on the authenticator.

It was designed as a more secure way to access Gmail, but it's autonomous and was pretty easy to implement into OpenSSH... I have no idea if it would work for your purposes, but it might be worth a look.
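The shared-key-plus-rolling-code scheme lilrofl describes is TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter taken from the clock, and it is what the Google Authenticator app implements. The following is an added example, not code from the post or from the Google Authenticator project: a key generator, the HOTP/TOTP computation, the otpauth:// provisioning URI the app scans from a QR code, and a server-side verifier that tolerates one step of clock skew but refuses a replayed code. The 30-second step and 6 digits are the RFC 6238 defaults; the issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

DIGITS = 6
STEP = 30  # RFC 6238 default time step, in seconds


def new_secret(nbytes=20):
    """Random shared key, base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI to encode as a QR code for enrolment (placeholder names)."""
    label = quote("%s:%s" % (issuer, account))
    return "otpauth://totp/%s?secret=%s&issuer=%s&digits=%d&period=%d" % (
        label, secret_b32, quote(issuer), DIGITS, STEP)


class TotpVerifier:
    """Server-side check: accept +/- skew_steps of clock drift, never accept a replay."""

    def __init__(self, secret_b32, skew_steps=1):
        self.secret = secret_b32
        self.skew = skew_steps
        self.last_counter = -1  # highest counter already redeemed for this user

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        now_counter = int(at // STEP)
        for c in range(now_counter - self.skew, now_counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # a code captured in transit must not work twice
            if hmac.compare_digest(hotp(self.secret, c), str(code)):
                self.last_counter = c
                return True
        return False
```

Persist `last_counter` with the user record, or the replay check is lost on restart. The RFC 4226/6238 test vectors (key `12345678901234567890` in ASCII, SHA-1) are the easiest way to confirm an implementation before pointing a phone at it.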

ayu, Staff (Posts: 8109, Joined: 27 Aug 2005, 16:00)

Re: Double authentication

Post by ayu »

I've also used Google Authenticator for my servers at home and it works great :-).

CommonStray, Forum Assassin (Posts: 1215, Joined: 20 Aug 2005, 16:00)

Re: Double authentication

Post by CommonStray »

Two-factor authentication is good, and there are other providers out there besides Google.


Re: Double authentication

Post by lilrofl »

Yeah, there are a lot of options. I just like Google Authenticator because I've used it for quite a long time. Since it went closed source, though, there have been a few forks of the project which are equally nice:

An independent fork of the Android version of the software named OTP Authenticator has been created, which is based on the last version of the open source code that had been provided by Google.

Another Open Source fork named FreeOTP has been published by Red Hat.

A decent primer on multi-factor authentication options can be found at LastPass (an unrelated service):

https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/