Keeping PCs Safe on the Internet

PC Security Journal

Subscribe to PC Security Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get PC Security Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


PC Security Journal Authors: RealWire News Distribution, Denise Dubie, Lacey Thoms, Bob Gourley, Michael Bushong

Related Topics: Apache Web Server Journal

Apache Web Server: Article

Mass-Market Two-Factor Authentication using Open Source Technologies

Mass-Market Two-Factor Authentication using Open Source Technologies

One-time password (OTP) based two-factor authentication solutions are commonly used to secure VPNs, web sites, and online transactions. They are much more secure than authentication methods based on static passwords. In fact, the US government mandates that all online banking services must adopt two-factor authentication by the end of 2006. However, existing OTP systems are expensive to implement for mass market online services for two reasons: first, a security token device, which generates OTPs, must be distributed to the user and properly managed; second, the authentication software is expensive and integration with existing Java EE web sites is not trivial. Recent advances in open source security solutions in both Java EE and Java ME allow us to develop cheap two-factor authentication solutions for the mass market.

In this hands-on session, we will discuss how to integrate a stack of open source tools and frameworks to enable end-to-end two-factor authentication for Java EE servers. Any user with a Java ME mobile phone will be able to use the service. Open source tools covered in this talk include: Apache Directory Server (a pure Java directory server with Kerberos authentication service support, see http://directory.apache.org/), Haukey (the J2ME OTP generator for mobile phones, see http://hauskeys.safehaus.org/), and Triplesec (server side OTP generator, the management interface and application server integration kits, see http://triplesec.safehaus.org/). At the end of the session, you will be able to add two-factor authentication services to better protect your web site users (and yourself) for free.

More Stories By Michael Juntao Yuan

Michael Juntao Yuan is a member of JDJ's editorial board. He is the author of three books. His latest book, "Nokia Smartphone Hacks" from O'Reilly, teaches you how to make the most out of your mobile phone. He is also the author of "Enterprise J2ME" - a best-selling book on mobile enterprise application development. Michael has a PhD from the University of Texas at Austin. He currently works for JBoss Inc. You can visit his Web site and blogs at www.MichaelYuan.com/.

Comments (4) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Arnnei 05/09/06 07:10:58 PM EDT

The first company in the market to offer J2ME based TFA OTP was Mega AS Ltd (www.megaas.co.nz) who designed and applied for patents in 2003 for its J2ME OTP Cellular Authentication Token (CAT).
Using the CAT, Mega AS has also developed the concept of eAuthentication Service and offers it to SMEs who don't want to install and manage its own Server Authentication module.

It is recommended to use authorized and patented solutions rather then Open Source that may be open for IP charges.

Arnnei 05/09/06 07:10:52 PM EDT

The first company in the market to offer J2ME based TFA OTP was Mega AS Ltd (www.megaas.co.nz) who designed and applied for patents in 2003 for its J2ME OTP Cellular Authentication Token (CAT).
Using the CAT, Mega AS has also developed the concept of eAuthentication Service and offers it to SMEs who don't want to install and manage its own Server Authentication module.

It is recommended to use authorized and patented solutions rather then Open Source that may be open for IP charges.

Arnnei 05/09/06 07:10:28 PM EDT

The first company in the market to offer J2ME based TFA OTP was Mega AS Ltd (www.megaas.co.nz) who designed and applied for patents in 2003 for its J2ME OTP Cellular Authentication Token (CAT).
Using the CAT, Mega AS has also developed the concept of eAuthentication Service and offers it to SMEs who don't want to install and manage its own Server Authentication module.

It is recommended to use authorized and patented solutions rather then Open Source that may be open for IP charges.

Christian Donner 02/09/06 03:49:01 PM EST

For those who don't want to program yet want to have an Open Source-based two-factor enterprise-class authentication solution (with Radius server), there is smsRadius:

http://smsradius.us/images/architecture.jpg

smsRadius sends and receives short messages, connects with any network resources that use Radius authentication (e.g. most hardware firewalls), and includes a full-fledges PKI with Web-based certificate management for users.