Use usb uuid as token for centralized 2FA server - token

I looking for a 2FA centralized solution, on Linux (Ubuntu) and Windows, who can use Data USB key as token, for example using UUID device for the token. (I read it's not that much secure but for start it will be fine for us).
The idea is to us it for a user authentication at OS login and after on other web application.
I install LinOTP for try but I don't found a way to do it. The best should be a Open Source solution.
Thank's for help

You could use the yubikey. It might be the most expensive solution, but it probably gets the job done, what you are looking for.
The yubikey 4 is a smartcard. You can simple create PGP keys on the yubikey and use this crypto to authenticate at your Linux login using pam_poldi. Simple and effective.
We also use the yubikey in HOTP mode and have initialized them with privacyIDEA. I wrote a blog article, how you could setup an enrollment stations.
This way you can use the same device for offline local login and for authentication at webinterfaces (using HOTP).
Note: You only need a backend like LinOTP or privacyIDEA for using the OTP part. If you want to use local authentication like PGP, neither LinOTP nor privacyIDEA does currently support this.
Disclaimer: Please note that I was involved with LinOTP and am the project founder of privacyIDEA.

Related

Is it possible to substitute a server backend using Dropbox?

I am developing an iOS application (to be deployed on the App Store) that requires content updates on a weekly basis.
I understand that the best way to achieve this would be to use a server, where the app would query for new data and download responses in JSON. However I am not knowledgeable when it comes to HTML, PHP or MySQL and therefore am endeavoring to find an alternative.
Here's an idea: using Dropbox to substitute for a server backend. My app connects to one central Dropbox account, checks for new files, and downloads them if present.
Is this idea feasible? If not, are there any alternatives?
Dropbox cannot be a dependable substitute for your server/backend for following reasons:
Dropbox uses OAuth for authentication, which needs user interaction. You do not want your app users to go through Dropbox authentication with your 'common' credentials.
Users who have a Dropbox account or the app installed, will most likely use their own credentials to login which completely breaks your flow.
Drobox, although a good way of sharing and syncing files is not meant for more meaningful data like web services etc or user/database interaction etc. Just syncing JSON file may suffice your app's needs for now but from a long term perspective you want a proper back end.
As suggested in the comment by #tkanzakic you can use one of the substitution services if you don't want to get too technical on the backend.
I am pretty late to the party, but this is possible and not necessarily a stupid idea (though this depends on what you need). You might want to have a look at remote storage for example, which allows you to use Dropbox among other providers as backend.
For sure, you can use the Dropbox Sync API to achieve this (https://www.dropbox.com/developers/sync).

Client-server user authentication

UPDATE: I failed to mention earlier that we want solution that will be flexible with authenticating users from within our databases or by asking other servers to tell us if the user is authenticated. It is also worth mentioning that these other servers are not under our control so we can't enforce a specific user model.
I had a long and hard read on OAuth and OpenID but they are both not a suitable solution for our situation and will make the process harder to the user. This is something that has been solved a thousand times, yet I cannot find the solution.
What we are looking for is a framework that can be used in a REST services server to authenticate users (no third-party clients involved) with their username and password.
The solution must not pass the username and password except the first time on login and use tokens for further authentication. Even though OAuth does use tokens, it is designed to allow third-party clients access to the service-providers resources. That is not the case here, the services are for our own application only, the only thing needed is user authentication.
What do you guys think is the most appropriate solution?
Configuration:
-Spring server that provides RESTful services with our thinking going towards using Spring Security with some user management and token management framework.
-iOS Device that will be making HTTPS calls to the server.
What we ultimately want is to have the device send a login request and receive a token if the login was successful, later on make requests using that token. Just like Facebook, excluding third-party involvement.
Is there something that is ready to be configured in our server? Or should we consider building our own token management, comparison and generation software?
Is using Spring-Security with an iOS application without involving storing cookies or redirecting to pages possible?
OpenStack offers as part of it's many projects related to open source cloud... the project Keystone. Which does this pretty much exactly what you want.
You might want to check it out here:
http://docs.openstack.org/developer/keystone/

How to create a server accessible by an iphone app

I a thinking of creating an iPhone/iOS app that would include a feature where one user could create a list of words and then save them to their account on a server. Also (and this is very important), the user could share their list with other users by giving them permission.
So my question is, how can I go about creating such a server? For right now, I have a home computer (running Windows XP that just stores data for my music system) which I can use to host the server. I am also open to the use of other online storage services like Google Drive or Dropbox (I can't remember if Amazon does anything like that). However (and I know this may complicate things a bit), but at least for now, I want/need to stick with free services/options.
Just to recap, the key features that I am looking for are:
create users/accounts (on the server)
eventually I may [try] to incorporate the use of other services to log users in like with their email account, OpenId, etc.
the ability to access (log in to) the server (with credentials) from my app
the ability to send/receive data between the server and my app
the ability to share data between users
I know this is a lot to ask for, but if anyone has any suggestions or can get me going in the right direction, it would be much appreciated.
The basic setup would be as follows:
Backend: Database (MySQL), Web server (Apache), with server side scripting (PHP).
Client: iOS device with developed app.
Communication: use HTTP client/server model, communicating with something like JSON.
This is much the same setup as a web server, but instead of serving html/css/javascript etc the results will be JSON.
As far as implementing specifics such as login in, and sharing data between users, this is purely dependent on your implementation. This is not trivial, and not something that can be easily stated in a single post.
Hope this helps.
You could build your own webservice in PHP, Ruby or Python. If you do so I would recommend building a RESTful webservice (http://en.wikipedia.org/wiki/Representational_state_transfer) and then use RestKit (http://restkit.org/) to handle the data in the iOS app. Especially RestKit's CoreData integration is nice in my opinion.
Another solution would be using a service like Parse (https://parse.com/products/data). The first million or so requests per month are free but after that it could get pricy. I personally have not tried it so I couldn't tell you if it is any good.

Creating a unique-per-user passcode that cannot be employed by other users

I'm developing an iPhone game, and thanks to some backers, I got the funding for finishing it.
I wanted to give rewards to those backers with a "passcode"; they will simply enter the passcode and get rewards in the game.
Of course, any one of them would be able to distribute that passcode to the public...and that's a problem.
What is the best way to achieve something like this? Some kind of one-use password?
My first idea was to connect to a remote MySQL server from my game and check that password if it has been used before etc. But I was told that I shouldn't do that directly, that I need some kind of intermediate platform for it. So for the sake of simplicity, what are your ideas?
You could build some web services yourself to interact with your app. Alternatively you could choose a service that claims to do this for you - e.g parse.com. Have a look at the 'user management' section of the homepage of that site. I don't know how stable Parse is but it does look promising for what you want to do, if you don't want to spend a lot of time. There must be some alternatives out there as well.
Not certain but i dont think there is an MySQL driver handy for this architecture, so writing directly to a server on port 3306 is out of the question (as well as being a huge security risk for your server). I would probably write some simple rest API (in PHP), server side, and do a REST call to the server from the iOS app, a simple request-response over http(s). The response could probably be an xml file (aka a plist) that you could store in the Documents directory - your cue moving forward that the device has a privileged access to your goodies. The server would interface the MySQL to 'consume' the passphrase. PHP can be setup to be relatively safe (from SQL injections, and other 'bad' things).
These two tutorials by Ray Wenderlich demonstrate almost exactly what you want to do. Set up a MySQL database with a Php interface.
Part one:
http://www.raywenderlich.com/2941/how-to-write-a-simple-phpmysql-web-service-for-an-ios-app
Part two:
http://www.raywenderlich.com/2965/how-to-write-an-ios-app-that-uses-a-web-service

CouchApp user registration

I'm building a standalone couchdb application. These are called couchapps. The idea is that the database itself is served on port 80 and returns HTML and works as the actual website. This is a very powerful idea and I'm entirely amazed by this new concept of having your code live inside your database.
But I'm having some issues with user registration. The one built into couchdb allows for cookies to be set and makes it really easy to plug it into your website. But there's several quite important things missing that my app requires in order to say that it has a "proper" user registration system.
There's no signup verification. No email is sent, no captcha is displayed. This means that anyone could spam your _users database and create as many new users as they please.
If a user forgets their password there's no facility to help them recover it.
Any idea how I could overcome these issues without doing any hardcore Erlang development at a lower level (not an Erlang guy)? It would also be great if anybody knew if I could be using OAuth to authenticate against Twitter or GitHub accounts and have that integrate seemlessly with how couchdb data is handled (inside validate_doc_update functions).
Thank you
While the built in user database can work, I would not recommend it for the workflow you describe. Here are some other options:
Browser ID
I would really recommend using BrowserID. IrisCouch has provided a plugin to couchdb here:
https://github.com/iriscouch/browserid_couchdb
This will take care of the normal registration workflow.
If you want to take it a step further and have your users "Fairly Anonymous", you can follow the example of this couchapp called "Mingle"
https://github.com/thedod/Mingle
Twitter Integration
Max Ogden's "DataCouch" project has a log in via twitter, although it is using some Node external processors to make it work. See here:
https://github.com/maxogden/datacouch/blob/master/processors/auth/twitterauth.js
Facebook integration
https://github.com/ocastalabs/CouchDB-Facebook-Authentication
OpenID
https://github.com/mcaprari/couchdb-openid
I dont think you can use the oauth purely with Couch, as this post suggests:
http://bennolan.com/2011/01/11/couchdb-oath.html
so the closest you will get there is following what Datacouch has done.
Hope these suggestions help.

Resources