On 23 March 2013, at 22:59, Mehmet Erol Sanliturk <[email protected]> 
wrote:

> The following steps may be another idea:
> 
> Assume that you supply to your users a small login program prepared for them 
> specifically (since you are using SSH):
> 
> Compile that program for each user with a special identifier for him/her and 
> ship this program to your user, and require that the login be performed 
> by this program. This program will send a very long code to your system 
> with the user's password, which is known only to you and to your user. Since 
> external users will not know this code, they will not be able to log into 
> their accounts by using only the password.
> 
> This will also easily identify fake login trials: it is very obvious that 
> guessing a very long code will require a large number of tries. If the code 
> fails, it means that the login trial is from a fake user.
> If the password fails, a fixed number of trials may be allowed (the banks 
> in Turkey allow only TWO failed passwords; on the third, a new attempt can be 
> made only after 24 hours).
> 
> This program may also additionally send a computer signature to your system, 
> which was previously sent to you on subscription, computed by a program 
> prepared by you.
> 
> If the user changes or uses a different computer, he/she should supply a 
> signature of that computer.
> 
> Here, the important point is that you should always verify that you are 
> communicating with the real user, not a faked user on behalf of the real user.
> 
> For stolen programs/codes, prepare a new program and ship it to the user.

That's an interesting approach, but it becomes difficult to use when traveling, as 
you have no idea what computer you will be able to use today until you get to 
it.  Then you might have only a few minutes of access to it before moving on.

> 
> Another idea may be the following:
> 
> Assume the user's computer is NOT captured by a criminal bandit.
> 
> On subscription, send the user a square bar code printed on a card, like a 
> credit card, carrying a very long code specifically prepared for the user.
> On login, the user will show this card to the camera of the computer and 
> it will be transmitted to your system. In your system, it will be decoded 
> and used, together with his/her password, to identify the user.
> 
> If this approach is used, it may not be necessary to send the users a 
> special login program prepared for each of them.
> 

This idea shows a lot of promise.  I have to figure out how to tie it into 
mail, web, etc.  There is libqrencode for creating the QR images.  I am 
downloading it now.

-- Doug

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
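The server side of the two-part login discussed above (a long per-user code carried by the custom program or printed as a QR card, plus the user's password, with the bank-style "two failed passwords, then wait 24 hours" rule) is sketched here as an added example. It is not Doug's code and nothing the list supplied; it assumes a Python service with an in-memory user table, stores only a hash of the long code, and treats the base32 string returned by `enroll()` as the payload you would hand to libqrencode. The names `enroll`, `authenticate` and `UserRecord` are invented for the illustration.

```python
"""Two-part login check: long per-user code (QR card / custom client)
plus password.  Hypothetical example code, not the list's or Doug's."""

import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_BYTES = 32              # 256-bit per-user code: not guessable by trial
PBKDF2_ROUNDS = 200_000
MAX_PASSWORD_FAILURES = 2     # the "two failed passwords" rule from the thread
LOCKOUT_SECONDS = 24 * 3600   # third failure: wait 24 hours


@dataclass
class UserRecord:
    token_hash: bytes         # sha256(token); the token itself is never stored
    pw_salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(db: dict, username: str, password: str) -> str:
    """Create the user; return the card payload (what the QR code encodes)."""
    token = secrets.token_bytes(TOKEN_BYTES)
    salt = secrets.token_bytes(16)
    db[username] = UserRecord(
        token_hash=hashlib.sha256(token).digest(),
        pw_salt=salt,
        pw_hash=_hash_password(password, salt),
    )
    # Base32 text is what you would feed to libqrencode; decoding the scanned
    # string on the server gives back the raw token.
    return base64.b32encode(token).decode()


def authenticate(db: dict, username: str, card_payload: str, password: str,
                 now: Optional[float] = None) -> str:
    """Return one of: ok, reject, fake_trial, bad_password, locked."""
    now = time.time() if now is None else now
    user = db.get(username)
    if user is None:
        return "reject"
    try:
        token = base64.b32decode(card_payload)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "fake_trial"
    # Long code first, in constant time.  A wrong code is, by the thread's
    # argument, not the real user: log it as a fake trial and do NOT touch the
    # password counter, so strangers cannot lock the real user out.
    if not hmac.compare_digest(hashlib.sha256(token).digest(), user.token_hash):
        return "fake_trial"
    if now < user.locked_until:
        return "locked"
    if not hmac.compare_digest(_hash_password(password, user.pw_salt), user.pw_hash):
        user.failures += 1
        if user.failures > MAX_PASSWORD_FAILURES:
            user.locked_until = now + LOCKOUT_SECONDS
            user.failures = 0     # fresh allowance once the 24 hours pass
            return "locked"
        return "bad_password"
    user.failures = 0
    return "ok"
```

Two design points worth keeping if you build this: the long code is checked before the lockout and password logic, so only someone holding the card (or the per-user program) can ever consume the real user's password attempts, and both comparisons go through `hmac.compare_digest` so response timing does not leak how many bytes matched.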
