Hmm, this might be something River could be distributed with, for a
default security setup?
Triplesec, sounds good, from the website:
Two Factor Strong Authentication for the Mass Market
Do you think that your password-protected web sites (or network
applications) are safe? Well, think again
<http://news.com.com/Companies+urged+to+move+beyond+passwords/2100-1029_3-5865013.html?tag=nefd.top>.
Consensus among network security experts is that unsafe passwords are one
of the most important causes of Internet security breaches, data theft,
and even identity theft. A static password is "what you know" and it can
be easily leaked or guessed. A much more secure authentication solution
is to combine the static password with a device that you have possession
of (i.e., "what you have"). The device typically generates a random
password (called a One-Time Password, or OTP) for you to use with the
static password for each login. Since only your device can generate the
OTPs to match the ones generated on the server for your account, a
hacker cannot log in to your account without both physical access to
the device and knowledge of your static password. That is an example of
"two factor" authentication. In fact, the US government mandates that
all online banking services must adopt two-factor authentication by the
end of 2006. If you run a web site with valuable and sensitive
information, would you want to be left with inadequate static passwords?
However, in the past, moving to OTP-based two-factor authentication was
costly for web site operators and inconvenient for users. The OTP
generator device (keyfob) had to be custom made, distributed, tracked, and
managed. The server-side authentication software was very expensive and
difficult to integrate into existing infrastructure. As a result, OTP
solutions were only used in the most high-end online services. Well, at
least that was before Triplesec was released. *Triplesec is a low cost
strong authentication solution for web sites, VPNs, and other Internet
applications. It aims to replace today's widely used, but insecure,
static password-based solutions for the mass market.* It has some
distinct advantages over previous generations of OTP solutions.
* *Triplesec is Open Source.* That means you can use it free of
charge. However, a more important advantage of Open Source is that
the code is peer-reviewed by the large user / developer community.
For a security solution, that means fewer bugs and vulnerabilities.
* *Triplesec has a very low barrier to user adoption.* Triplesec
allows users to use their existing mobile phone as the
authentication device (i.e., the "what you have" device). The
Triplesec mobile phone client generates the OTPs. The vast
majority of today's new phones are compatible with Triplesec and
there is no additional service to buy.
* *Triplesec is pure Java-based.* That means the Triplesec server
runs on any server platform and the client runs on almost all
mobile phones.
* *Triplesec uses the standard Kerberos protocol for
authentication.* Since Kerberos is a widely used standard
protocol, the Triplesec server can be easily integrated into the
existing security infrastructure. It has been tested against the
existing Kerberos modules bundled in Solaris, Linux, Windows and
Mac OS X.
To see Triplesec in action, please check out our online demo
<http://demo.safehaus.org/>. To use Triplesec to secure your
applications, please [download the server] and refer to the user /
developer guide. If you are interested in building Triplesec from source
and contributing to the project, please check out our contributor guide.
Niclas Hedhman wrote:
On Sat, Jul 4, 2009 at 12:41 PM, Peter Firmstone<[email protected]> wrote:
I recently stumbled across a complete Java implementation of Kerberos Server
and client software, I'm thinking there may be benefits for River running
with a default authorisation setup, however it's GPL2, so I'd have to ask if
it can be relicensed first.
IIRC, a Kerberos implementation is available in the Apache Directory
Server project, together with many other security related protocols
and services.
Cheers
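The quoted Triplesec text describes the OTP half of two-factor login in prose only: the device and the server each generate the same sequence of one-time codes from a shared secret, and a login needs a correct static password plus a code the server has not yet accepted. The following is an added illustration of that scheme, written for this page; it is not Triplesec's, River's or Apache Directory Server's code, and the page does not say which OTP algorithm Triplesec uses. It uses counter-based HOTP (RFC 4226) as a stand-in for the phone-generated OTP, and PBKDF2 for the stored static password; the account record, the look-ahead window of 10 and the sample secret (the RFC 4226 test-vector secret) are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class ServerAccount:
    """Server-side state for one user (assumed layout for this example)."""
    otp_secret: bytes            # shared with the user's phone/keyfob
    pw_salt: bytes
    pw_hash: bytes
    counter: int = 0             # next OTP counter the server will accept


def make_account(password: str, otp_secret: bytes) -> ServerAccount:
    """Enroll a user: store a salted PBKDF2 hash of the static password,
    never the password itself, alongside the OTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return ServerAccount(otp_secret=otp_secret, pw_salt=salt, pw_hash=pw_hash)


def check_password(account: ServerAccount, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    account.pw_salt, 200_000)
    return hmac.compare_digest(candidate, account.pw_hash)


def verify_otp(account: ServerAccount, candidate: str, look_ahead: int = 10) -> bool:
    """Accept a code for the expected counter or up to `look_ahead` counters
    ahead (the device may have been pressed without logging in). On success
    advance past the matched counter so the same code can never be replayed;
    codes behind the stored counter are rejected for the same reason."""
    for step in range(look_ahead + 1):
        expected = hotp(account.otp_secret, account.counter + step)
        if hmac.compare_digest(expected, candidate):
            account.counter += step + 1
            return True
    return False


def login(account: ServerAccount, password: str, otp: str) -> bool:
    """Two-factor login: both the static password ("what you know") and a
    fresh device code ("what you have") must check out. The OTP counter is
    only consumed when the password is right, so someone holding the
    device but not the password cannot walk the counter forward."""
    if not check_password(account, password):
        return False
    return verify_otp(account, otp)


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 Appendix D secret, so the codes can be
    # checked against the RFC's own test vectors (counter 0 -> 755224).
    secret = b"12345678901234567890"
    acct = make_account("correct horse battery staple", secret)
    print("device shows:", hotp(secret, 0))                          # 755224
    print("good login:", login(acct, "correct horse battery staple", hotp(secret, 0)))
    print("replayed code:", login(acct, "correct horse battery staple", hotp(secret, 0)))
    print("device only, no password:", login(acct, "guess", hotp(secret, 1)))
```

The look-ahead window is the usual trade-off for counter-based codes: too small and a user whose phone has drifted ahead is locked out, too large and an attacker who captured a single code gets a longer window before the counter passes it. Whatever the window, advancing the stored counter on every accepted code is what makes a captured OTP useless for a second login.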