Ethernet MAC address, but it's also spoofable. And dial-up customers don't have one. And multiple NIC systems (like mine) different routes and IP addresses would not work.

Anyway, nailing down the computer is not as important (to me) as nailing down the user.
It comes down to the three elements of authentication:
* something you know (password)
* something you have (key, maybe a one-time pad)
* something you are (fingerprint)


Most of us can only do the least secure authentication -- password.

bill

On Tuesday, March 22, 2005, at 10:07 AM, Mark Weiss wrote:

Bill,

I agree with "locks only keep honest people honest." On one level, I am ok
with that. However, I really wish there was a way to get some machine
specific information to do this. I suppose it creates privacy problems etc,
and even that could be masqueraded I suppose.


Any other ideas?

Mark

On 3/22/05 9:58 AM, "Bill Conlon" <[EMAIL PROTECTED]> wrote:

This is along the lines of "locks only keep honest people honest".
There is no reason that the persistent cookie, stored in a file on the
PC, can't be stolen or transferred to another system.


On Tuesday, March 22, 2005, at 09:28 AM, Chris Millet wrote:

We did this by simply using a cookie. A cookie is set during the first
session, and then each subsequent session requires username, password
and cookie to enter the site. The cookie restricts access not only to
a single PC, but to a single browser as well.


The important thing is to notify the users about the restricted access
ahead of time and give instructions on what to do if a problem occurs.
When a problem does occur, the user simply sends a request to reset
their account. This provides a way to monitor potential suspicious
activity. So far it has worked very well, and only a couple of resets
are required a month for a base of about 1,000 users.


Chris


On Mar 22, 2005, at 10:50 AM, Mark Weiss wrote:

Hi,

I am about to deploy a system for B2B ordering. Does anyone know of a way
to set up user accounts from the customer's desktop and capture some unique
identifier from his PC so that in the future, if someone tried to log in
using their username/password from another desktop, it would not work?


I don't mean to be too paranoid. Just wanting to lock things down as much as
is possible to protect us and protect the customer's information.

Running Witango on OSX Panther Server, 10.3.8. Witango 5.5. Apache 1.3.

( And thanks to Robert Garcia, we have not experienced a single crash at
this point after 2 months. Not a high volume site though, but so far fast
and reliable. We have a date handling anomaly that I think is a Witango
issue, but other than that life is good. )


Mark Weiss



________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
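The cookie scheme described in the thread (username, password and a cookie set during the first session, with a reset request when the cookie is missing), as an added Python example that is not code from the thread or from Witango. The class, method and status names are hypothetical, the store is in-memory, and the account data is constructed.

```python
import hashlib, hmac, secrets

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DeviceCookieStore:
    """Hypothetical in-memory account store; a real site would use its database."""

    def __init__(self):
        self._users = {}  # username -> {"salt", "pw", "cookie_hash"}

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "pw": pw_hash(password, salt),
                                 "cookie_hash": None}

    def login(self, username, password, cookie=None):
        """Return (status, cookie_to_set_or_None)."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(
                user["pw"], pw_hash(password, user["salt"])):
            return "denied", None
        if user["cookie_hash"] is None:
            # First session, or first session after a reset: enrol this browser.
            token = secrets.token_urlsafe(32)
            # Only a hash of the cookie value is kept server-side.
            user["cookie_hash"] = hashlib.sha256(token.encode()).digest()
            return "enrolled", token
        presented = hashlib.sha256((cookie or "").encode()).digest()
        if hmac.compare_digest(presented, user["cookie_hash"]):
            return "ok", None
        # Correct password but wrong or missing cookie: refuse and log for review.
        return "reset_required", None

    def reset(self, username):
        """Operator action taken when the user sends a reset request."""
        self._users[username]["cookie_hash"] = None

def demo():
    store = DeviceCookieStore()
    store.register("buyer1", "constructed-password")
    _, cookie = store.login("buyer1", "constructed-password")
    same_browser = store.login("buyer1", "constructed-password", cookie)[0]
    other_pc = store.login("buyer1", "constructed-password")[0]
    # The cookie is a bearer value: a copy presented from elsewhere also verifies.
    copied = store.login("buyer1", "constructed-password", cookie)[0]
    store.reset("buyer1")
    after_reset = store.login("buyer1", "constructed-password")[0]
    return same_browser, other_pc, copied, after_reset
```

`demo()` returns `("ok", "reset_required", "ok", "enrolled")`: the third value is the case raised in the thread, where the server cannot tell a transferred cookie from the original browser.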


