Jump to content

Two-factor authentication schemes


Anorath_Blue

Recommended Posts

Hey all,

Anorath here, new to the boards, long time lurker and watcher.

Today I was having a chat with my boss about the need for two-factor authentication for our Outlook for Web Access system. It seems the higher ups have a need for greater security when our sales reps and program managers access their email from home and I am one to agree with them. After a lengthy discussion we came to the conclusion of using a system similar to the RSA Secure ID keyfob.

For those who are unfamiliar with this system it consists of a keyfob which flashes sudo-random patterns of numbers ever thirty seconds or so. These patterns are in sync with the server and the user is required to enter these numbers as a part of the login prompt appended to their password. While this system would work and has premade implementations for OWA I can't help but think that there can be a better way to accomplish the same goal using the existing system.

So here is the basis of my idea and please note that I have not had time to actually mess around with a test server. All of the users who are given access to OWA also have a company issued blackberry. I know that there are banking websites which, as a part of their login process send a sudo-random key to the users cell phone which the user then has to enter in order to access their accounts. Putting two and two together I jumped to the natural conclusion.

A user enters their username and password credentials at the standard OWA prompt. The if these credentials check out then a sudo-random key is generated and sent to the users blackberry via SMS via the onsite blackberry server. The OWA access site then asks for the user to enter the passkey (and perhaps username again?). The passkey entered is checked vs. the server-side key and if they match the user is then redirected to the OWA site and can continue as normal.

Now here is my question. How would one go about changing the standard OWA login system to include this sort of second-factor of authentication? Does the exchange system allow for this sort of customization out of the box?

As I said, I haven't had time to load up a test server in a virtual environment to experiment with this idea and its looking like I won't have time until the new year (stupid Christmas backlog and exams). But any ideas or thoughts on this would be most helpful.

Thanks all,

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...