jtara - 5:17 pm on Jul 8, 2006 (gmt 0)
Apache also has mod_proxy, which can make it act as a proxy server. At worst, then, you'd have to modify an example authentication module so that it changes the password after each use. But perhaps such an authentication module already exists. (It does - see below!)

Better yet would be to use a SecurID device. This is a little keychain-fob device that has a numeric keyboard and small display. These are used by banks, brokerages, etc. My stock broker provides me with one of these to access their site. First, you enter a PIN into the device. The website displays a number before logging in. You also enter this number into the device. It then displays a temporary passcode, which you then enter into the website. Upon next use, it generates a new temporary passcode. This scheme is one means of implementing so-called "two factor authentication".

And, of course, RSA (the manufacturer - I'm sure there are other manufacturers of similar devices) provides an Apache authentication module! (RSA Authentication Agent 5.3 for Apache Web Server). I dunno the costs or if this would be practical for an individual to implement. It does appear that the authentication agent is a free download, though. I also see that they are offering a free Authentication Manager and SecurID Token trial for developers. :)

I see a couple of intriguing commercial opportunities here:

1. A third-party proxy service. Not as secure as running this on your own home computer, of course, since you would have to trust the service. Probably best if done by a trusted big name.

2. A website explaining just how to do this. In my searching, I did not come across a site explaining just how to do this at home. I think it would make an intriguing mini-site (which could potentially draw high-value security-related ads). If you have the time, you just might develop such a site as you poke through the RSA documentation and experiment with your server. :)

If you do a search for "SecurID" you will come up with all sorts of intriguing possibilities, both in the natural search results and in the ads. For example, somebody has a password scheme that uses your typing rhythm for authentication.
Here's a thought: the Apache web server has pluggable authentication modules. There are quite a number available (for example, to authenticate against user ID/password stored in various kinds of database such as MySQL, against LDAP, etc.).

RSA SecurID® hardware tokens provide "hacker-resistant" two-factor authentication, resulting in easy-to-use and effective user identification. Based on RSA Security’s patented time synchronization technology, this authentication device generates a simple, one-time authentication code that changes every 60 seconds.
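
The server-side check behind a code that "changes every 60 seconds" and is good for one use only, as an added example (not part of the original post, and not RSA's proprietary SecurID algorithm): it uses the open HOTP/TOTP construction from RFC 4226/6238 with a 60-second step and refuses any code whose time step has already been accepted. `OneTimeVerifier`, the user name and the shared secret are hypothetical names and constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code, matching the 60-second rotation quoted above
DIGITS = 6   # code length (assumption; tokens vary)

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class OneTimeVerifier:
    """Server side: accepts the code for each time step at most once per user."""

    def __init__(self, secrets: dict, drift_steps: int = 1):
        self.secrets = secrets      # user -> shared secret provisioned with the token
        self.drift = drift_steps    # tolerated clock skew, in steps
        self.last_used = {}         # user -> highest time step already accepted

    def verify(self, user: str, code: str, now: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = int(now) // STEP
        matched = None
        for counter in range(max(0, current - self.drift), current + self.drift + 1):
            # Constant-time comparison: do not leak how many digits matched.
            if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
                matched = counter
        # Replay protection: a code from an already-used or older step is
        # refused, so a captured passcode cannot be entered a second time.
        if matched is None or matched <= self.last_used.get(user, -1):
            return False
        self.last_used[user] = matched
        return True

if __name__ == "__main__":
    # Constructed sample data: the RFC 4226 test secret and a made-up user.
    v = OneTimeVerifier({"alice": b"12345678901234567890"})
    print(v.verify("alice", hotp(b"12345678901234567890", 1), now=75))  # first use
    print(v.verify("alice", hotp(b"12345678901234567890", 1), now=80))  # replay
```

In a deployment `last_used` has to live in storage shared by every server process, otherwise a replayed code can be accepted by a worker that has not seen the first use.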