He might have seen something like the RSA dongle that some cryppies have been playing around with and cracking [bits.blogs.nytimes.com]. Have no idea how it would be implemented, but hope it's somewhat of a start.
Hmm...thanks, but that looks really overkill for what we need.
I could think of ways one could implement something like this without too much effort. However, only of ways that only look like they provide additional security.
For example you could write a program that generates a unique id every time it is started and submits this id to the website every x seconds and also displays the id to the user. To log in the user has to submit a valid key in addition to his login details. If the id is no longer submitted from the program to the website the user's session is terminated. The program also checks every x seconds if the USB stick is still plugged in, and if not stops submitting the id.
Something like this.
Does your boss want additional security or does he only want to look cool with his USB stick and have the USB stick as some insignia of power? Like keys to the CEO restroom?
I am pretty sure he wants additional security... i.e. no one can access the website at all unless something is provided on the user-end. (I am open to any suggestions to that)
However, he wants it to be portable for non-literate computer people. Something he can just plug into a USB port that lets them access the web site.
And, yes, I think he just wants to look cool.
However, if there are easier options I am open to suggestions. I might be able to play up my 'No, maaan, that's not cool anymore!' speech.
In order for something on a USB stick to "provide something to the website", some sort of program will need to run on the user's PC and communicate with the site. This activity looks so like a virus that most computers will block the communications in the firewall or in their internet security.
The best you could do would be to have a program on the memory stick that generates a supposedly random number. Base this on the current date and time and some other static predefined characters and then apply MD5 or something similar. Every time the program is run, a different number appears. Have this key shown on a totally impressive "Your Personalised Security Key" screen.
Bonus points if you can make this key dozens of characters long and you can disable cut and paste "for security reasons".
On the website, have the standard htpasswd user name and password challenge to keep people out, then a totally impressive splash screen that demands the "Boss Security Key". Enter that number in the box and let the script de-MD5 it to get the original date and time and the original static character string back out. Now compare the date and time supplied by the server clock with that entered by the user in the "key" and if they are within 5 minutes of each other, allow access.
Bonus points if you arrange that the name of the security key program is an acronym that spells out IDIOT or something similar...
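A time-windowed key of the kind described in the post above can only be checked by recomputing it on the server, since a hash cannot be turned back into the date and time. The sketch below is an added example, not code from the thread: it swaps MD5 over a static string for HMAC-SHA-256 over a per-user secret, accepts the current 5-minute window plus one window either side, and all names and the sample secret are hypothetical.

```python
import hashlib
import hmac
import time

WINDOW_SECONDS = 300  # one time window, from the post's 5-minute tolerance

# Constructed sample secret. Assumption: in practice this is a random
# per-user value stored on the stick and on the server, not a static
# string shared by every copy of the program.
SAMPLE_SECRET = b"constructed-demo-secret-not-for-production"


def make_key(secret: bytes, now: float) -> str:
    """Client side: derive the key for the time window containing `now`."""
    counter = int(now // WINDOW_SECONDS)
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:32]


def verify_key(secret: bytes, submitted: str, now: float) -> bool:
    """Server side: recompute the expected keys and compare.

    The server never extracts a timestamp from the submitted value; it
    derives the keys for the previous, current and next window from its
    own clock, which tolerates drift between the client and the server.
    """
    candidate = submitted.strip().lower().encode()
    ok = False
    for drift in (-1, 0, 1):
        expected = make_key(secret, now + drift * WINDOW_SECONDS).encode()
        # Constant-time comparison, and no early exit from the loop, so
        # timing does not reveal how close a guess was.
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    t = time.time()
    key = make_key(SAMPLE_SECRET, t)
    print("key shown to the user:", key)
    print("accepted 2 minutes later:", verify_key(SAMPLE_SECRET, key, t + 120))
    print("accepted 1 hour later:", verify_key(SAMPLE_SECRET, key, t + 3600))
```

Anyone who can copy the secret off the stick can generate valid keys, so this adds a possession factor only as long as the stick itself is protected.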
I like the cut of your jib.
And extra bonus points if the skiddies don't decide to try to get into the "secure site"..just for the lulz..
g1smd :) ..good thing I'm changing this tee shirt, I've got wine down it now ..:)) you should give warnings ..
I presume you'd also advise an animated "enhanced" pixels login screen like the flash movies on the CSI screens ..remote fingerprint ID even..ID thumb drives exist.. for the "bat belt" market..
weblamer ..how much budget does "the boss" have for this ? we might all be able to make a combined "pitch"..if it is windows there is even the option to have it trigger a "welcome" boss via a prompt to VBS or action script using the "mary in space voice" if he puts his eyeball for retinal scan, close to the webcam..
"that looks really overkill for what we need."
Of course it is, that's why he wants it ;)
You can use self-signed certs to restrict access to Apache to hosts with the appropriate certificates installed.