DIY 2Factor using OpenID Connect as the authentication API

There is no license fee for passwords. It may sound silly, but businesses are simply not used to the idea that they need to pay for authentication. Also, the idea that passwords are dead is crazy. Companies already manage passwords for people. However, as everyone knows, passwords alone are a recipe for disaster. So what is a domain to do if they want to add a second factor of authentication, but they don't want to add yet another SaaS fee or annual per-user license?

QR Code

Tiqr is a free, open source solution developed by SURFnet. SURFnet has published an Android and iPhone application to scan a QR code, which can be displayed on a web page. If you're OK instructing people in your domain to use a SURFnet-branded app, it's a good option. Gluu offers Tiqr authentication as part of its Gluu Server subscription offering. If you want to deploy the Tiqr server yourself, it uses SimpleSAMLphp to publish the authentication APIs, which is pretty easy to install and manage. It's also possible to customize SURFnet's open source applications, to give the app a look and feel more appropriate for your domain.
Push

If you can enroll a person's mobile device, and push a message to that device, it's a very strong indicator that the person has really authorized a transaction. Red Hat has published an open source server called AeroGear Push that acts as a facade for the Apple, Google and Mozilla push networks. There is a nice diagram. Instead of having to learn the APIs of each of these networks, you can make one request to the AeroGear server, such as this device registration call (the target URL was not on the slide; PUSH_SERVER and CONTEXT are placeholders for your server's host and context path):

    curl -u "MobileVariantID:secret" -v \
         -H "Accept: application/json" -H "Content-type: application/json" \
         -X POST -d '{"deviceToken" : "someTokenString", "deviceType" : "iPad",
                     "operatingSystem" : "iOS", "osVersion" : "6.1.2",
                     "alias" : "someUsername or email address...", "category" : "football",
                     "simplePushEndpoint" : "http://server.com/someEndpoint"}' \
         https://PUSH_SERVER/CONTEXT/rest/registry/device
The nice thing about the push approach is that the app doesn't even have to be running for the notification to work, as it is received at the OS level.

Phone

OK, it's not totally free, but at the price service providers like Callcentric sell SIP service, the cost is pretty negligible. In the Asterisk VoIP platform, you can create a dialplan to call a number (that you have pre-associated with the person) and read the DTMF, which could be the person pressing a key, or some PIN number. Asterisk hooks to Java with the Asterisk-Java library, so you can keep all your actual business logic in Java, and just use Asterisk to read the DTMF and to dial the phone number via the SIP trunk.

Browser Certificate

The usability has been terrible, so this is not something I recommend unless you work with an organization full of geeks. But you can launch your own Certificate Authority, or use a free service like CACert.org for user certificates.

Network / Location
Used with care, the network (or, if you look up the respective location of that network, the location) can help you to identify the person. Some domains might allow one method for authentication from their office, and another for remote access. The location can be pretty specific. Some companies are remembering previous locations, and using them for authentication. However, you'll need to read the license agreement of the API to see if your application can use it for commercial purposes. Location can also be a pretty good indicator that it's NOT you: for example, LinkedIn will notify you via email if someone tries to log in to your account from a foreign country.

NFC

The price of NFC stickers and tags has come way down: in bulk, as low as 0.20 apiece. I just ordered a few from RapidNFC. NFC is both readable and writable. There is not much room, only about 64 characters, but enough to put a URL or access token that can add security over a password alone.

Browser Session Information

Cookies are also not a very strong way to identify a person, but many consumer services use them as a factor. For example, when you go to Amazon, they recognize you, and step up the authentication when you place an order or edit your profile.
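The Push and Phone factors above both come down to the same server-side bookkeeping: issue a short-lived, single-use challenge tied to one transaction, deliver it (as a push notification, or as a PIN the person keys in over DTMF), and verify what comes back. The following is an added Python sketch of that bookkeeping, not code from the slides or from Gluu; Challenge, issue_challenge and complete_challenge are names assumed here, and the delivery itself (the push request or the Asterisk call) is left to the caller.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PIN_DIGITS = 6      # short enough to key in over DTMF or read off a push notification
TTL_SECONDS = 90    # a push or phone call that takes longer than this is stale
MAX_ATTEMPTS = 3    # wrong guesses before the challenge is burned

@dataclass
class Challenge:
    user: str
    purpose: str        # what is being approved, e.g. "login from 192.0.2.9" (constructed)
    pin_hash: bytes     # only a keyed hash of the PIN is kept server-side
    expires_at: float
    attempts: int = 0
    used: bool = False

_pending: Dict[str, Challenge] = {}   # in-memory store; a real deployment would persist this

def _hash_pin(challenge_id: str, pin: str) -> bytes:
    # Key the hash with the challenge id so a PIN only means something for its own challenge.
    return hmac.new(challenge_id.encode(), pin.encode(), "sha256").digest()

def issue_challenge(user: str, purpose: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a pending approval and return (challenge_id, pin). The pin is what you push
    to the enrolled device, or read back as DTMF from the Asterisk call."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
    _pending[challenge_id] = Challenge(user, purpose, _hash_pin(challenge_id, pin), now + TTL_SECONDS)
    return challenge_id, pin

def complete_challenge(challenge_id: str, entered_pin: str, now: Optional[float] = None) -> bool:
    """Verify the PIN the person keyed in: time limited, attempt limited, single use."""
    now = time.time() if now is None else now
    ch = _pending.get(challenge_id)
    if ch is None or ch.used or now > ch.expires_at:
        return False
    ch.attempts += 1
    if ch.attempts > MAX_ATTEMPTS:
        del _pending[challenge_id]      # too many guesses: the challenge is gone for good
        return False
    if not hmac.compare_digest(_hash_pin(challenge_id, entered_pin), ch.pin_hash):
        return False
    ch.used = True                      # a correct PIN approves exactly one transaction
    return True
```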
The Context

The best possible usability for an authentication mechanism is the one you never see. A relying party (i.e. a website) can add up all the contextual pieces of information to determine if interactively authenticating the person is necessary for their respective transaction. The trendy jargon for this is adaptive authentication. I can't tell you what those indicators are for your business; they may include device IDs, or something specific to your service offering or product. But use 'em if you got 'em.

Publish an authentication API

Once you've figured out what factors you want to use for authentication, you may want to look at OX as a way to publish a standard OAuth2 API for your authentication mechanism. This Gluu blog contains information on how to use OX Custom SSO Authentication scripts to use Python to code the business logic. You can also watch the Gluu video on Strong Authentication.

Article Resource: http://thegluuserver.blogspot.in/2013/10/diy-2factor-using-openid-connect-as.html
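As an added example (not from the slides, nor OX's own code), here is how the adding-up described under The Context might look as Python logic of the kind a custom authentication script could call. The office networks, the cookie-based device recognition and the foreign-country rule are constructed from the Network / Location and Browser Session Information sections; LoginContext, UserHistory and required_factors are assumed names, and the geo-IP lookup that fills in the country is left to the caller.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample policy: the networks a domain treats as "the office".
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/25")]

@dataclass
class LoginContext:
    ip: str
    country: str                      # looked up from the network, e.g. through a geo-IP API
    device_cookie: Optional[str]      # long-lived "remember this browser" cookie, if any
    sensitive: bool                   # placing an order, editing the profile, and so on

@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)     # cookies seen after a full login
    known_countries: Set[str] = field(default_factory=set)   # remembered previous locations

def required_factors(ctx: LoginContext, history: UserHistory) -> Tuple[List[str], bool]:
    """Add up the contextual signals. Returns (factors to prompt for, notify-by-email).
    An empty factor list means the person gets through without seeing a prompt."""
    addr = ipaddress.ip_address(ctx.ip)
    in_office = any(addr in net for net in OFFICE_NETWORKS)
    known_device = ctx.device_cookie is not None and ctx.device_cookie in history.known_devices
    new_country = bool(history.known_countries) and ctx.country not in history.known_countries

    if new_country:
        # The LinkedIn case: location says it is probably NOT the user. Ask for everything and tell them.
        factors, notify = ["password", "push"], True
    elif in_office and known_device:
        factors, notify = [], False          # strongest context: nothing to ask interactively
    elif in_office or known_device:
        factors, notify = ["password"], False
    else:
        factors, notify = ["password", "push"], False
    if ctx.sensitive and "push" not in factors:
        factors.append("push")               # the Amazon pattern: recognised, but step up for an order
    return factors, notify
```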