By: Kurt Seifried, [email protected], Copyright Kurt Seifried, 2001
Like most authentication problems, this one has many solutions. Finding one that fits into your existing framework and doesn't open up any new holes can be tricky. The other major difficulty with web-based authentication is keeping track of the user during the session, and closing the session off once the user is done (of course the user will often not tell the server when this occurs, so the server has to expire sessions on its own). Adding to these problems is the simple fact that the user will often be using an untrusted terminal (a public kiosk, etc.) to access the web site, so an attacker may have installed a keyboard sniffer and so on; anything the user types, including a static password, can be captured and replayed later.

You will be restricted by your choice of web server and client platform (especially if you do not control the client platform). Generally speaking, smartcards, fingerprint scanners, retinal scanners, and any other methods that require additional hardware or software on the client will be difficult and expensive to deploy and maintain. Key tokens and similar items offer more hope, since the interface is independent of the computer (you punch your PIN and a challenge number into the token and it spits out a response, so a sniffed response is useless for the next login); unfortunately these items also tend to be expensive.
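Server-side session expiry of the kind described above, as an added example that is not code from the original article: a minimal session store that issues a random, unguessable session identifier and enforces both an idle timeout and an absolute lifetime, so a session left open on an abandoned kiosk dies even though the user never logged out. The timeout values, the injectable clock (so the behaviour can be exercised without waiting), and the `demo()` walkthrough are assumptions for illustration; how the identifier is carried (a cookie over an encrypted connection) is outside the scope of the block.

```python
import secrets
import time

# Assumed policy values for illustration; tune to the application's risk.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap from creation, regardless of activity


class SessionStore:
    """In-memory session table with idle and absolute expiry.

    The clock is injectable so expiry can be tested deterministically;
    in production the default time.time() is used.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user):
        # 32 random bytes (256 bits) from the OS CSPRNG: the identifier
        # must be unguessable, since whoever presents it *is* the user.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def _expired(self, entry, now):
        return (now - entry["created"] > ABSOLUTE_LIFETIME
                or now - entry["last_seen"] > IDLE_TIMEOUT)

    def lookup(self, sid):
        """Return the user for a live session, or None.

        A dead session is removed on first sight rather than merely
        refused, so the identifier cannot be revived later.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if self._expired(entry, now):
            del self._sessions[sid]
            return None
        entry["last_seen"] = now     # activity resets only the idle clock
        return entry["user"]

    def destroy(self, sid):
        """Explicit logout; safe to call on an unknown or already-dead id."""
        self._sessions.pop(sid, None)

    def sweep(self):
        """Drop every expired session (run periodically); returns the count.

        Needed because lookup() only reaps sessions someone presents again;
        a session nobody touches would otherwise linger in memory forever.
        """
        now = self._clock()
        dead = [sid for sid, e in self._sessions.items() if self._expired(e, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def __len__(self):
        return len(self._sessions)


def demo():
    """Walk a session through its life with a fake clock; returns the outcomes."""
    fake = {"t": 1_000_000.0}
    store = SessionStore(clock=lambda: fake["t"])
    sid = store.create("alice")
    results = {"fresh": store.lookup(sid)}
    fake["t"] += IDLE_TIMEOUT - 1           # just under the idle limit
    results["active"] = store.lookup(sid)   # still alive, idle clock reset
    fake["t"] += IDLE_TIMEOUT + 1           # now past the idle limit
    results["idle_expired"] = store.lookup(sid)
    results["unknown_id"] = store.lookup("not-a-real-session-id")
    return results


if __name__ == "__main__":
    print(demo())
```

The two timers guard different failure modes: the idle timeout closes the kiosk session the user walked away from, while the absolute lifetime bounds how long a stolen identifier stays useful even if the attacker keeps it active.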