Rolan Yang wrote:
> At the Joomla Day during the security breakout session, the discussion drifted towards various methods of login authentication. The topic of SecurID was mentioned as being an expensive alternative. I just noticed today that PayPal is offering a SecurID keychain fob for $5. It would be simple to write a small PHP authentication function which acted as a proxy to PayPal, accepting an email, password, and SecurID code, sending off an https request, parsing the response and returning a TRUE or FALSE authenticated result.
>
As an alternate method of doing security, you could use the SecurID and perform a payment process to verify the logon. I.e., someone goes to your website and clicks on a Secure Logon link. Your site directs them over to make a PayPal "purchase" of 1 cent. They log on to PayPal using their userid, password, and SecurID keychain (if they so desire). The payment is processed and PayPal returns them to your website. You verify the payment and grab their PayPal account email address to verify the account they are logging into.

The downside of this is every logon costs a few cents (the 1 cent fee, plus PayPal minimum fees on you).

The upside is that even if your website is completely compromised, the only PayPal id that is compromised is the one used to accept payments. All the other logons occur on PayPal's site so you never capture userids or passwords (well, ok, you capture userids since PayPal uses the email address. But you won't get their passwords.)
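One way to implement the "verify the payment" step described above, as an added example that is not code from the thread or from PayPal: a PHP handler for PayPal's asynchronous IPN postback that echoes the received fields back to PayPal for validation before trusting any of them, checks that the payment is the expected 1-cent purchase to the merchant account, rejects replayed transaction ids, and only then returns the payer's email as the candidate identity. The IPN endpoint and field names follow PayPal's published IPN protocol, and the `seen_txn` SQLite table and `$db` handle are assumptions for this example.

```php
<?php
// Added example (not from the thread): treat a PayPal IPN message as proof
// of a 1-cent "logon purchase", then return the payer's account email.
// Assumptions: PayPal's IPN postback protocol (cmd=_notify-validate, reply
// "VERIFIED"/"INVALID") and field names; an SQLite PDO handle $db with a
// table seen_txn(txn_id TEXT PRIMARY KEY) for replay protection.

const IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const MERCHANT_EMAIL = 'payments@example.com'; // the account receiving payments
const LOGON_AMOUNT   = '0.01';
const LOGON_CURRENCY = 'USD';

/**
 * Returns the payer's email on success, or null if the notification must not
 * be trusted. $post is the raw $_POST array PayPal delivered to the IPN URL.
 */
function verify_logon_payment(array $post, PDO $db): ?string
{
    // 1. Echo the message back to PayPal. Only a "VERIFIED" reply proves it
    //    originated from PayPal; anyone can POST fields to our IPN URL.
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => 'cmd=_notify-validate&' . http_build_query($post),
        'timeout' => 10,
    ]]);
    if (@file_get_contents(IPN_VERIFY_URL, false, $ctx) !== 'VERIFIED') {
        return null;
    }

    // 2. The payment must be to OUR account, completed, and for exactly the
    //    expected amount and currency (a different receiver or a pending
    //    payment would still produce a VERIFIED reply).
    if (strcasecmp($post['receiver_email'] ?? '', MERCHANT_EMAIL) !== 0) return null;
    if (($post['payment_status'] ?? '') !== 'Completed') return null;
    if (($post['mc_gross'] ?? '') !== LOGON_AMOUNT) return null;
    if (($post['mc_currency'] ?? '') !== LOGON_CURRENCY) return null;

    // 3. Replay protection: one txn_id authenticates exactly one logon.
    //    INSERT OR IGNORE is SQLite syntax; the row count tells us whether
    //    this transaction id has been seen before.
    $txn = (string)($post['txn_id'] ?? '');
    if ($txn === '') return null;
    $ins = $db->prepare('INSERT OR IGNORE INTO seen_txn(txn_id) VALUES (?)');
    $ins->execute([$txn]);
    if ($ins->rowCount() === 0) return null; // replayed notification
    $email = strtolower((string)($post['payer_email'] ?? ''));
    return $email !== '' ? $email : null;
}
```

The returned address still has to be matched against the account the user is trying to log into, as the reply describes. IPN arrives asynchronously, so the browser's return from PayPal should wait on this result rather than be trusted on its own.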
_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php