Posted by Colin McKinnon on 11/22/05 00:28
Gordon Burditt wrote:
>>Thoughts include:
>>1--create a different certificate (like SSL or Apache generated cert) for
>>each new company then log them in based on that. Refuse all users except
>>those that have a cert.
>
> This causes a massive effort to distribute the cert within each
<snip>
>
>>2--somehow integrate with company network login system
>
> This means that a dictionary attack against your site can get
<snip>
Not necessarily, although it's far from a trivial prospect.
>>3--check users' referrer domain to verify company - easily spoofed?
>
So no authentication then?
>
>>Other ideas?
>
> Is it feasible to determine company by IP netblock (which the company
> would have to give you)? This may lock out work-from-home users.
>
Host-based authentication is so not the way to go.
You could do a lot worse than the username/password combo. Supplying a
single username/password for a whole company is likely to be a lot safer
and simpler - but you really should provide a mechanism for them to set up
and manage accounts themselves on a per-user basis.
If you trust these people and they really know what they're about, you could
ask them to set up the login on their servers, which then passes an agreed
token - say blowfish(username . timestamp, agreed_site_key) - but if they
can't do that there's not much point in asking them to jump through hoops
building a VPN.
HTH
C.
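The partner-issued token scheme Colin sketches, as an added example that is not from the thread: the partner's login server binds username and issue time under the agreed site key, and the receiving site checks authenticity and freshness. The post suggests blowfish as the keyed primitive; this example substitutes an HMAC-SHA256 tag (an assumption, chosen because it is the standard keyed-integrity primitive), and the key, window and usernames are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample secret shared by the partner's login server and our site
# (the "agreed_site_key" from the post). Not a real key.
AGREED_SITE_KEY = b"constructed-example-shared-key"
MAX_TOKEN_AGE_SECONDS = 300   # reject tokens older than five minutes (replay window)
MAX_CLOCK_SKEW_SECONDS = 60   # tolerate the partner's clock being slightly ahead


def _tag(username: str, timestamp: int, key: bytes) -> str:
    # Keyed tag over "username|timestamp"; HMAC stands in for the post's blowfish().
    message = f"{username}|{timestamp}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_token(username: str, timestamp: int, key: bytes = AGREED_SITE_KEY) -> str:
    """Partner side: produce 'username|timestamp|tag' after its own login succeeds."""
    return f"{username}|{timestamp}|{_tag(username, timestamp, key)}"


def verify_token(token: str, now: int, key: bytes = AGREED_SITE_KEY):
    """Our side: return the username if the token is authentic and fresh, else None."""
    try:
        # rsplit keeps a '|' inside the username from breaking the parse.
        username, ts_str, tag = token.rsplit("|", 2)
        timestamp = int(ts_str)
    except ValueError:
        return None  # malformed token
    if not hmac.compare_digest(tag, _tag(username, timestamp, key)):
        return None  # forged, tampered, or made with a different key
    if timestamp < now - MAX_TOKEN_AGE_SECONDS:
        return None  # stale: an old token being replayed
    if timestamp > now + MAX_CLOCK_SKEW_SECONDS:
        return None  # issued "in the future": clock skew beyond tolerance
    return username


if __name__ == "__main__":
    tok = issue_token("alice", 1000)
    print(verify_token(tok, 1100))   # alice
    print(verify_token(tok, 1400))   # None (stale)
```

Note that a token bound only to username and time can still be replayed within the window by anyone who observed it, so the exchange needs TLS and the window should be as short as clocks allow.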