
Month: April 2009

Techy: Token Authentication instead of passwords

I’ve been spending quite a bit of time recently creating a login system (coping with OpenID, Facebook Connect and Microsoft LiveID/Passport) and, of course, the “common and/or garden” email address and password system.

Whilst we do deal with credit card and payment details on the system, it doesn’t need to be “that secure” relating to user authentication (hence we haven’t needed to consider proper two-factor logins: where you log in with one password and then need to log in again using something else). However, recent security snafus (such as the WebHostingTalk database exploit) are making me think that perhaps we should consider offering an alternative to the standard password system.

There are hardware one-time password tokens out there such as MyPW (which is very similar in looks to the token used by HSBC Bank) and YubiKey (as used by Tom at Nominet) along with Verisign’s VIP Authentication system for iPhones: however, all these OTP (One Time Password) systems are designed to be used in conjunction with an existing username and password (i.e. two-factor logins): but has anyone actually implemented a login system which uses the OTP as the SOLE password?

Any pluses/minuses or thoughts about it? Even if you haven’t implemented it, but just think it’s a good or bad idea – please let me know!

News: Well Done Assistant Commissioner Bob Quick

If you’ve been even slightly following the news, you might have read that “Britain’s most senior counter-terrorism officer Assistant Commissioner Bob Quick” made a security blunder on Wednesday the 8th of April by accidentally exposing a “Secret” document to Downing Street photographers (technically a breach of the Official Secrets Act).

However, he has done the honourable thing and actually resigned over the issue stating “I have today offered my resignation in the knowledge that my action could have compromised a major counter-terrorism operation.” It just makes such a refreshing change for somebody quite high up in the country to take responsibility for their actions: now I just wonder if the G20 officer who hit a bystander with his baton and pushed him to the floor or Jacqui two homes/husband pay-per-movie expenses Smith will resign over costing people their lives and the taxpayer over £116,000 for secondary houses [including £568.95 for TWO washing machines and £500 on a shower mixer!].

Snippet: Adding ISOs to XenCenter

Here’s just a reminder in case I forget/lose how to add ISOs (DVD/CD images) to Citrix’s/XenSource’s XenCenter/Xen virtualisation software. From XenSource 5.0 and above, do NOT copy the ISOs to /opt/xensource/packages/iso as this directory is now reserved for “built-in ISO” images – you’ll need to follow these steps instead:

From Xensource.com:

To use local ISO storage from the control domain
1. Log onto the host console.
2. Create a directory to copy the local ISOs into:
mkdir -p /var/opt/xen/iso_import
3. Create an ISO storage repository by:
xe sr-create name-label=isos type=iso device-config:location=/var/opt/xen/iso_import/ device-config:legacy_mode=true content-type=iso
4. Copy the ISO images into this directory, taking care not to fill up the control domain filesystem.
5. Verify that the ISO image is available for use by xe vdi-list, or checking the CD drop-down box in XenCenter.
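
Step 4's warning about filling up the control domain filesystem can be enforced rather than remembered. The following is an added example, not part of the XenSource instructions: the function names (free_kb, size_kb, copy_iso) and the 512 MiB reserve are assumptions, and the default directory is the one created in step 2.

```shell
#!/bin/sh
# Added example: guard for step 4 of the procedure above.
ISO_DIR="${ISO_DIR:-/var/opt/xen/iso_import}"  # directory from step 2
RESERVE_KB="${RESERVE_KB:-524288}"             # assumed margin: 512 MiB

# Free space in KiB on the filesystem that holds path $1 (POSIX df format).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Size of file $1 in KiB, rounded up.
size_kb() {
    bytes=$(wc -c < "$1") || return 1
    echo $(( (bytes + 1023) / 1024 ))
}

# copy_iso SRC [DEST_DIR] [RESERVE_KB]
# Returns 0 on success, 2 if SRC is missing, 3 if the copy would leave
# less than RESERVE_KB free, 1 on any other failure.
copy_iso() {
    src=$1; dest=${2:-$ISO_DIR}; reserve=${3:-$RESERVE_KB}
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }
    mkdir -p "$dest" || return 1
    need=$(size_kb "$src") || return 1
    avail=$(free_kb "$dest")
    [ -n "$avail" ] || { echo "cannot read free space for $dest" >&2; return 1; }
    if [ $(( avail - need )) -lt "$reserve" ]; then
        echo "refusing $src: needs $need KiB, $avail KiB free, $reserve KiB reserved" >&2
        return 3
    fi
    # Copy under a temporary name so an interrupted copy never leaves a
    # truncated image under its final .iso name.
    name=$(basename "$src")
    tmp="$dest/.$name.part"
    if cp "$src" "$tmp" && mv "$tmp" "$dest/$name"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Source the file on the host console and call copy_iso with the path to each image; a return code of 3 means the image was left uncopied because it would have eaten into the reserve.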