Web-application: Two element login

I'm developing web-applic开发者_运维技巧ation that needs very high security - one of requirements is you'll need password and second factor to gain access - for eg. token, fingerprint scanner, magnetic card etc.

My question is: Is there any resonable way for webbrowser to access data from devices like card reader or finger print scanner and send it during login proccess? Java applet, browser plugin? Something else? Or token is only option?

EDIT: I've found something about two-way certificate auth where client and server exchanges thier certificates - it seems it's possible for client certificate to be secured with smart card, so user has to put it in reader during login process. Maybe someone knows something more about it?

For a web application I would suggest using mobile phones. When a user tries to log in he/she gets a text message that he has to enter in addition to his password.

There are numerous service providers that offer sending text messages via simple REST API's for an affordable fee. When security is a big concern that extra cost should not be a big issue.

I'm afraid to interact with external hardware you are stuck with writing a native browser plugin or ActiveX control (in the case of IE). However, some magnetic card readers will actually behave like a keyboard (i.e. they will "type" out the data they read from the card followed by some sort of control character like \n) - so with some focus() trickery, you could conceivably capture the input of the reader without using anything but pure JS.

I have a few suggestions:

• Do like some banks does, give the client a file with info needed to get in. Then encrypt the file and check the the hash of it. (maybe both sha1 and md5?) Your only concern here would be theft of the file.
• Get inspiration from steam, send verification email whenever a user logs on from a new computer (and/or browser and/or ip maybe?)
• Also, you could give the user a list of predefined keys, (via. mail, e-mail or in person) then whenever a user needs to log on, ask for a random key, and when it's used discard of it in the system. Downside is you'd have to hand out a new list when they get used up. (I've seen systems like this work very well before.)

Hope any of this is any inspiration.

One thing you might consider is implementing something akin to Blizzard's Authenticator for World of Warcraft. It's an 8-digit code that changes every 60 seconds and is tied to a specific serial number. You'd store the serial with the user account record and compute the expected code based on that and the current time. It's a system that's stood against a veritable armada of highly-motivated hackers, so at least it's reasonably secure.

The main benefit is that you don't have to directly interface with the hardware and the user can authenticate from anywhere. The downside is that you don't have the same feeling of safety as with checking physical hardware.