
Two factor authentication mechanism [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.

Closed 7 years ago.


I have tried to imitate a similar system to the RBS UK website. I have actually increased the security for an experiment. So I have used a staff ID and captcha mechanism on the entry page, and once the user enters the correct Staff ID and Captcha, Username and password will be requested. So I want to know, from a security point of view, does having the Staff ID there along with the Captcha have any point? Or is the explanation as simple as one more thing to identify the user? Let me know your opinion.

Confused? It's okay then. Thank you anyway.


This is not two factor authentication because you only have one factor - something the person "knows". What you don't have is something the person "has" (such as an RSA token or mobile phone), or something the person "is" (such as a biometric fingerprint or iris scanner).

What you do have is a usability nightmare; staff ID + CAPTCHA + username + password. Unless there's something super-sensitive you're protecting (in which case you want to look at genuine two factor auth), you're better off implementing a strong username and password scheme to begin with.


If your security really mandates two-factor authentication, you should obviously a) do it correctly and b) use an existing vendor's security token offering.

Of course, historically SecurID has been the main vendor; its tokens generally display continually changing time-based pseudo-random numbers. However, others are available, and its security has been publicly criticised.

But you can't do any of this without a clear strategy and architecture in place. You can't insist on two-factor authentication for your users without operations or support staff requiring it as well, which probably involves some infrastructure changes, and your operations engineers buying into it.

