Before we go into the details, let me explain what two-factor authentication means. I am pretty sure all of you have used an ATM card. To complete a transaction you need to have the ATM card (what you have) and you must also enter a valid PIN (what you know). Here you combine two factors, “what you have” and “what you know”, to securely complete a transaction. An attacker who obtains only one of the two, a stolen card without the PIN or a shoulder-surfed PIN without the card, cannot complete the transaction.
We (http://www.palisha.com) do a lot of consulting work with our healthcare clients. Securing patients’ health information is of utmost importance for many of them. Yet this information has to be exchanged through web applications, where a password alone can be guessed, phished or stolen in transit by a man-in-the-middle. One way to make sure that only the appropriate people access patients’ health information is to apply two-factor authentication. It is not optional anymore; it has been mandated. There are several ways to combine two factors to achieve greater security. I am going to describe an elegant, simple and cost-effective solution here.
When you register (set up) a user in your web application, generate a random secret for that user and store it as part of his/her profile. Do not let the user pick the secret: it must be unpredictable, and Google Authenticator expects it base32-encoded. There are well-published open standards for turning such a secret into time-based passcodes: TOTP (RFC 6238), which is the HMAC-based OTP of RFC 4226 with the counter replaced by the current 30 second time step. The user then installs the Google Authenticator mobile application on his/her smart phone and sets up a profile for this application using exactly the same secret.
Now, when the user logs in to this web application, in addition to supplying a username and password, he/she also has to provide the OTP (one-time password) generated by the time-based algorithm. See the screen shot below.
You can achieve two-factor authentication using client certificates as well. But I liked this solution mainly for its simplicity (while still being very secure). Also, it costs you nothing. One caveat: the code proves that the user holds the phone, but it does not by itself protect against a live phishing page that relays the code to the real site within the same time window, so TLS on the application and user awareness still matter.
To make the end-user experience better, when we register (or create) a new application user for our web application, we generate a QR code that encodes the secret, the account name and the application name in the otpauth:// URI format that Google Authenticator understands. The user scans it with the mobile application and it automatically creates the profile for this web application, so the end user need not type in the secret, application name, etc. to create the profile.
The only real challenge in this solution is keeping the clocks in sync. Since most smart phones and computers sync their clocks to internet time, it is not a very big problem. In addition, the published time-based algorithm allows you to check the adjacent time windows (you can specify the window size). You don’t want to make the window too wide: each extra step on either side is one more code the server will accept, which widens the attacker’s guessing and replay window. Also, once a code has been accepted, record the time step it belonged to and reject any code from that step or earlier, so that a code observed by an attacker cannot be reused within the window.
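The whole procedure above (server-side secret, otpauth:// QR payload, time-based code, adjacent-window check with replay protection) as one added, self-contained example. This is illustration code written for this page, not the author’s or Google Authenticator’s implementation; the function and class names (`generate_secret`, `hotp`, `totp`, `otpauth_uri`, `TotpVerifier`) and the issuer/account strings are assumptions, and the secret used in the trailing demo is the published RFC 4226/6238 test key, embedded here only so the output can be checked against the RFC vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

STEP_SECONDS = 30   # TOTP time step used by Google Authenticator
DIGITS = 6          # code length shown in the app


def generate_secret(num_bytes: int = 20) -> str:
    """Server side: create a random secret at registration and store it
    in the user's profile. Returned base32-encoded, which is what
    Google Authenticator expects in the otpauth:// URI."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, at // step)


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Payload to put in the registration QR code so the app creates the
    profile without the user typing the secret or application name."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": DIGITS, "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Login-time check: accept the current step plus `window` steps on each
    side to absorb clock drift, but never accept a step at or below the last
    step that already succeeded, so an observed code cannot be replayed."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.last_counter = -1   # highest time step accepted so far (persist per user)

    def verify(self, code: str, now=None) -> bool:
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # already used (or older): reject as replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226/6238 test key, used here only so the values are checkable.
    rfc_secret = base64.b32encode(b"12345678901234567890").decode("ascii")
    print(otpauth_uri(rfc_secret, "alice@example.com", "Palisha"))
    print(totp(rfc_secret, 59))           # RFC 6238 vector: 287082
    v = TotpVerifier(rfc_secret, window=1)
    print(v.verify(totp(rfc_secret, 59), now=59))   # True
    print(v.verify(totp(rfc_secret, 59), now=59))   # False: replay
```

`window=1` accepts three consecutive codes (the previous, current and next 30 second step), which tolerates about a minute of drift; raising it makes every guess and every replayed code more likely to land. `last_counter` must be stored per user alongside the secret, otherwise the replay check resets on every request.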