How to authenticate people ... and make sure of identity. (500 Points)

Hi Gents,
I need your help... I have a portal and many people will log in to it. I allow some range of IPs. The problem now is if my customer tries to log in from a public area outside the allowed IP ranges.
How can I allow them to log in and at the same time make sure that the users will not share the same account or give it to their friends?


The best option for VPN authentication is a 2-factor solution, meaning that the end user must produce 2 items in order to get authenticated.

Usually this is "something they have and something they know".

An example 2-factor setup could use an RSA SecurID solution. The SecurID is a device that creates a new 6-digit number every 60 seconds. The end user must provide the current 6-digit number (something they have) along with a password (something they know).

This eliminates using IP ranges as a method to authenticate, which IMHO is not secure at all.

You could also use a mix of passwords, certificates, Secure Desktop registry checks... just off the top of my head.

Here's some reading to get you started:
besmile4ever (Author) Commented:
You mean giving the person who will log in from outside the IP a username/passwd with RSA access?
besmile4ever (Author) Commented:
For example, I would like to know how the international online encyclopedia libraries work for private access or people?
As far as I know, they allow access based on IP ranges and also allow personal access?
Can I know how they implement it?

Well, I have no idea what that company does for security. But whatever the details might be, most companies follow the same theory and standards. How you implement those standards is up to you, your company, and your budget.

Having the source IP as the only method of authenticating a VPN is not a good idea IMHO.
besmile4ever (Author) Commented:
Any other comments, please?
Just remember that:

Financial entities have regulatory requirements to use at least 2 factor authentication and 2 sets of firewalls from 2 vendors on the perimeter.    

Most companies I've seen use an LDAP lookup for ID/PW authentication to VPN.  

There are other options (i.e. certificates) that would also provide more-than-adequate measures.

Using just the IP of a remote machine is extremely insecure IMHO, since you are not verifying the person at the other end.


Do your users need to be able to access the website via any system?

An option would be to configure username + password authentication, and log the IP address they log in from. Your website could be configured to restrict the maximum number of IPs a user can log in from, to prevent users from sharing their accounts with other users.

Allowing the users to customise those IP ranges themselves in their user profiles would save you some administration effort.

Agreed, two-factor authentication and not using the IP address.

As far as guaranteeing users do not give it out to friends, well, that's pretty hard to do. But the best is with SecurID keys - the ones that change every 10 seconds. Another version of two-factor is a certificate plus a password. The certificate can be put on any machine, so it doesn't limit you to an IP range. The problem is then that the certificate can be distributed anywhere to any machine.
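
The password-plus-rotating-code check discussed in the answers above, as an added example that is not part of the original thread. It uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second step as a stand-in for a hardware token, not RSA's own algorithm; the class and function names, the PBKDF2 parameters and the one-step drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each code is valid for, as described in the thread
DIGITS = 6   # code length, as described in the thread

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is an assumption for this example; tune it for your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoFactorVerifier:
    """Hypothetical server-side check: password AND current token code."""

    def __init__(self):
        self.users = {}

    def enroll(self, name, password, secret, salt):
        self.users[name] = {"salt": salt, "secret": secret, "last_counter": -1,
                            "pw_hash": hash_password(password, salt)}

    def verify(self, name, password, code, now, drift=1):
        user = self.users.get(name)
        if user is None:
            return False
        pw_ok = hmac.compare_digest(
            hash_password(password, user["salt"]), user["pw_hash"])
        current = int(now) // STEP
        matched = None
        # Accept the current step plus/minus `drift` steps of clock skew, but
        # never a step at or before the last one used: each code works once.
        for counter in range(max(0, current - drift), current + drift + 1):
            if counter > user["last_counter"] and hmac.compare_digest(
                    hotp(user["secret"], counter).encode(), code.encode()):
                matched = counter
        if not pw_ok or matched is None:
            return False
        user["last_counter"] = matched
        return True
```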

besmile4ever (Author) Commented:
Many thanks.