Solved

user aurhentication and web security

Posted on 2011-09-20
12
463 Views
Last Modified: 2013-11-18
I'm a newbie as far user web authentication and web/internet security areas but my question could either easy or difficult.
So here is it..
I'm developing a registration formthat I'm planning to put on the web . My question is..
How would I be sure that who is login to the site is the right person who claim he is. What authentication structure need to place. In short,for example, if you are login in to your bank under the name 'John Doe',how does the bank know you are John Doe for sure and the name you claim you are.What methods are use to achieve this.
0
Comment
Question by:zachvaldez
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 3
12 Comments
 
LVL 16

Expert Comment

by:disrupt
ID: 36570770
Take a look at this to get started you can edit your web.config like so:

http://msdn.microsoft.com/en-us/library/xdt4thhy.aspx

This sort of authentication is called forms authentication.

you can get whoever is logged in by:

Page.User.Identity.Name


0
 

Author Comment

by:zachvaldez
ID: 36571460
Is forms authentication the best way to go . What are pros and cons?
Why would I take this route? What other alternatives there are for web security and authentication ?
0
 
LVL 16

Expert Comment

by:disrupt
ID: 36571593
Take a loom at this article

http://msdn.microsoft.com/en-us/library/aa291347(v=vs.71).aspx

Gives you pros and cons of each
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 

Author Comment

by:zachvaldez
ID: 36573845
Can you provide more info on forms authentication because that may be the only applicable
authentication available?
0
 
LVL 16

Accepted Solution

by:
disrupt earned 500 total points
ID: 36574068
0
 

Author Comment

by:zachvaldez
ID: 36574335
I started reading on link I Google but it is ASP.net2.0 and I'm using 4.0 framework
0
 

Author Comment

by:zachvaldez
ID: 36574567
A lot of reading yet to do and lots of assumptions and possibilities to cover..question is..
If someone got my '-password and id,can that be used to login from another Pc? Since the cookies are not in that PC, I assume,he can't get In
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 36576961
You might want to re-phrase your question.
Leaving Biometrics aside, web app does not recognize John Doe, it can recognize only the credentials entered by the user i.e. username and password.

If somebody get's your usename+password, web authentication will allow to login.

FormsAuthentication hasn't changed between 2.0 / 4.0 and neither Asp.NET Membership/Roles Providers. So the older tutorials still stand valid.

Several banks have added an additional layer of security to login e.g.
1:  Secret Question - which you need to answer after you enter username/password
2:  If the website detects you are trying to logging in using different computer, they send you passcode to email or phone on their file. You need to verify this before it allows you to enter the website.
3: Number Matrix: Bank provides you with a card with 4x4 matrix of numbers. When you enter valid username/password, the system shows you e.g. 4x4 matrix with few empty boxes. You are supposed to fill in the boxes using you the card you got.

Hope this helps.
0
 

Author Comment

by:zachvaldez
ID: 36577281
The secret question or Identity image that is displayed to confirm identity,it stored in the database or client cookies?


 
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 36577549
Database
0
 

Author Comment

by:zachvaldez
ID: 36577678
Is that code for secret question in the login page? How about when the user login from a different computer and an email is generated and send to reenter log in details,pw and email address some kind to prove identity
0
 
LVL 41

Expert Comment

by:guru_sami
ID: 36583778
-->Is that code for secret question in the login page?
I would do it in a separate page because say user is trying to login from a login box in master page. But again it depends on your overall design and logic.

-->How about when the user login from a different computer and an email is generated and send to reenter log in details,pw and email address some kind to prove identity

I don't think if it is a good idea to ask user to enter the username+password again.
Whatever you do, make sure you make it clear to user why they are required this second layer of security.
0

Featured Post

Increase your protection from Zero Day threats!

Running two Antivirus' is never a good idea.
Taking advantage of Multiple Security layers on the other hand can often save your hide.
See which top notch security software brands have been proven to happily coexist together.
Reduce your chances of becoming a statistic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question