Asked by Matt Grofsky

RSA Like Password Token for Smartphone

Q:  Help me find a way to store encrypted passwords in my database and use a "smart phone" to provide a key to the web desktop interface to decrypt the encrypted password.

Answer Advice

I am hoping your answer will either give me some guidance on how to program this in Cold Fusion or LAMP and/or point me to a vendor that can help me get this done.  I am not interested in using expensive solutions like RSA and I have already looked at YubiKey.

Detail

I run a technical support department.   When end users call in, our technical support agents can look into a database to find user passwords.  I am trying to avoid passing passwords over https, displaying them openly on an agent's web browser, and would like to protect the passwords in case the database is hacked.

My idea is to encrypt all the passwords and only decrypt them if someone can provide a secure time sensitive code.

Since everyone has a smartphone in their pocket, I would like to explore ways to put an app in their pocket that:

1 - user must authenticate against known user/pass database.  This way I can control if a user has access to passwords.
2 - once authenticated, app will display a key.  Key is only valid for XX seconds.  When key is provided, user enters key into our web site and password is decrypted.

Your thoughts?
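
The time-limited code described in the question can be built on the standard TOTP algorithm (RFC 6238), which is what most phone authenticator apps compute. The sketch below is an added example, not code from the asker or from any answer on this page; it uses Python as one LAMP option. The 30-second step, 6-digit length, sample secret and function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid (the question's "XX seconds"; assumed value)
DIGITS = 6   # assumed code length

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code the phone app would display."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_counter: int = -1, drift_steps: int = 1):
    """Server-side check. Returns the matched time-step counter, or None.

    The caller stores the returned counter per agent and passes it back as
    last_used_counter, so a code that was already accepted cannot be replayed
    inside its validity window. drift_steps tolerates phone clock skew.
    """
    now = unix_time // STEP
    for counter in range(now - drift_steps, now + drift_steps + 1):
        if counter <= last_used_counter:
            continue  # this time step (or an earlier one) was already used
        expected = totp(secret, counter * STEP)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None

# NOTE: a 6-digit code has about 20 bits of entropy. It can gate *access* to a
# decrypt operation, but it must not be used as the decryption key itself.
# Failed attempts should be rate-limited per agent for the same reason.

if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # constructed sample (RFC test secret)
    t = 59                                 # constructed timestamp
    code = totp(demo_secret, t)
    print("code shown on phone:", code)
    print("accepted at t=59, counter:", verify(demo_secret, code, t))
    print("replayed, same step:", verify(demo_secret, code, t, last_used_counter=1))
    print("submitted 90 s late:", verify(demo_secret, code, t + 90))
```

Each agent needs their own secret, provisioned to the phone once and stored server-side separately from the password database.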
ASKER CERTIFIED SOLUTION
Rick Cogley
This solution is only available to members.
What did you decide, Michin? As for us, we are using LastPass. It has been a bit buggy, but, it basically seems to work well, once you get around a few idiosyncratic aspects.