• Status: Solved
  • Priority: Medium
  • Security: Public

Allow user to login to my account on a website without knowing password from a computer that I control.

Hi.

Windows 10 Pro /  Firefox
I have several users who need access to a website which requires login credentials.

They need access to the website (my account), but I would like to restrict that access to one computer which I control.

So, I am looking for an app or other solution where the user could access the website, but never know the username/password (or obfuscate the password at least).

Any ideas?

PS.. I have some skills in Microsoft Access VBA.

Thank you.
0
Asked by: peispud
1 Solution
 
btan (Exec Consultant) commented:
It is worth checking out and leveraging a service that provides Passwordless Authentication with a one-time code via email on your web apps:
https://auth0.com/docs/connections/passwordless/regular-web-app-email-code

To keep it simple, I am thinking of generating disposable passwords for such access: they request one and it is sent to them. The username can be a guest, but the login will only be valid for that entry until it expires or has already been used by someone. See an implementation: https://onetimesecret.com/about

Just for info, there are also online sites that can provide the login credentials - http://bugmenot.com/ (created by somebody else and shared for public access)
1
 
John Tsioumpris (Software & Systems Engineer) commented:
Well, you can build an HTML page that handles this for you..

<html>
<head>
<script type="text/javascript">
// Builds a form carrying the credentials and posts it to the OWA login endpoint.
function OWA_AutoLogin(strServer, strDomain, strUsername, strPassword) {
  var strUrl = "https://" + strServer + "/exchweb/bin/auth/owaauth.dll";
  var strExchange = {
    destination: 'https://' + strServer + '/exchange',
    flags: '0',
    forcedownlevel: '0',
    trusted: '0',
    isutf8: '1',
    username: strDomain + '\\' + strUsername,
    password: strPassword
  };
  var myForm = document.createElement("form");
  myForm.method = "post";
  myForm.action = strUrl;
  // One input per field expected by the login endpoint.
  for (var varElement in strExchange) {
    var myInput = document.createElement("input");
    myInput.setAttribute("name", varElement);
    myInput.setAttribute("value", strExchange[varElement]);
    myForm.appendChild(myInput);
  }
  document.body.appendChild(myForm);
  myForm.submit();
  document.body.removeChild(myForm);
}
</script>
</head>
<!-- To identify your server name, log in to Outlook Web Access manually; once you reach the inbox, the server name is the section marked as **** in https://********.com/exchange/ -->
<body onload="OWA_AutoLogin('servername','domain','username','password')">
</body>
</html>

This may seem a bit unrelated, but it's the same... too bad I can't copy the URL because I am on my smartphone... if you want, you can wrap it and produce an exe so no one gets the password (better to create a power user that has a lot of permissions but not all)
0
 
peispud (Author) commented:
Thanks all for your reply.

I have a question for John Tsioumpris

You said
1)   you can build an html that handles this for you..
2)  if you want you can wrap it and produce an exe so none gets the password


If I do this and they transport the exe to another computer,  will it work?    I would want it to not work.
0

 
John Tsioumpris (Software & Systems Engineer) commented:
Hmm... it gets a bit more complex... the easy way would be to check, in the wrapper, a variable like ComputerName... or, harder, something like the HDD's serial numbers..
0
 
peispud (Author) commented:
That is no problem. There are many ways to get some proof that the computer is the correct one (I could create/hide a file somewhere and have the app check for its existence). That's plenty of security for my purposes.
0
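An added example, not part of the original thread or any participant's code: instead of an `if` check on ComputerName or a marker file (which leaves the password readable inside the wrapper), the machine attributes can be used to derive the key that encrypts the stored password, so a copied blob does not open elsewhere. It assumes Node.js; the function names and the hostname-plus-marker fingerprint are hypothetical choices.

```javascript
const crypto = require("crypto");
const os = require("os");

// Fingerprint of the terminal. Hostname plus an installer-chosen marker string
// are hypothetical inputs standing in for the checks discussed in the thread.
function machineFingerprint(marker) {
  return `${os.hostname().toLowerCase()}|${marker}`;
}

// Stretch the fingerprint into a 256-bit key with scrypt and a per-blob salt.
function deriveKey(fingerprint, salt) {
  return crypto.scryptSync(fingerprint, salt, 32);
}

// Seal the password with AES-256-GCM. Output: base64(salt | iv | tag | ciphertext).
function sealCredential(password, fingerprint) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(fingerprint, salt), iv);
  const ct = Buffer.concat([cipher.update(password, "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Returns the password, or null when the blob is truncated, modified,
// or opened with a fingerprint other than the one it was sealed with.
function openCredential(blob, fingerprint) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < 44) return null; // 16 salt + 12 iv + 16 tag
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const ct = raw.subarray(44);
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(fingerprint, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch (err) {
    return null; // GCM authentication failed: wrong machine or tampered blob
  }
}
```

The fingerprint inputs are not secrets, so anyone who can read them on the terminal can rebuild the key; this stops a copied blob from working unchanged on another computer, nothing more. On Windows, DPAPI (the .NET `ProtectedData` class) ties the key to the machine or user profile without relying on derivable inputs.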
 
Blue Street Tech (Last Knight) commented:
Hi peispud,

If you want an already built/supported solution, Dashlane (https://dashlane.com) will do this. Just create a Group and share the password with Limited Rights and it will log them in automatically, plus you can change the credentials and they will always be able to get in without updating or any knowledge of the credentials themselves.

With Limited Rights: The recipient(s) can solely use this item. They cannot view, edit, share, or edit the permission settings of other users who were shared this item. Terminate the user/s whenever you need to and that will immediately remove their access.

REF: https://support.dashlane.com/hc/en-us/articles/115003810045-How-to-manage-shared-items-within-groups

Let me know if you have any questions!
0
 
peispud (Author) commented:
Thank you for your reply Blue Street Tech.

It sounds promising.

Can Dashlane be configured so that it will only grant access from the one computer that I specify?

I want the website to be accessed only from that computer.  Not at home etc.
0
 
Blue Street Tech (Last Knight) commented:
Not by default... it's a cloud-based architecture, but it has an offline mode, so while you could block it from accessing the internet on that computer, a user with access and know-how could install it on a system at home or another computer, in which case you'd be notified, but it's not a solid solution for that specific need.

You may want to look at something more localized if that is your concern. You could use a localized credential manager like KeePass, but the clear issue in all of these scenarios is that if the website doesn't have ACLs for delegates or an admin/multi-user architecture, then any user you grant access to, even if they don't know the credentials, would have the ability to lock you out!
0
 
peispud (Author) commented:
I'm thinking about writing something in VB.Net.

I only need this for one web site login.    The VB.Net solution would check that it is located on the correct computer.  Lots of ways to do that.


Then,  I will find out how to automate the login.    More research I guess.
0
 
Sharon Nowlige (Keyboard Ninja) commented:
You could use a PowerShell wrapper to call an API using the user's credentials... a sort of invisible SSO request.

Joshua Moses is an INFOSEC/IAM guru that could point you in the right direction.  He did something very similar for a friend of mine.
0
 
Blue Street Tech (Last Knight) commented:
Are you not concerned with the account security? Meaning, can these users do anything to the account to compromise it (e.g. lock you out or otherwise), intentionally or unintentionally?

Your main problem appears to be an issue with the website architecture (server-side), and no client-side solution will ever be adequate in that case (provided the above is a valid concern) except to create separate accounts for everyone, but then you ultimately lose management controls in any scenario.

If you have access to the web server then this changes everything but it doesn't appear that you do from what you have stated. Please correct me if I'm wrong!
0
 
peispud (Author) commented:
I am very much concerned about account security. The website login credentials that I automate will only allow limited (associate) level access to the account. I will hold my "owner" credentials very secret (not automated). The website is a cloud-based Point of Sale website.

I don't feel good about the possibility of employees sharing passwords (even for associate level access).
So I prefer to have a high entropy password, inaccessible to anybody except myself and the machine that it is supposed to run on.

There is a security system camera recording to the cloud on a 60 day loop focused on the computer terminal.  So, as you see, I want the website accessible only from that one computer.  I am ok with any staff using the POS then because all activity is recorded and timestamped on the security system camera.

If I have gotten something wrong here, I am open to suggestions.
0
 
btan (Exec Consultant) commented:
To restrict access under a certain policy, you likely need to have a VPN tunnel with an endpoint check prior to granting access.

But I thought a simpler means is to whitelist a public IP belonging to that machine for access through the cloud proxy before reaching your server. Even then, that requires a dedicated IP, likely through an issued broadband dongle.
0
 
peispud (Author) commented:
Thank you everyone for your help.
0
 
Blue Street Tech (Last Knight) commented:
Still unclear as to why it matters if the users know their credentials, since you now said they have their own limited accounts. Previously it seemed that you were giving them your access to your account. Nor is it clear why you want to restrict them to one computer that has a camera on it. A camera is limiting and can only capture so much unless you have two cameras: one positioned right over their shoulder and the other one positioned to capture their faces.

In any case, if you want that much focus on monitoring and controlling behavior, here are a few options not previously mentioned:
• Monitor & record all their actions from the computer's perspective via something like Veriato 360: https://www.veriato.com/products/veriato-360-employee-monitoring-software
• Look into possibly restricting IP access to your location explicitly from the web server and/or the POS application itself - depending on the software, many applications can restrict access based on IP.
0
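An added example, not part of the original thread: the server-side IP restriction suggested in btan's and Blue Street Tech's comments, written for the case where requests arrive through a proxy. It assumes you operate the server or the proxy in front of it; all addresses are constructed from documentation ranges, and the function names are hypothetical. The forwarded header is only honoured when the TCP peer is the known proxy, otherwise any client could claim the terminal's address.

```javascript
// Constructed values (RFC 5737 documentation ranges), not from the thread.
const ALLOWED_CLIENTS = ["203.0.113.10/32"]; // static public IP of the shop terminal
const TRUSTED_PROXIES = ["198.51.100.0/24"]; // egress range of the cloud proxy

// Parse a dotted-quad IPv4 address into an unsigned integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside cidr (for example "198.51.100.0/24").
function inCidr(ip, cidr) {
  const [base, bitsText = "32"] = cidr.split("/");
  const bits = Number(bitsText);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

const inAny = (ip, list) => list.some((cidr) => inCidr(ip, cidr));

// Work out the real client address. X-Forwarded-For is read right to left and
// only when the direct peer is a trusted proxy; entries a client supplied
// itself sit to the left of the one the proxy appended and are never reached.
function clientAddress(peerIp, xForwardedFor) {
  if (!inAny(peerIp, TRUSTED_PROXIES) || !xForwardedFor) return peerIp;
  const hops = xForwardedFor.split(",").map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!inAny(hops[i], TRUSTED_PROXIES)) return hops[i];
  }
  return peerIp;
}

// Allow the request only when the resolved client is the terminal.
function isAllowed(peerIp, xForwardedFor) {
  return inAny(clientAddress(peerIp, xForwardedFor), ALLOWED_CLIENTS);
}
```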
Question has a verified solution.
