Process security for website

Discussion in 'ASP .Net' started by Simon Harvey, Jul 7, 2004.

  1. Simon Harvey


    Hi all,

    A new project I'm working on requires a high level of security - possibly
    around the same level used by banks, as it's dealing with highly confidential
    medical info.

    I'm thinking about the process of letting users register and get their
    password.

    The current suggestion is that when a user registers an interest, a staff
    member has to authorise that person's entry into the site.
    If the staff member believes this person to be legit, then the user is sent
    an email asking them to come to the site.

    When the user follows the link, they are told that they are about to be sent
    their password (by email) and that it will be valid for 5 mins. The user
    picks up their email, logs in and completes registration.

    Now, that seems to me to be a rather drawn out solution.

    Has anyone else implemented a solution that is ultra secure but also
    relatively simple?

    Thanks all

    Simon
    Simon Harvey, Jul 7, 2004
    #1

  2. Simon,

    There are some rather big problems with the proposed solution, including the
    following:

    1. If you set the "timeout" on the invitation to be sufficiently short that
    it is unlikely that someone will pick the credentials off an SMTP server
    before the user receives the e-mail, you will also have a reasonably high
    likelihood of the target recipient not receiving it in time. This means
    that you should also plan for more "manual" processing, such as allowing the
    new user to phone in for their temporary password. This also incurs risk
    since it can be difficult to validate the identity of a caller.

    2. If a potential attacker learns of the approval process (e.g.: by
    attempting a new registration), an interception trap could be set for any
    messages matching the pattern, allowing the attacker to receive the
    temporary credentials before or instead of the intended recipient. This
    attacker might be, for example, an employee of the ISP via which the e-mails
    are being sent, so setting such a trap may be quite trivial.

    While encrypting the e-mail would be a potential workaround for the above
    problems, a better approach would be to allow the new user to enter their
    desired credentials with the initial request. Then, instead of transmitting
    credentials in the subsequent e-mail, simply send a message indicating
    whether the registration request was approved or denied. Obviously, there
    are still plenty of issues surrounding validation of the requester's
    identity, but I'm guessing that the staff approval might be intended to
    address at least part of that problem.

    HTH,
    Nicole

    Nicole Calinoiu, Jul 8, 2004
    #2
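A sketch of the flow Nicole recommends, as an added example that is not part of the thread: the applicant sets a password when submitting the request, the server keeps only a salted hash of it (PBKDF2 is an assumption; the thread names no scheme), and the approval e-mail reports the decision without carrying anything that can be used to log in. The `Registry` class, state names and in-memory outbox are constructed for illustration.

```python
"""Added example: approval-gated registration with no credentials in e-mail."""
import hashlib
import hmac
import os

PENDING, APPROVED, DENIED = "pending", "approved", "denied"


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked table does not reveal passwords (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Registry:
    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}   # username -> record
        self.outbox: list[tuple[str, str]] = []  # constructed stand-in for SMTP
        self._dummy_salt = os.urandom(16)     # used to keep unknown-user timing uniform

    def request(self, username: str, email: str, password: str) -> None:
        # Credentials are captured at request time and stored only as a hash.
        salt = os.urandom(16)
        self.accounts[username] = {"email": email, "salt": salt,
                                   "hash": _hash(password, salt), "state": PENDING}

    def decide(self, username: str, approve: bool) -> None:
        # Staff decision; the e-mail body contains the outcome and nothing else.
        rec = self.accounts[username]
        rec["state"] = APPROVED if approve else DENIED
        self.outbox.append((rec["email"], f"Your registration was {rec['state']}."))

    def login(self, username: str, password: str) -> bool:
        rec = self.accounts.get(username)
        if rec is None:
            _hash(password, self._dummy_salt)  # same work as a real check
            return False
        ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
        return ok and rec["state"] == APPROVED  # pending or denied users cannot log in


def mail_leaks_secret(outbox: list[tuple[str, str]], secret: str) -> bool:
    # Defender's check: does any sent message contain the given secret verbatim?
    return any(secret in body for _, body in outbox)


if __name__ == "__main__":
    reg = Registry()
    reg.request("alice", "alice@example.test", "correct horse battery")
    reg.decide("alice", approve=True)
    print(reg.login("alice", "correct horse battery"), reg.outbox)
```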