Topic: Making website log-in more secure
Atari ST fan
« on: Mar 26, 2009, 11:33:42 pm »
Hi all,
I want to make the log-in process to the secured area of our company website more secure by adding multi-factor authentication (we are currently just using username/pw). Does anyone know of a good system to use?
I have been trying to find a system myself online, but the only reasonable option I found is SafeTok (safetok.com). Does anybody have experience with this system?
What I really like about SafeTok is that it will be free for us and our users, since it's free to implement and the users do not need to buy expensive tokens for it but can just use any available USB stick or other consumer electronics item (mobile phone, iPod etc.) they already have. However, I wonder how our users will take the introduction of the system. Do you reckon that the users will find the system easy to use and that the transition to multi-factor authentication will go smoothly? Do you think the SafeTok system is a good option? What factors are most important to consider when implementing multi-factor authentication? If you have already integrated multi-factor authentication, what was most important to you and what did you find most troublesome? What system did you choose and why?
I am a metal monkey!
Administrator
« Reply #1 on: Mar 27, 2009, 12:35:07 am »
I don't really find a reason to use such a thing for a website login. There are solutions like SSL which are 100% secure.
Atari ST fan
« Reply #2 on: Mar 27, 2009, 12:39:48 am »
Yeah, but only if the users are actually vigilant... SSL doesn't really prevent phishing... After all, even a phishing website can use SSL... And then there are key-loggers... And what if users are careless with their passwords? (i.e. write them on post-it notes that they leave on their desk, use them for other services with lower security, ...)
Global Moderator
It's time to use PHP5!
« Reply #3 on: Mar 27, 2009, 07:58:51 am »
Just block the IP address after x unsuccessful attempts or 5 wrong passwords for one user name.
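The lockout described in this reply, written out as an added example (it is not code from the forum or from any poster): failed attempts are counted both per client address and per user name, whichever limit is hit first locks that key for a fixed period, and a successful log-in clears the counters. The thresholds, the 15-minute lockout and the PBKDF2 password hashing are assumptions chosen for the example; the `now` hook only exists so the behaviour can be tested with a fake clock.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Assumed thresholds for this example; tune them for the real site.
MAX_FAILS_PER_IP = 10       # "x unsuccessful attempts" from one address
MAX_FAILS_PER_USER = 5      # 5 wrong passwords for one user name
LOCKOUT_SECONDS = 15 * 60   # how long a lock lasts


class LoginThrottle:
    """Counts failed log-ins per client IP and per user name and locks
    either key out once it reaches its threshold."""

    def __init__(self, now=time.time):
        self._now = now                    # injectable clock (for tests)
        self._fails = defaultdict(list)    # key -> failure timestamps
        self._locked_until = {}            # key -> unix time the lock expires

    def _prune(self, key):
        # Forget failures older than one lockout period.
        cutoff = self._now() - LOCKOUT_SECONDS
        self._fails[key] = [t for t in self._fails[key] if t > cutoff]

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._now() >= until:           # lock expired: start fresh
            del self._locked_until[key]
            self._fails.pop(key, None)
            return False
        return True

    def allowed(self, ip, username):
        return not (self.is_locked(("ip", ip))
                    or self.is_locked(("user", username.lower())))

    def record_failure(self, ip, username):
        now = self._now()
        for key, limit in ((("ip", ip), MAX_FAILS_PER_IP),
                           (("user", username.lower()), MAX_FAILS_PER_USER)):
            self._prune(key)
            self._fails[key].append(now)
            if len(self._fails[key]) >= limit:
                self._locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, ip, username):
        self._fails.pop(("ip", ip), None)
        self._fails.pop(("user", username.lower()), None)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def attempt_login(throttle, users, ip, username, password):
    """Returns "locked", "ok" or "bad". `users` maps lower-cased user name
    to (salt, digest) as produced by hash_password."""
    if not throttle.allowed(ip, username):
        return "locked"
    record = users.get(username.lower())
    if record is not None:
        salt, stored = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            throttle.record_success(ip, username)
            return "ok"
    # Unknown user and wrong password are counted the same way.
    throttle.record_failure(ip, username)
    return "bad"


if __name__ == "__main__":
    # Constructed demo data: one account and a handful of wrong guesses.
    throttle = LoginThrottle()
    users = {"alice": hash_password("correct horse")}
    for guess in ["a", "b", "c", "d", "e"]:
        print(attempt_login(throttle, users, "203.0.113.5", "alice", guess))
    print(attempt_login(throttle, users, "203.0.113.5", "alice", "correct horse"))
```

Counting per user name as well as per address matters because the address limit alone is bypassed by spreading guesses over many addresses; the per-user limit also means an attacker can lock a legitimate user out on purpose, which is why the lock is time-limited rather than permanent.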
Atari ST fan
« Reply #5 on: Mar 27, 2009, 03:33:59 pm »
I think we are misunderstanding each other.
I am not worried at all about someone breaking SSL or brute-forcing the passwords out. What I am concerned about are social engineering & keylogger type of attacks.
For example:
The user having trouble remembering the password and writing it on a post-it note. His cleaning lady (or whoever) reading it and getting access to the account.
Phishing - The user receiving an e-mail which seems to come from us (but has been sent by an attacker) asking him to visit a link. The linked website looks like our webpage and asks the user to enter his username/password data for whatever reason (security checks, renewing account, whatever). If he does so, the data is submitted to an attacker who now has all the data to log in.
The user having a key-logger installed that captures the username & password entered when he visits our website and logs in. The key-logger then submits the data to the attacker, who has all the data required to log in.
...
The list of possible attacks goes on and on... It's really endless. SSL won't help against phishing, since it only ensures that the data is securely submitted - not that the user submits it to the right webpage. Actually, the phishing page could send the data to the attacker using SSL... Similarly, limiting log-in attempts won't help since the attacker knows the correct log-in data.
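The threat model in this post is exactly what a second factor is meant to address: a password written on a note or captured by a key-logger is reusable, a one-time code is not. As an added example (not code from the forum, and not how SafeTok or any other product named here works), the following implements a time-based one-time password per RFC 6238 on top of RFC 4226 HOTP, with a server-side verifier that accepts a small clock-drift window and refuses to accept the same time step twice, so a code that a key-logger recorded is useless once the legitimate user has used it or the 30-second step has passed. The shared secret, step length and window are assumptions; the test vectors are the published ones from RFC 6238 (secret `12345678901234567890`, SHA-1), truncated to six digits.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the user's phone or token computes."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactor:
    """Server side of the check. `used` remembers which time steps have
    already been accepted for this user so a captured code cannot be
    replayed within the drift window (assumed: in-memory; a real site
    would persist it per user)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1,
                 digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window      # accept +/- this many steps of drift
        self.digits = digits
        self.used = set()

    def verify(self, code: str, at_time: float = None) -> bool:
        at_time = time.time() if at_time is None else at_time
        counter = int(at_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c in self.used:
                continue               # already spent: a replay
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):
                self.used.add(c)
                return True
        return False


def login(password_ok: bool, second: SecondFactor, code: str,
          at_time: float = None) -> bool:
    """Both factors must pass; a stolen password alone is not enough."""
    return password_ok and second.verify(code, at_time)


if __name__ == "__main__":
    # Constructed demo: the secret the server and the user's device share.
    secret = b"12345678901234567890"
    now = time.time()
    device_code = totp(secret, now)           # shown on the user's device
    second = SecondFactor(secret)
    print("first use :", login(True, second, device_code, now))   # True
    print("replayed  :", login(True, second, device_code, now))   # False
```

The caveat a practitioner will want: this defeats the note on the desk and a key-logger that reports captured data later, but a phishing page that relays the code to the real site in real time still gets one session, because the code is valid for the current step. That is the limit of any shared-code scheme; it reduces the window of exposure rather than closing it.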
Atari ST fan
« Reply #6 on: Mar 31, 2009, 01:57:44 am »
I just found a link to a page which tells the story of a guy who got phished. flickr.com/photos/toasty/1276202472/ Think this should help to understand what kind of attacks I want to prevent.
Spy Agent
« Reply #7 on: Mar 31, 2009, 03:05:22 pm »
So do you want a system where users click on a combination of numbers to enter a secret 4-digit code? This number would be unique and the keylogger couldn't track it, as it's only using the mouse.
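The click-to-enter PIN suggested here only helps if the keypad layout changes every time, otherwise the click positions are as good as the digits. As an added example (not code from the forum), the server below shuffles the ten digits for each log-in page, keeps the layout in the session, and receives only the clicked positions from the browser; it maps them back to digits, checks them against a stored PIN hash, and discards the layout so it cannot be reused. Session IDs, the salt and the PBKDF2 hashing are assumptions; `rng` can be injected so the shuffle is reproducible in tests.

```python
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def hash_pin(pin: str, salt: bytes = b"example-salt") -> bytes:
    """Store the PIN hashed like a password (salt is a constructed value)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class KeypadPinCheck:
    """One randomized on-screen keypad per session. The browser reports
    which positions were clicked; only the server knows which digit each
    position held, so a key-logger seeing mouse input learns nothing."""

    def __init__(self, pin_hash: bytes, rng=None):
        self.pin_hash = pin_hash
        self.rng = rng or secrets.SystemRandom()   # CSPRNG by default
        self.layouts = {}        # session_id -> list of 10 digits by position

    def new_layout(self, session_id: str):
        """Call when rendering the log-in page; returns the button order."""
        layout = list(DIGITS)
        self.rng.shuffle(layout)
        self.layouts[session_id] = layout
        return layout

    def check(self, session_id: str, positions) -> bool:
        """Call with the positions the user clicked, in order."""
        layout = self.layouts.pop(session_id, None)    # single use
        if layout is None:
            return False                               # no or stale layout
        if not all(isinstance(p, int) and 0 <= p < 10 for p in positions):
            return False
        entered = "".join(layout[p] for p in positions)
        return hmac.compare_digest(hash_pin(entered), self.pin_hash)


def clicks_for(layout, pin: str):
    """What the browser would send for a given PIN on a given layout
    (used in the demo to simulate the user clicking)."""
    return [layout.index(d) for d in pin]


if __name__ == "__main__":
    # Constructed demo: user PIN 4812, two separate page loads.
    checker = KeypadPinCheck(hash_pin("4812"))
    for session in ("sess-1", "sess-2"):
        layout = checker.new_layout(session)
        print(session, "layout:", "".join(layout),
              "clicks:", clicks_for(layout, "4812"))
        print(session, "accepted:", checker.check(session, clicks_for(layout, "4812")))
```

Two caveats worth keeping in mind: a four-digit PIN needs the same lockout counting as a password, since the keypad changes nothing about guessing, and malware that captures the screen or the page contents rather than keystrokes still sees which digit sat under each click.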