I've implemented RSA SecurID authentication in a CF site before. It is rather straightforward from a CF coding standpoint. I think this is expensive because they have the technology patented. Two-factor authentication definitely helps lock down sensitive information for companies that can afford it.
Logging all actions and looking for suspicious patterns in the logs is one of the best ways of spotting bad behavior, and it is also easy to implement. Screening out all non-US IP addresses at the firewall level will eliminate the majority of hack attempts. Have rules in place that prevent people from entering obvious passwords and make people change passwords periodically. Prevent users from entering any password that is found on a common password list (MySpace user passwords are the source of most of these lists). Slow down the login form exponentially for every failed login to prevent people from performing dictionary attacks, or lock people out after too many failed logins. In my experience, locking out a legitimate user makes them mad, so use with caution or put an automatic timeout on the lockout.

Check out the recording of the cfmeetup from last week, which was all about security.

If you are looking for a good model on how to store logins and passwords securely, the authentication system that is a standard part of ASP.NET 2.0+ is good. ASP.NET creates the entire database structure for you, which includes support for password salts, locking out users, etc.

Some common security techniques you see used by major Web sites are overkill if this is a private intranet site with no public exposure. I hope you realize there are entire books, big ones, written on this subject, and some people do this type of security work exclusively. Some good books on Web security have chapters devoted to ColdFusion.

-Mike Chabot

On Wed, Jan 14, 2009 at 8:33 PM, Doug Smidt <[email protected]> wrote:
> The small company I work for has been discussing different options to beef up
> our authentication. Currently, we're just an old fashioned enter
> username/password, check user table, login if credentials match system.
> We've been exploring options, but I was curious as to what other companies
> are up to these days.
> I'm looking to see what has worked, what hasn't, what
> was inexpensive but effective, expensive but awesome, and anything in between.
>
> We're also considering two-factor authentication, most likely using RSA
> SecurID (key fob). If anyone has any experience with implementation of this
> (CF or otherwise), I'd love to hear anything you could tell me about your
> experience.
>
> I realize it's a broad topic, so if anyone has a question that might lead me
> to getting better info, please don't hesitate to ask.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317973
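The login-hardening measures Mike lists (salted password storage, a common-password blocklist, exponential slow-down on failed logins, a lockout that times out on its own, and an audit log you can scan for abuse) put together in one runnable example. This is an added example, not code from the thread or from any CF project; it is written in Python rather than CFML so it runs stand-alone, and the logic maps directly onto a CF login handler. The common-password set, the account and the attack scenario in demo() are constructed samples, and the thresholds (5 failures, 15-minute lockout, 60-second delay cap, 10-character minimum) are assumptions chosen for illustration.

```python
"""Login hardening: salted KDF, blocklist, backoff, expiring lockout, audit scan.
Added example; all constants and sample data below are constructed assumptions."""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass

# Constructed sample; a real deployment loads a published leaked-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123", "iloveyou"}
MIN_LENGTH = 10           # assumed policy minimum
MAX_FAILURES = 5          # failures before the account is locked (assumed)
LOCKOUT_SECONDS = 900     # lockout expires by itself after 15 minutes (assumed)
MAX_DELAY = 60.0          # cap on the exponential slow-down (assumed)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # Per-user random salt plus a slow KDF; never store plaintext or a bare hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def password_allowed(username: str, password: str) -> tuple[bool, str]:
    """Reject obvious passwords. Returns (allowed, reason)."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "on common-password list"
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if username.lower() in password.lower():
        return False, "contains username"
    return True, ""


def create_account(username: str, password: str) -> Account:
    allowed, reason = password_allowed(username, password)
    if not allowed:
        raise ValueError(reason)
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def delay_for(failures: int) -> float:
    """Seconds the form should wait before the next attempt: 0 after no
    failures, then 1, 2, 4, 8 ... capped at MAX_DELAY."""
    return 0.0 if failures == 0 else min(2.0 ** (failures - 1), MAX_DELAY)


def attempt_login(acct: Account, password: str, now: float, audit: list) -> tuple[str, float]:
    """Evaluate one attempt at time `now` (seconds). Returns (result, wait):
    result is 'ok', 'bad_password', 'lockout' (this attempt tripped the lock)
    or 'locked'; wait is how long the caller should stall the form.
    Every attempt is appended to `audit` for later pattern review."""
    if now < acct.locked_until:
        audit.append(f"t={now:.0f} user={acct.username} result=locked")
        return "locked", acct.locked_until - now
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failures = 0
        audit.append(f"t={now:.0f} user={acct.username} result=ok")
        return "ok", 0.0
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0  # fresh attempts once the lockout expires
        audit.append(f"t={now:.0f} user={acct.username} result=lockout")
        return "lockout", float(LOCKOUT_SECONDS)
    audit.append(f"t={now:.0f} user={acct.username} result=bad_password failures={acct.failures}")
    return "bad_password", delay_for(acct.failures)


def suspicious_users(audit: list, threshold: int = 3) -> dict:
    """Scan audit lines for users with `threshold` or more failed attempts."""
    failed = Counter()
    for line in audit:
        fields = dict(f.split("=", 1) for f in line.split())
        if fields["result"] in ("bad_password", "lockout"):
            failed[fields["user"]] += 1
    return {user: n for user, n in failed.items() if n >= threshold}


def demo() -> tuple[list, list, dict]:
    """Constructed scenario: a dictionary attack, the lockout it triggers,
    a legitimate login refused during the lockout, then success after it expires."""
    acct = create_account("doug", "correct horse battery staple")
    audit, results = [], []
    for i, guess in enumerate(["password", "123456", "qwerty", "letmein", "abc123"]):
        results.append(attempt_login(acct, guess, 1000.0 + i, audit))
    results.append(attempt_login(acct, "correct horse battery staple", 1100.0, audit))
    results.append(attempt_login(acct, "correct horse battery staple", 1905.0, audit))
    return results, audit, suspicious_users(audit)


if __name__ == "__main__":
    for result in demo()[0]:
        print(result)
```

The handler never sleeps itself; it returns the wait so the web tier can enforce it (a sleep inside the request handler would tie up threads under a brute-force run). Storing failures and locked_until per account keeps the slow-down bound to the target user, so an attacker cannot avoid it by switching source IPs, and the automatic expiry addresses Mike's point about locked-out legitimate users.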

