> Matt Puumala wrote:
>>
>> Greetings!
>>
>> I am trying to make a two-factor authentication module, built on
>> AuthType Basic. (google for Perfect Paper Passwords for the scheme I'm
>> using). To make it work, I need to be able to prompt the user to type
>> in two passwords sequentially.

My thought is that the two basic authentications would make sense at two separate virtual domains. Firstly, the client would authenticate to http://step1.example.org/step1, after which they would be directed to step2.example.org/step2/XYZABC, where XYZABC is a one-time-use, hard-to-guess code generated by step 1 and stored somewhere step2 can see it. step1 and step2 are different domains; the authentication starts all over for step2; the infrastructure has no clue that they are two steps in your process. After passing the test at step2, the paranoia really starts.
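
A sketch of the one-time hand-off code described in the reply above, added here as an illustration and not part of the original message or of any Apache module. The class name HandoffStore, the 120-second lifetime, the in-memory dictionary standing in for the shared store, and the binding of the code to the step 1 username are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumed lifetime; the post does not give one


class HandoffStore:
    """Hypothetical stand-in for the place step1 writes to and step2 reads from."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # sha256(code) -> (username, expiry time)
        self._clock = clock

    @staticmethod
    def _digest(code):
        # Only a hash is stored, so reading the store does not reveal live codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, username):
        """step1 calls this after the first Basic authentication succeeds."""
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expiry = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(code)] = (username, expiry)
        return code  # becomes the XYZABC part of the /step2/XYZABC redirect

    def redeem(self, code, username):
        """step2 calls this after the second Basic authentication succeeds."""
        # pop() removes the entry on any presentation, so a code is usable at
        # most once. A real shared store needs an atomic delete-and-return.
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return False  # unknown, or already used
        owner, expiry = entry
        if self._clock() > expiry:
            return False  # issued too long ago
        # Assumed policy: the user at step2 must be the user who passed step1.
        return secrets.compare_digest(owner.encode(), username.encode())
```

Because the code travels in a URL, it can end up in access logs, browser history and Referer headers, which is why it is short-lived and burned on first use.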