Re: Multi-factor login authentication schemes inlcuding password recovery

[Saqib.N.Ali () seagate com]

Use Captcha ( http://en.wikipedia.org/wiki/Captcha ) for both the login 
page and the password recovery page. This will deter any automated 
brute-force attacks. I have found captcha technique to be very useful in 
preventing brute force attacks.

Thanks.
Saqib Ali
http://validate.sf.net

steve wright <steviewr1ght () yahoo com> wrote on 10/07/2004 02:45:04 PM:

> Hello!
>
> I need to design a web application that incorporates a
> layered password login page since I can not use
> client-side certificates etc for this project - but
> need to beef up the usual password/username scheme.
>
> Are there are good whitepapers that describes such as
> a web application scheme, including the registration
> process, where the user would need to provide a
> passphrase, to be used as a shared secret in the
> authentication process. To compliment this a secure
> password recovery process is also needed. Something
> along the lines of what many internet banks do these
> days  with username  and password then reirection to a
> new page with 3 random  characters from your
> passphrase, plus a secure "forgot your password"
> process to go with it.
>
> Any pointers to resources which details such a scheme
> with some nice process flows would be highly
> appreciated...
>
> What I have found so far on the net described some of
> the above in a fragmented and incomplete manner. I
> have yet to find a comprehensive guide/whitepaper that
> does a good job of covering all aspects including
> mapping out the required processes...
>
> - SW
>
>
>
> _______________________________
> Do you Yahoo!?
> Declare Yourself - Register online to vote today!
> http://vote.yahoo.com