Skip to main content

anonymous-two-factor-authentication-as-a-turing

Posted by: admin 17 years, 1 month ago

You can now add comments to the blog, but you must first prove to me that you are a human by logging in using WiKID Strong Authentication. Interestingly, this is still anonymous, because I am using the Token Client Test domain, which requires no identification to configure (it was set up as a simple way to test the WiKID token clients). So, it is an anonymous two-factor authentication CAPTCHA of sorts.

As with many blogs, this blog has been subject to highly annoying spam attacks. My current blog software doesn't offer moderation. I set up mod_security to stop all the posts with viagra, porn, and other bad words, but it turns out that there are more bad words than I know about, which shows that I clearly didn't mis-spend enough of my youth or that I am too old to know what "retin" is.

I effectively turned off comments by requiring users to login to site, which uses Plone,a most excellent open source CMS. I have also disabled the join function on our site as I didn't want to create a membership site. So, no join, no login, no spam. Now, I allow anonymous users to post comments in plone, but I block access to the comment entry form in Apache using mod_auth_xradius. I could have used the WiKID extranet domain and require a valid email address, but I wanted to allow fully anonymous postings.

So how does the compare to standard CAPTCHAs?

  • It is available free of charge (our open source version)
  • It requires that the user register their token
  • It requires that the user enter the OTP
  • It is anonymous
  • I suspect it may be better for the vision-impaired
  • It limits the scope of potential damage to a specific WiKID domain
What I mean by the last point is that we could offer use of the Token Client Test domain to other websites. Those websites would get a separate WiKID domain allowing their users to prove that they had completed the registration process and thus were humans. (In radius, these transactions would only be encoded, but since it is a one-time password the only information of that can be gleamed is the username.) If an attacker set up a fake WiKID user to send spam, it would only work for websites using that domain, greatly reducing the benefit.

I would also like to be able to process trackbacks using WiKID, but that will require some work. What I envision is that the trackback url would have authentication information appended that Apache would process, such as: http://www.wikidsystems.com/WiKIDBlog/morepointlessblogrambling/trackback?username=nowen&domain=2222222222&otp=123456.

If you have any thoughts, please post a comment! Be sure to sign for an anonymous two-factor authentication account so I know you're human.

Current rating: 1