One-time password (OTP) based two-factor authentication solutions are commonly used to secure VPNs, web sites, and online transactions. Because each password is valid for a single use, they resist the credential theft and replay attacks that defeat static passwords (they do not, by themselves, stop a real-time man-in-the-middle phisher who relays the code). In fact, US banking regulators' guidance (the FFIEC guidance on authentication in an Internet banking environment) requires online banking services to move beyond single-factor authentication, with multi-factor authentication for high-risk transactions, by the end of 2006. However, existing OTP systems are expensive to deploy for mass-market online services for two reasons: first, a security token device, which generates the OTPs, must be distributed to each user and managed over its lifetime; second, the authentication software is expensive, and integrating it with existing Java EE web sites is not trivial. Recent advances in open source security solutions for both Java EE and Java ME allow us to develop inexpensive two-factor authentication solutions for the mass market.
In this hands-on session, we will discuss how to integrate a stack of open source tools and frameworks to enable end-to-end two-factor authentication for Java EE servers. Any user with a Java ME mobile phone will be able to use the service. Open source tools covered in this talk include: Apache Directory Server (a pure Java directory server with Kerberos authentication service support, see http://directory.apache.org/), Hauskeys (the Java ME OTP generator for mobile phones, see http://hauskeys.safehaus.org/), and Triplesec (the server side OTP generator, the management interface and the application server integration kits, see http://triplesec.safehaus.org/). At the end of the session, you will be able to add two-factor authentication services to better protect your web site users (and yourself) for free.