Secure remote access and web applications with two-factor authentication

Ticket Control – The Cloud Factor

Administrators always appreciate the ability to harden, for example, administrator login to web applications, blogs, or content management systems by means of a two-factor authentication solution. Mydigipass cloud authentication by Vasco is ideal for this (Figure 5). One advantage of this solution is that the administrator does not need to install and operate any back-end software, because Vasco provides it in the cloud (see also the "OAuth API" box).

Figure 5: The cloud application enriches web applications with two-factor authentication.

The OAuth API provides a standardized interface in the form of the OAuth 2.0 API [20] that supports authenticated access to web applications. The OAuth protocol is commonly used in applications that let you log in to a service with the login credentials of another service (e.g., with a Windows LiveID or a Google or Facebook account).

For the implementation of OAuth in your own web applications, Vasco provides extensive online documentation, a "sandbox," and an online demo token [21] on its Developer Portal [22] (Figure 6). To access the Developer Portal, you first need to register with Mydigipass. With the access credentials you are given, you can log in to the developer portal. Besides detailed price information and the documentation, the developer portal also contains images, videos, and data sheets for user information that you can download as zipped User Activation Kits.

Figure 6: The online demo token by Vasco lets users test secure login on

The front end is a software OTP token for iOS, Android, or BlackBerry smartphones; alternatively, client software with Java support is available for mobile phones. Furthermore, you can integrate hardware tokens, which Vasco distributes to people at IT fairs.

As the first step, users must register [23] and install the free software token via the respective app stores. The Java client software is transferred to your mobile phone via a URL download link. For smaller community sites with one URL, up to 100 users, and 1,000 authentication transactions per year, the Mydigipass "Starter Edition" is completely free of charge. Larger packages start from US$ 3,000 (EUR 2,000) per year, but include 500 users and 10,000 authentication operations (Premium), or 10,000 users and 250,000 authentication operations (Executive) per year.

Hardening Drupal with Mydigipass

The Mydigipass module can also be used to harden the popular Drupal CMS by adding the Mydigipass login API (Figure 7). The following guide explains the installation and configuration based on Drupal 6.27. The main requirement is that the web server can reach the Mydigipass web service with an outbound HTTPS connection. If the web server resides behind a firewall, you need to open outbound port 443/TCP from the web server to the Mydigipass domain.

Figure 7: Configuring the Mydigipass plugin is simple using the Drupal module configurator. A special mode allows you to test the setup without immediately being locked out of the CMS.

In our lab, the plugin only worked correctly with "Clean URLs" enabled in Drupal. Clean URLs produce legible URLs without special characters. The Drupal admin can enable them by clicking Administer | Clean URLs | Enabled. Because the web server must also support this feature, the administrator must enable the rewrite module on the Apache web server.

To begin, download the tarball with the plugin [24] and unpack it in the sites/all/modules/mydigipass directory of your Drupal installation (e.g., /var/www/drupal/sites/all/modules/mydigipass). Next, register for a developer account on the Developer Portal [22], then log in and go to the Sandbox section. From there, click Connect a test site and type an identifier and a display name for your site; they can be identical.

As the Redirect uri, enter http://<Your-Domain>/mydigipass/callback. After creating your site, your client_id and client_secret are displayed on the portal site. Enter these values in the appropriate fields of the Mydigipass module in Drupal (Administer | MYDIGIPASS.COM). Select the Sandbox | developer radio button under Environment and enable the integration.
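The "OAuth API" box and the Redirect uri / client_id / client_secret steps above describe the standard OAuth 2.0 authorization-code flow without showing what the callback endpoint has to check. The following Python snippet is an added example, not code from the article, from Vasco, or from the Drupal module: it builds the authorization redirect with a random state value, validates the callback (exact redirect URI match, state match, presence of a code) and exchanges the code server-to-server, which is where the client_secret is used. The provider endpoint URLs, the client credentials and the token endpoint stand-in are constructed assumptions so the code runs offline; only the parameter names come from OAuth 2.0.

```python
import secrets
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values: in a real deployment client_id/client_secret are the ones
# shown on the developer portal, and REDIRECT_URI is the value registered there.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "http://cms.example.com/mydigipass/callback"
AUTHORIZE_URL = "https://provider.example/oauth/authenticate"  # assumed endpoint
TOKEN_URL = "https://provider.example/oauth/token"             # assumed endpoint


def build_authorization_url(session: dict) -> str:
    """Step 1: send the browser to the provider with a fresh, unguessable state
    that is bound to this server-side session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str, exchange) -> dict:
    """Step 2: the provider redirects back to REDIRECT_URI?code=...&state=...
    The callback is rejected unless it arrived at the registered redirect URI
    and carries the state stored in this session (defends against login CSRF
    and replayed callbacks). `exchange` performs the token request."""
    parsed = urlparse(callback_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if base != REDIRECT_URI:
        raise ValueError("callback arrived at an unexpected redirect URI")
    qs = parse_qs(parsed.query)
    state = qs.get("state", [None])[0]
    expected = session.pop("oauth_state", None)  # one-time use
    if expected is None or state is None or not secrets.compare_digest(state, expected):
        raise ValueError("state mismatch: possible login CSRF or replayed callback")
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    # Step 3: exchange the one-time code for a token server-to-server. The
    # client_secret is sent only on this back-channel, never to the browser.
    return exchange({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })


def fake_token_endpoint(form: dict) -> dict:
    """Constructed stand-in for an HTTPS POST to TOKEN_URL so the example runs
    offline; a real provider would verify the code against its own records."""
    if form["client_secret"] != CLIENT_SECRET or form["redirect_uri"] != REDIRECT_URI:
        return {"error": "invalid_client"}
    digest = hashlib.sha256(form["code"].encode()).hexdigest()[:16]
    return {"access_token": "tok-" + digest, "token_type": "bearer"}


def callback_rejected(session: dict, callback_url: str) -> bool:
    """True if handle_callback refuses the given callback for this session."""
    try:
        handle_callback(session, callback_url, fake_token_endpoint)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the whole flow with a simulated provider redirect."""
    session = {}
    url = build_authorization_url(session)
    state = parse_qs(urlparse(url).query)["state"][0]
    # Constructed: the provider sends the browser back with a code and our state.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    return handle_callback(session, callback, fake_token_endpoint)


if __name__ == "__main__":
    print(demo())
```

The check that matters for the "Mixed mode" safety net later in the article is the same one: a callback whose state does not match the session, or that arrives at a URI other than the registered one, must never log the user in, regardless of whether password login is still enabled alongside it.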

Mixed-Mode Testing

For your first tests, you will want to enable Mixed mode to be on the safe side. You can then continue to log in to your Drupal installation with your username and password if something goes awry with your integration attempt. In the course of the module configuration, you can customize the various button styles for the login button and create data fields for your user accounts, if desired.

Finally, you must connect your Drupal user account with the user registered at Mydigipass. To do so, select My Account | Edit in Drupal and press the Connect with MYDIGIPASS.COM button. If everything works out, Drupal reports The user has been successfully linked to MYDIGIPASS.COM, and you can log in to Drupal via Mydigipass. Before you can log in to Drupal via Mydigipass for the first time, however, you must first log out of the developer portal and Drupal and close the browser to clear the session cookies. See also the "Mydigipass Reservations" box.

Mydigipass Reservations

On GitHub [25], Vasco provides some plugins for popular blog and content management systems, including WordPress, Drupal, and Magento, as free downloads. Unfortunately, none of the plugins are up to date with the respective web applications. For example, the WordPress plugin is only compatible up to version 3.3.2, although the current WordPress version is 3.5.1. Seeing that WordPress admins are constantly forced to update their installations because of a continued spate of new vulnerabilities, the use of the WordPress plugin is not currently recommended. Vasco urgently needs to take action here and ensure that the plugins match the latest versions. More plugins for other popular systems like Joomla and Typo3 would be desirable as well.
