1 Comment
- MagicalFzyBunny, on 10/12/2007: http://www.ny-dev.com/forums/showthread.php?t=1263
Dynamic IP locking: A poor man's multi-factor authentication
As some people know, financial institutions have to implement multi-factor authentication (FIL-103-2005).
"What is Multi-Factor?
The authentication factors for humans are generally classified into three cases:
* Something the user is (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), voice pattern (again several definitions), signature recognition, unique bio-electric signals produced by the living body, or other biometric identifier)
* Something the user has (e.g., ID card, security token, software token or cell phone)
* Something the user knows (e.g., a password, a pass phrase or a personal identification number (PIN))" (Wikipedia)
So what if you want to implement multi-factor authentication for your simple website without paying for a commercial solution? One that is as easy to use as the CAPTCHAs sites have recently implemented.
I present Dynamic IP locking, which is simply the concept of only allowing login if the user's IP (something they have) matches the one on record.
In the security world there has always been the practice of denying hosts unless they come from a certain IP. However, the problem is that nowadays hosts on the internet need to access systems and their IPs are not fixed. The idea is to put in place a logon system that adds a level of security but is by no means a cure-all. IPs can still be forged, just as we use MAC addresses to deny hosts even though they can be spoofed. Your login protocol still checks for a user ID and a password while checking whether the IP they signed up with matches the one signing on. So a person with a fixed IP would use their IP. However, a dynamic IP user would enter whatever.dyndns.com or whatever.com. The server would then look up the IP of this subdomain and see if it matches the host. The host would be running a client in the background (https://www.dyndns.com/support/clients/) that sends their dynamic IP to a trusted third-party DNS provider like no-ip.com, etc. Also, with the release of Windows Vista, all users will be able to be given an IPv6 address with its own subdomain to use from Microsoft, called the "Windows Internet Computer Name", a unique domain name. This can be treated as a trusted third party. The attackers thus could still forge the address; however, they would have to know the subdomain to look up in order to spoof it to the server.
This Dynamic IP locking would not be the only validation; the user would still have to match user ID, password, and IP. However, to the user this would not be an extra step once a client was running in the background reporting the IP to a trusted third party.
One of the main benefits is that current brute-forcing software would not have this factor built into its password-cracking attempts. Some might think this would cause problems if a user went to a library and didn't have that IP allowed to log in. You can still log in to your third party and update your IP to the current place of login. Of course, if logging in on an untrusted machine you will be exposing yourself. If a third-party dynamic DNS provider was DoSed, logins would fail across multiple systems.
At its simplest form the PHP code would look like this. Of course, in an actual implementation your software would be more complex. A non-production example of a login with Dynamic IP locking is at the bottom.
It is also best to have this as an option to enable instead of being forced, just as AOL users were given the option to use SecurID but were not required to.
People could just hack into the site you use for your dynamic DNS, but then they would have to know which one you use.
If they wanted to get into, say, your message board account, they would have to know where your dynamic DNS is and crack an additional login/password pair.
The following is example code only and SHOULD NOT be used in production.
This is a simple form to use to submit to our PHP script.
Now we create the MySQL entries we will pull. meow is the user ID and its password is "password"; moo also has the password "password". zat.isa-geek.com is the hostname you want the script to look up the IP on.
#
# Table structure for table `users90`
#
CREATE TABLE `users90` (
  `username` varchar(99) NOT NULL default '',
  `password` varchar(99) NOT NULL default '',   -- unsalted SHA-1 hex digest (example only)
  `ip` varchar(255) NOT NULL default '',        -- an IP literal or a dynamic-DNS hostname to resolve
  PRIMARY KEY (`username`)                      -- one record per user ID
) ENGINE=MyISAM;                                -- TYPE=MyISAM is no longer accepted by MySQL
#
# Dumping data for table `users90`
# (5baa61e4... is the SHA-1 of "password"; meow is checked against the address
# that zat.isa-geek.com currently resolves to, moo against the literal 127.0.0.1)
#
INSERT INTO `users90` VALUES ('meow', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', 'zat.isa-geek.com');
INSERT INTO `users90` VALUES ('moo', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', '127.0.0.1');
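The login check the post describes (user ID, then password hash, then the client's IP against either the stored IP literal or the address a dynamic-DNS hostname currently resolves to), as an added Python example; it is not the post's PHP script and the poster's form is not reproduced. The in-memory table mirrors the two `users90` rows above. The resolver is injectable: the demo runs offline with a constructed hostname-to-IP table in place of real DNS, which also lets the "DDNS provider is down" case the post mentions be exercised (the check fails closed). `USERS`, `login`, `expected_ip` and `dns_resolver` are names chosen here, not from the post.

```python
import hashlib
import hmac
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Constructed sample table mirroring the post's users90 rows.
# Both rows hold the unsalted SHA-1 of "password", exactly as the post's
# dump does; a real system would store a salted, slow hash (bcrypt/argon2).
USERS: Dict[str, Dict[str, str]] = {
    "meow": {"password": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
             "ip": "zat.isa-geek.com"},      # dynamic-DNS hostname, resolved at login
    "moo":  {"password": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
             "ip": "127.0.0.1"},             # fixed IP literal
}

# A resolver maps a hostname to its current address, or None if it cannot.
Resolver = Callable[[str], Optional[str]]


def dns_resolver(hostname: str) -> Optional[str]:
    """Default resolver: a real A-record lookup (not used by the offline demo)."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def expected_ip(record: str, resolve: Resolver) -> Optional[str]:
    """The `ip` column holds either an IP literal or a hostname to look up."""
    try:
        return str(ipaddress.ip_address(record))   # already an address: use as-is
    except ValueError:
        return resolve(record)                      # hostname: ask the (dynamic) DNS


def login(username: str, password: str, client_ip: str,
          users: Dict[str, Dict[str, str]] = USERS,
          resolve: Resolver = dns_resolver) -> str:
    """Return "ok" or the reason access was denied. All three factors must match.

    client_ip must be the address of the TCP peer the server actually talked
    to, never a client-supplied header, or the third factor is just text the
    attacker types.
    """
    user = users.get(username)
    # Hash and compare even for unknown users so timing does not reveal
    # which user IDs exist.
    given = hashlib.sha1(password.encode()).hexdigest()
    stored = user["password"] if user is not None else "0" * 40
    password_ok = hmac.compare_digest(given, stored)
    if user is None or not password_ok:
        return "bad credentials"

    allowed = expected_ip(user["ip"], resolve)
    if allowed is None:
        # Fail closed: if the DDNS provider is unreachable (or DoSed, as the
        # post notes), nobody bound to a hostname can log in.
        return "ip lookup failed"
    try:
        if ipaddress.ip_address(client_ip) != ipaddress.ip_address(allowed):
            return "ip mismatch"
    except ValueError:
        return "ip mismatch"        # malformed peer address is never a match
    return "ok"


if __name__ == "__main__":
    # Constructed stand-in for the DDNS provider: what zat.isa-geek.com points at.
    ddns = {"zat.isa-geek.com": "203.0.113.7"}
    print(login("meow", "password", "203.0.113.7", resolve=ddns.get))   # ok
    print(login("meow", "password", "198.51.100.9", resolve=ddns.get))  # ip mismatch
    # User moves to the library and updates the DDNS record from there.
    ddns["zat.isa-geek.com"] = "198.51.100.9"
    print(login("meow", "password", "198.51.100.9", resolve=ddns.get))  # ok
    # DDNS provider down: hostname-bound users are locked out.
    print(login("meow", "password", "203.0.113.7", resolve={}.get))     # ip lookup failed
    print(login("moo", "password", "127.0.0.1"))                        # ok (no DNS needed)
```

Two things a practitioner would add before relying on this: take `client_ip` from the socket, not from `X-Forwarded-For` or similar headers (unless a trusted reverse proxy sets them), and keep the hostname lookup uncached or short-TTL, since the whole point is that the record changes when the user's address does. The unsalted SHA-1 is kept only to match the post's dump.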

