I recently came across something called ShieldPass, a two-factor authentication system that you can integrate into your website easily and, more importantly, cheaply.
You receive a neat credit-card-sized card with a clear window area in which parts of digits are displayed. Once you add the code for this system to your website, it presents an area on your screen against which you place your card and match the digits up to read off the code you enter.
Presented on the screen of your computer is the following. You then hold your card up to align it and enter the code displayed, which alternates. It even works on the iPhone and iPad.
The pattern looks like this (animated image below):
For $9 you receive one card, including a one-year subscription to their authentication system. This has various options such as brute-force lockouts, IP monitoring, domain locking (so only my URL can authenticate against it) and so on. There is also an option to run your own authentication server.
This video shows how the card actually works.
The system operates using public and private keys, and each login uses a unique one-time password.
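To make the mechanism described above concrete, here is a small Python model of a window-grid card used as a second factor. It is an added example, not ShieldPass's own code, and it is not a description of ShieldPass's real protocol, which this post does not go into. The grid size, number of windows per card, challenge lifetime and lockout threshold are all assumed values. The server shows a fresh grid of random digits; the card's secret is the set of window positions; the user types the digits seen through the windows, so the typed code changes on every login; every attempt consumes the displayed grid, and repeated wrong codes trigger the kind of brute-force lockout mentioned in the feature list.

```python
import hmac
import random
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed geometry and policy for this toy model (not ShieldPass's real values).
GRID_ROWS, GRID_COLS = 5, 8
WINDOWS_PER_CARD = 6
CHALLENGE_TTL = 60.0        # seconds a displayed grid stays valid
MAX_FAILURES = 5            # wrong codes before brute-force lockout
LOCKOUT_SECONDS = 900.0

Card = Tuple[Tuple[int, int], ...]   # secret window positions as (row, col)
Grid = List[List[int]]               # digits shown on screen


def issue_card(rng: random.Random) -> Card:
    """Choose distinct window positions; sorted so reading order is row-major."""
    cells = [(r, c) for r in range(GRID_ROWS) for c in range(GRID_COLS)]
    return tuple(sorted(rng.sample(cells, WINDOWS_PER_CARD)))


def read_through_card(grid: Grid, card: Card) -> str:
    """The digits visible through the windows, read top-left to bottom-right."""
    return "".join(str(grid[r][c]) for r, c in card)


@dataclass
class Authenticator:
    """Server side: stores card secrets, issues one-time grids, enforces lockout."""
    cards: Dict[str, Card]
    rng: random.Random = field(default_factory=secrets.SystemRandom)
    clock: Callable[[], float] = time.time
    challenges: Dict[str, Tuple[Grid, float]] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str) -> bool:
        return self.clock() < self.locked_until.get(user, 0.0)

    def new_challenge(self, user: str) -> Optional[Grid]:
        """A fresh random grid for this login attempt; None if unknown or locked."""
        if user not in self.cards or self.is_locked(user):
            return None
        grid = [[self.rng.randrange(10) for _ in range(GRID_COLS)]
                for _ in range(GRID_ROWS)]
        self.challenges[user] = (grid, self.clock() + CHALLENGE_TTL)
        return grid

    def verify(self, user: str, typed: str) -> bool:
        """Check the typed code. Any attempt consumes the outstanding grid."""
        if self.is_locked(user):
            return False
        item = self.challenges.pop(user, None)       # one-time, success or not
        if item is None or self.clock() > item[1]:   # no grid issued, or it expired
            self._record_failure(user)
            return False
        expected = read_through_card(item[0], self.cards[user])
        # constant-time comparison on bytes; a wrong length simply compares False
        ok = hmac.compare_digest(expected.encode(), typed.encode())
        if ok:
            self.failures.pop(user, None)
        else:
            self._record_failure(user)
        return ok

    def _record_failure(self, user: str) -> None:
        count = self.failures.get(user, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            count = 0
        self.failures[user] = count


def demo() -> dict:
    """One good login, a replay, a burst of guesses, then an expired grid (seeded, fake clock)."""
    rng = random.Random(2011)
    now = [1_000_000.0]
    auth = Authenticator({"alice": issue_card(rng)}, rng=rng, clock=lambda: now[0])
    grid = auth.new_challenge("alice")
    code = read_through_card(grid, auth.cards["alice"])   # what alice reads off the screen
    login_ok = auth.verify("alice", code)
    replay_ok = auth.verify("alice", code)                # same code again: grid consumed
    for _ in range(MAX_FAILURES):                         # attacker guessing codes
        auth.new_challenge("alice")
        auth.verify("alice", "guess")                     # never matches a digit string
    locked = auth.is_locked("alice")
    now[0] += LOCKOUT_SECONDS + 1                         # lockout expires
    stale = auth.new_challenge("alice")
    now[0] += CHALLENGE_TTL + 1                           # user walked away from the grid
    expired_ok = auth.verify("alice", read_through_card(stale, auth.cards["alice"]))
    return {"login_ok": login_ok, "replay_ok": replay_ok, "locked": locked,
            "expired_ok": expired_ok, "code_len": len(code),
            "windows": len(set(auth.cards["alice"]))}
```

The point of consuming the grid on every attempt, right or wrong, is that an attacker who captures a screenshot of one grid gets exactly one guess against it, and the lockout counter bounds how many grids they can burn through.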
Sample code is supplied which you can simply copy and paste into your website, or plugins are available for WordPress, osCommerce, Zen Cart etc. This is what attracted me to it, as I use WordPress. I can now cheaply and easily (it took me two minutes without reading any docs) further secure the admin panel on my blog. So I now log in as normal, then I am presented with an additional screen where I have to place my ShieldPass card against the screen and enter the one-time code. I am then authenticated to the admin panel. I believe you can also turn off the normal WordPress auth and use only ShieldPass, but I haven't tried that yet.
Given an earlier article I posted showing just how easy it is to enumerate and brute-force WordPress users and passwords, this is a perfect solution. See the old post here: http://www.commonexploits.com/?p=291
Backup cards can be supplied for $5, so if one is lost you can manage the cards via their admin portal. You can also lock users to regular IP addresses, among the various options shown below.
As I work in the security industry, I have seen many e-commerce stores such as osCommerce compromised and credit card data extracted that had been stored for offline payments. This is no fault of osCommerce but rather a weak-admin-credential issue. For small companies that can't afford large authentication systems, this is where I see it being a great solution. For $9 you have a solution where only your card (together with your existing password) can gain access to the admin panel, and every login uses a unique one-time password.
My blog doesn't contain anything really important, but if the admin panel were compromised, its content could be changed and the site defaced. Obviously, if this were a business with a store, it would be essential to protect the admin panel from hackers.
I have not conducted any security testing on these devices; I am purely sharing the information as I think it looks a pretty good idea, and for me it adds a much-needed improvement over my existing website authentication.
Take a look at the ShieldPass site for more info: www.shieldpass.com