[joomla] 5$ secureid authentication hack
bz-gmort at beezifies.com
Wed Oct 17 10:58:52 EDT 2007
Rolan Yang wrote:
> At the Joomla Day during the security breakout session, the
> discussion drifted towards various methods of login authentication. The
> topic of SecurID was mentioned as being an expensive alternative. I just
> noticed today that Paypal is offering a SecurID keychain fob for $5. It
> would be simple to write a small php authentication function which acted
> as a proxy to paypal, accepting an email, password, and SecurID code,
> sending off an https request, parsing the response and returning a
> TRUE or FALSE authenticated result.
>
As an alternate method of doing security, you could use the SecurID and
perform a payment process to verify the logon.
I.e., someone goes to your website and clicks on a Secure Logon link.
Your site directs them over to make a Paypal "purchase" of 1 cent.
They logon to Paypal, using their userid, password, and SecurID
keychain (if they so desire).
The payment is processed and Paypal returns them to your website.
You verify the payment and grab their paypal account email address to
verify the account they are logging into.
The downside of this is every logon costs a few cents (the 1 cent fee,
plus Paypal minimum fees on you).
The upside is that even if your website is completely compromised, the
only paypal id that is compromised is the one used to accept payments.
All the other logons occur on Paypal's site so you never capture userids
or passwords (well, ok, you capture userids since paypal uses the email
address. But you won't get their passwords.)
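The "verify the payment and grab their paypal account email address" step is where this scheme stands or falls, so here is a worked example of that check. It is added here and is not code from the original post or from Joomla; it assumes PayPal delivers a payment notification as POST fields named as in its IPN format (txn_id, payment_status, receiver_email, payer_email, mc_gross, mc_currency, custom), and it abstracts the post-back to PayPal that confirms the notification is genuine into a callback so the logic runs offline. The nonce store, the seen-transaction store and the MERCHANT_EMAIL value are placeholders.

```php
<?php
// Added example, not from the original post. Verifies a 1-cent PayPal "login
// payment" before treating the payer's e-mail address as an authenticated user.

const LOGIN_FEE      = '0.01';                  // the 1-cent "purchase"
const LOGIN_CURRENCY = 'USD';
const MERCHANT_EMAIL = 'payments@example.com';  // placeholder: your receiving account
const LOGIN_TTL      = 600;                     // seconds a pending login stays valid (assumption)

// Step 1: when the user clicks "Secure Logon", mint a one-time nonce bound to
// their session and pass it to PayPal in the "custom" field, so the returning
// payment can only complete the login attempt that started it.
function startLogin(array &$pendingLogins, string $sessionId): string {
    $nonce = bin2hex(random_bytes(16));
    $pendingLogins[$nonce] = ['session' => $sessionId, 'created' => time()];
    return $nonce;
}

// Step 2: on the notification, check everything before trusting payer_email.
// $validate posts the notification back to PayPal and returns true only when
// PayPal confirms it (kept abstract here). Returns the local username to log
// in, or null if the payment does not prove a login.
function verifyLoginPayment(array $ipn, array &$pendingLogins, array &$seenTxns,
                            array $accounts, callable $validate): ?string {
    if (!$validate($ipn)) {
        return null;                                   // notification not confirmed by PayPal
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return null;                                   // pending or reversed payment
    }
    if (strtolower($ipn['receiver_email'] ?? '') !== MERCHANT_EMAIL) {
        return null;                                   // payment went to some other account
    }
    $amount = number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '');
    if ($amount !== LOGIN_FEE || ($ipn['mc_currency'] ?? '') !== LOGIN_CURRENCY) {
        return null;                                   // wrong amount or currency
    }
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || isset($seenTxns[$txn])) {
        return null;                                   // same notification delivered twice
    }
    $nonce = $ipn['custom'] ?? '';
    if (!isset($pendingLogins[$nonce])) {
        return null;                                   // not a login attempt this site started
    }
    if (time() - $pendingLogins[$nonce]['created'] > LOGIN_TTL) {
        unset($pendingLogins[$nonce]);
        return null;                                   // login attempt expired
    }
    $email = strtolower($ipn['payer_email'] ?? '');
    if (!isset($accounts[$email])) {
        return null;                                   // no local account for this PayPal user
    }
    $seenTxns[$txn] = true;                            // record txn_id so it cannot be reused
    unset($pendingLogins[$nonce]);                     // nonce is single-use
    return $accounts[$email];
}

// Demo with a constructed notification and a stand-in validator.
$pending  = [];
$seen     = [];
$accounts = ['alice@example.com' => 'alice'];           // constructed: PayPal e-mail -> local user
$nonce    = startLogin($pending, 'session-1');
$ipn = [                                               // constructed sample notification
    'txn_id'         => 'TXN-SAMPLE-1',
    'payment_status' => 'Completed',
    'receiver_email' => MERCHANT_EMAIL,
    'payer_email'    => 'Alice@example.com',
    'mc_gross'       => '0.01',
    'mc_currency'    => 'USD',
    'custom'         => $nonce,
];
$alwaysConfirmed = fn(array $n): bool => true;         // stand-in; real code asks PayPal
var_dump(verifyLoginPayment($ipn, $pending, $seen, $accounts, $alwaysConfirmed));
// Same notification delivered again: txn_id is already recorded and the nonce is gone.
var_dump(verifyLoginPayment($ipn, $pending, $seen, $accounts, $alwaysConfirmed));
```

The order of checks matters: the receiver and amount checks stop a payment made to a different account from logging anyone in, the txn_id record stops a captured notification from being replayed, and the nonce binds the payment to the browser session that started the login rather than to whichever session happens to be waiting when PayPal calls back.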