Hi, I'm a newbie here, not sure if this is the right place to post my question.  :)

I need to implement 2-factor authentication for my Windows logon and would like to know if a GINA STUB can fulfill my requirement or do I need to write the entire GINA DLL? I read there are risks in implementing the whole GINA so I would like to avoid that.

The flow:

1. Initial Authentication:
The user enters the username and password on the logon screen, the logon credentials are then used to authenticate against a remote authentication server.

--------------------------------------------------------------------------
"Please enter your Username and domain password"

USERNAME: [ ]
PASSWORD: [ ]
--------------------------------------------------------------------------

Alternatively, the credentials can also be used to log on to Windows or AD (as in the usual process), but I should be able to intercept and prevent the user from actually logging in whether or not the credentials have been successfully authenticated - this is because another set of logon credentials (2nd factor) must be submitted before finally allowing access.

2. 2nd Factor:
If the first authentication fails, the user is presented with the failure message returned by the remote authentication server, and the first logon screen is presented again.

On success, an OTP or one-time password will be sent to the user, and the user is then presented with another logon screen which looks like the following. The user enters the username and OTP.

--------------------------------------------------------------------------
"Please enter the OTP which you have received"

USERNAME: [ ]
OTP: [ ]
--------------------------------------------------------------------------

The logon credentials will then be submitted to the authentication server again. If the OTP is correct, the user will be allowed to log on to the machine for real and I should be able to log this event.

If OTP authentication fails, the user is presented with the failure message returned by the remote authentication server, and the following logon screen is presented:

--------------------------------------------------------------------------
"Sorry, you have entered the wrong OTP, please enter the OTP again or enter your domain password to generate another OTP"

USERNAME: [ ]
OTP/PASSWORD: [ ]
--------------------------------------------------------------------------


Note: Yes, I know that Windows 2008 and Vista use the new CP method, but I'll need to implement GINA for Windows 2003 Servers. I thought I'd implement CP after that, hopefully I can reuse as much of the code as possible.


Any suggestions would be much appreciated.
Posted on 2010-03-16 03:47:21 by joshua__lim
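The three-screen flow in the post, modelled as a small state machine so the logic can be exercised before it is wired into a GINA or Credential Provider. This is an added example, not code from the post or from any GINA project: the `RemoteAuthServer` class is a constructed in-memory stand-in for the poster's remote authentication server, and the OTP lifetime, attempt limit, account name and password are assumed values. It goes slightly beyond the post in that the OTP is single-use, expires, and is discarded after a fixed number of wrong guesses, and every decision is written to an audit list so the "log this event" requirement is covered.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300      # assumed OTP lifetime
MAX_OTP_ATTEMPTS = 3       # assumed limit before an issued OTP is discarded


class RemoteAuthServer:
    """Constructed stand-in for the remote authentication server in the post."""

    def __init__(self, users):
        # users: {username: password} for the demo; only salted PBKDF2 hashes are kept
        self._creds = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._creds[name] = (salt, self._hash(password, salt))
        self._pending = {}   # username -> {"otp", "expires", "attempts"}
        self.audit = []      # (event, username) tuples; the final success is logged here

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def check_password(self, user, password):
        rec = self._creds.get(user)
        # Hash against a dummy record for unknown users so timing does not reveal usernames
        salt, stored = rec if rec else (bytes(16), bytes(32))
        ok = hmac.compare_digest(self._hash(password, salt), stored) and rec is not None
        self.audit.append(("password_ok" if ok else "password_fail", user))
        return ok, "OK" if ok else "Invalid username or password"

    def issue_otp(self, user):
        otp = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending[user] = {"otp": otp, "expires": time.time() + OTP_TTL_SECONDS, "attempts": 0}
        self.audit.append(("otp_issued", user))
        return otp   # delivered out of band in a real deployment, never shown on the logon screen

    def check_otp(self, user, otp):
        pending = self._pending.get(user)
        if pending is None:
            return False, "No OTP outstanding; enter your domain password to request one"
        if time.time() > pending["expires"]:
            del self._pending[user]
            return False, "OTP expired; enter your domain password to request a new one"
        pending["attempts"] += 1
        if hmac.compare_digest(pending["otp"].encode(), otp.encode()):
            del self._pending[user]          # single use: a replayed OTP must not work
            self.audit.append(("logon_success", user))
            return True, "OK"
        if pending["attempts"] >= MAX_OTP_ATTEMPTS:
            del self._pending[user]
            return False, "Too many wrong OTPs; enter your domain password to request a new one"
        return False, "Wrong OTP"


class LogonFlow:
    """State machine for the three logon screens described in the post."""

    PASSWORD, OTP, OTP_OR_PASSWORD = "password", "otp", "otp_or_password"

    def __init__(self, server):
        self.server = server
        self.screen = self.PASSWORD
        self.user = None

    def submit(self, username, secret):
        """Handle one screen submission; returns (logged_in, message_for_user)."""
        if self.screen == self.PASSWORD:
            ok, msg = self.server.check_password(username, secret)
            if not ok:
                return False, msg                       # stay on the password screen
            self.user = username
            self.server.issue_otp(username)
            self.screen = self.OTP
            return False, "Please enter the OTP which you have received"

        if username != self.user:                       # the OTP is bound to the first-factor identity
            self.screen = self.PASSWORD
            return False, "Username does not match the first logon; start again"

        ok, msg = self.server.check_otp(username, secret)
        if ok:
            self.screen = self.PASSWORD                 # logon granted; reset for the next session
            return True, "Logon allowed"

        if self.screen == self.OTP_OR_PASSWORD:
            # Third screen: a correct domain password regenerates the OTP
            pw_ok, _ = self.server.check_password(username, secret)
            if pw_ok:
                self.server.issue_otp(username)
                self.screen = self.OTP
                return False, "A new OTP has been sent"

        self.screen = self.OTP_OR_PASSWORD
        return False, msg


if __name__ == "__main__":
    server = RemoteAuthServer({"jdoe": "correct horse"})   # constructed demo account
    flow = LogonFlow(server)
    print(flow.submit("jdoe", "correct horse"))
    print(flow.submit("jdoe", server._pending["jdoe"]["otp"]), server.audit)
```

In a GINA stub the `submit` call would sit behind each dialog: the stub only passes the credentials through to the real GINA once `submit` returns `True`, which is the interception point the post asks about. The username check on the second and third screens matters because the OTP was issued for the identity that passed the password step; accepting a different username there would let the second factor be decoupled from the first.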