[OWASP-ESAPI] IAuthenticator
Jim Manico
jim at manico.net
Tue Jan 1 02:58:24 EST 2008
Jeff,
The IAuthenticator interface looks solid for username/password
implementations, but what did you have in mind to support multi-factor
authentication?
Perhaps in addition to:
IUser createUser(String accountName, String password1, String password2)
throws AuthenticationException;
We could add
IUser createUser(String accountName, String password1, String password2,
Map questionAnswerMap) throws AuthenticationException;
As well as supporting this at the user level (storing the question in
plaintext + storing the answer hashed)?
On a similar note - I assume you expect the caller of the createUser
function to hash the password before hitting it. Perhaps with a little
inheritance we could force that - or at least add a little Javadoc at
the top of the interface's function to explain to the novice security
programmer the intention?
/**
 * Warning, do not call this function with plaintext passwords!
 *
 * @param password1
 *            the hashed version of the password via hashPassword(String
 *            password, String accountName)
 * @param password2
 *            copy of the hashed password via hashPassword(String
 *            password, String accountName)
 */
Best,
Jim
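As an added illustration of the question/answer overload and the "store the question in plaintext, the answer hashed" point proposed above (example code, not part of the original message and not ESAPI's own code): a hypothetical in-memory user store whose createUser hashes every answer before storing it and whose verification compares digests in constant time. The class name, the hashAnswer helper and its SHA-256-with-account-name-salt construction are assumptions standing in for ESAPI's hashPassword; a production store would use a slow, salted password hash instead.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Hypothetical sketch of the proposed overload; not ESAPI code.
public class QuestionAnswerUserStore {
    // accountName -> (question in plaintext -> hashed answer); stand-in for the real user store
    private final Map<String, Map<String, String>> usersByAccount = new HashMap<>();

    /** Mirrors the proposed createUser(accountName, password1, password2, questionAnswerMap). */
    public void createUser(String accountName, String password1, String password2,
                           Map<String, String> questionAnswerMap) {
        // password1/password2 are expected to arrive already hashed, as the Javadoc above demands
        if (password1 == null || !password1.equals(password2)) {
            throw new IllegalArgumentException("hashed passwords do not match");
        }
        if (questionAnswerMap == null || questionAnswerMap.size() < 2) {
            throw new IllegalArgumentException("at least two security questions are required");
        }
        Map<String, String> stored = new HashMap<>();
        for (Map.Entry<String, String> e : questionAnswerMap.entrySet()) {
            stored.put(e.getKey(), hashAnswer(e.getValue(), accountName)); // plaintext answer never stored
        }
        usersByAccount.put(accountName, stored);
    }

    /** Verifies one answer against its stored digest using a constant-time comparison. */
    public boolean verifyAnswer(String accountName, String question, String answer) {
        Map<String, String> stored = usersByAccount.get(accountName);
        if (stored == null || !stored.containsKey(question)) return false;
        return MessageDigest.isEqual(
            stored.get(question).getBytes(StandardCharsets.UTF_8),
            hashAnswer(answer, accountName).getBytes(StandardCharsets.UTF_8));
    }

    /** Normalises the answer (case and whitespace) and salts it with the account name (assumed scheme). */
    static String hashAnswer(String answer, String accountName) {
        String normalised = answer.trim().toLowerCase(Locale.ROOT).replaceAll("\\s+", " ");
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(accountName.getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0); // separator so "ab"+"c" and "a"+"bc" cannot collide
            byte[] digest = md.digest(normalised.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }
}
```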