RSA based authentication

Any plans for this?

No plans for this, but I’ll consider this a vote for such a feature. How would you like it to work? I’m not all that familiar with RSA authentication…


Authentication does use the RSA encryption algorithm, among other things. Are you referring to RSA SecurID dongle type devices that generate random numbers every so often?

Yes, I think Nathan has it.

Where an organization has an RSA server and the users get a key fob that generates a new key every minute. To log in a user has to have a login id, password/pin, and the key from the key fob.


Yes, that is also what I assumed you meant (the dongles).

I would like to see this, too. Our inspectors would love to see this level of security and have that added trust when going through the audit records and compliance data.

(Ref: PMO and 21CFR 11)

I had several long talks with Rockwell and RSA and there’s little hope of a nice integration between their SCADA packages and this style of 2-factor authentication. Because Ignition is Java-based, it should be a straightforward integration: RSA has really well-done and well-documented APIs available.

Some good news: some of the work that we just completed on 7.6 will help lay the foundation for multifactor authentication! RSA might be a good target for 7.7, although I can’t promise anything.

You might want to take a look at Phone Factor.

phonefactor.com

At login or credential check, your cell phone is called. The phone factor voice says this is Phone Factor. Press * star to continue.

It can be set to rollover to another number if the first does not answer.

We used to use the RSA tokens but dropped them in favor of Phone Factor.

They were just bought by Microsoft.

From the web site…

PhoneFactor offers enterprise grade security Free for up to 25 users and up to 500 authentications a month. There is no cost for authentications to the US and a number of other locales worldwide (see details). Upgrade at any time to secure additional users or take advantage of advanced features.

PhoneFactor Direct SDK
Download easy web plug-ins to integrate PhoneFactor with your existing website or online transaction system.

•ASP.NET C#
•ASP.NET VB
•Java
•Perl
•Ruby
•PHP

I hope this helps.

Dennis

I’ve looked at phone factor a number of times - love it. Will definitely be on our radar when we do multifactor authentication. Things that have been requested:

Phone factor
RSA secureid tokens
Badge swipe / scan to login

Badge swipe/scan would be desirable here. Everyone is badged.

Curious: any ideas how the badge scan/swipe would actually get into our software? What technology would you want to use to hook up an Ignition client log-on screen to a badge scanner?

Our building security system uses equipment and badges by HID.

The badges have barcode, magnetic stripe, and either RFID or Wiegand wire.

The security system associates doors and people. Naturally, there is a database.

These badges could be used in Ignition by having either a similar database in Ignition or linking to security’s database.

The latter has many hurdles to overcome, but the former could be easily done.

I know there are reasonably priced magnetic or barcode scanners out there. We have used some keyboard stuffers that basically insert streams as if from the keyboard.

I hope this helps.

Dennis

Yeah the style that acts like a keyboard will obviously be the easiest to support.

We do the same, our security system is all HID readers and badges but we’ve used these readers for our point-of-sale applications and they work nice. They work like a keyboard like Dennis was talking about but you can set them up to strip only specific information out and add a [CR][LF] at the end.

Perhaps you could have a badge entry component or something that you could set framing characters for and if it saw the right framing characters and correct number of ASCII characters it would fire an event maybe? Might be a cool feature, though it would all be client side.

Yeah that’s the basic idea. I want the login screen itself to be able to be swapped out. So for example maybe that one would just say “Swipe badge” and would capture the keyboard input like you said: looking for certain framing characters.

We use smart cards to log on to a Windows Domain. Web sites can support a similar authentication scheme. The card stores your digital certificates and validates your PIN via an onboard processor. USB readers cost about $15, with keyboards and laptops available that integrate the functionality. I believe this could be a viable option for Ignition to support.

I’m not sure about integrating RFID access cards. I have dealt with several systems, all of which I believe are proprietary. In each case, a programming terminal PC runs custom software and uses a connected device as the interface, then downloads to a hardware controller. As a user you scan your badge, then your credentials are downloaded (fast red/green flash), you enter your PIN and are granted access or not. A central database tracks your: rights, PIN, and history. Doors or turnstiles can be programmed for badge swipe only or swipe+PIN. I am not aware of simple/economic ways to connect sensors to PCs or standards that would simplify the integration of these systems with Ignition. It might be possible, though…

Regarding the HID USB reader, CDW has this:

This product was discontinued as of Wednesday, October 31, 2012. Call for availability

edit:

Looking a little further, there is a PCProx Plus by RFIDeas that would replace it. You can have USB, Serial, or Ethernet.

Dennis

This topic is very timely.

I have a customer that I implemented their HID cards for authenticating into iFix.

I am quoting a job that would require using these same cards to login to Ignition.

Basically it’s as simple as adding the card’s ID into the user/pass table.

Then modifying the login screen / activations screen (when the screen times out) to do a lookup from the user/pass table and then pass the credentials to the system.

Simple is a short word for “Is there an API within Ignition that will allow one to do this” or is there any documentation that will allow a person to write their own login screen that can capture the HID card’s ID and execute a call that will authenticate them into Ignition.

yeah… not so simple. The login screen isn’t replaceable through the API (yet). That’s what we’re looking into doing.

In the meantime what people have done (successfully) is to have the project auto-logon with a user that has no privileges, and then have the startup screen be your own login screen, that does your own authentication logic, and then calls system.security.switchUser.
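The badge-capture idea discussed in this thread (framing characters, a fixed number of ASCII characters, then a lookup in a badge table), sketched as an added example that is not part of any post or of Ignition itself. It is plain Python so it runs outside Ignition; the frame format, timing threshold, key and table contents are all assumptions, and the returned username is what a custom login screen would hand on to its own authentication step.

```python
import hashlib
import hmac

# Assumed framing: the reader is set up to send ';' + 8 digits + '?' + CR LF.
START, END, ID_LEN = ";", "?", 8
MAX_GAP_MS = 50  # assumed: wedge readers emit keys far faster than a person types
PEPPER = b"constructed-demo-key"  # placeholder key, not a real secret

def badge_digest(badge_id):
    """Keyed hash, so the lookup table never stores raw badge numbers."""
    return hmac.new(PEPPER, badge_id.encode("ascii"), hashlib.sha256).hexdigest()

# Constructed sample table: badge digest -> username.
BADGE_TABLE = {badge_digest("00412345"): "operator1"}

def parse_frame(keystrokes):
    """keystrokes: list of (char, timestamp_ms). Returns the badge id or None."""
    chars = "".join(c for c, _ in keystrokes).rstrip("\r\n")
    if len(chars) != ID_LEN + 2 or chars[0] != START or chars[-1] != END:
        return None  # wrong framing characters or wrong length
    body = chars[1:-1]
    if not all(c in "0123456789" for c in body):
        return None  # only ASCII digits are accepted
    times = [t for _, t in keystrokes]
    if any(b - a > MAX_GAP_MS for a, b in zip(times, times[1:])):
        return None  # arrived too slowly to have come from the reader
    return body

def user_for_swipe(keystrokes):
    """Map a captured swipe to a username, or None if it is not recognised."""
    badge = parse_frame(keystrokes)
    if badge is None:
        return None
    digest = badge_digest(badge)
    for stored, user in BADGE_TABLE.items():
        if hmac.compare_digest(stored, digest):
            return user
    return None

def swipe(text, gap_ms=5):
    """Build constructed keystroke events for the demo."""
    return [(c, i * gap_ms) for i, c in enumerate(text)]

if __name__ == "__main__":
    print(user_for_swipe(swipe(";00412345?\r\n")))
```

A keyboard-style reader's output can be reproduced by anything that types, so the badge ID here identifies the user and does not replace a PIN or password; the swipe+PIN mode mentioned earlier in the thread is the stronger configuration.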

Can we get a timeline or ballpark release for extending the Login screen and authentication methods with modules?