Has anyone tried to interface a card reader to allow personnel to log in and log out of the system using an ID badge? I would think it could be done depending on how the card reader database managed the logins.
I’m not sure how you’d get this to work with our existing authentication scheme, which is pretty strongly user/password based.
It would have to be a “false” login. The client would automatically log in and show your home-grown login startup screen to handle the input.
We’re using this autologin method against an internal auth profile (failed over from DB auth, since we don’t store the autologin user there) to get to a custom login screen where we can do some more secure login processing, including some client-side hashing, before sending our DB login query.
We are certainly interested in additional customization of the native login screen and designer/gateway login routines to allow higher levels of password security and hashing, plus open up options for 2-factor username/password/passcode authentication or even smartcard- or cert-based authentication methods.
This may or may not be all that helpful, but here’s how I would expect it to work. You first need some kind of directory service - that’s the whole point of a PKI system. In this case it would probably be Active Directory or LDAP (somehow).
For UNCLASSIFIED networks the DoD uses “common access cards”, which as I understand it are just commercial “smart cards”. The card has a unique 10 digit ID number and signed certificates that also contain your info. To grant access to the network, you modify the user object in Active Directory to contain that 10 digit number (I forget where exactly) and enable the account for “smart card logins”. The client computer has to have the proper root certificates installed and middleware for the card reader (we use “Active Client”).
There should be some reasonably simple API call that Ignition would call and expect back an access token. This is the part that I’m not sure about, but it should be reasonable. For example, DoD websites prompt for this. I’ve used it on various versions of Windows and Macs in several browsers. Again, the system is dependent on a lot being set up and done outside the Ignition environment. I can’t imagine it not being supported in Java.
I’m not sure about the exact mechanics of other multi-factor authentication schemes (pre-shared keys, RSA tokens, etc.), but they should be similar enough. They all should do some kind of external cryptographic challenge/response that produces an access token for Ignition to use (or just verify permissions). For a strong security environment you would want to use that token to access the database. That’s another matter, though.
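The two posts above sketch the pieces of a smart-card login without showing how they fit together: a root certificate the client trusts, a card whose certificate carries an ID that is mapped to a directory account, and a challenge/response that ends in an access token. The following is an added example, written for this editorial pass and not code from the thread, from Ignition or from any card middleware; it uses the Go standard library rather than Java. Everything in it is constructed: the "root CA" and card are generated on the fly in place of a real DoD root and CAC, the directory is a map standing in for Active Directory/LDAP, the 10-digit ID is placed in the certificate's subject CN purely as a modelling assumption (the poster did not recall where the real mapping lives, and this example does not claim to), and the token format is invented. What it does show faithfully is the order of checks a server must make: chain to a trusted root, proof of key possession over a fresh nonce, then directory enrolment, with no token issued unless all three pass.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// directory stands in for the AD/LDAP lookup, keyed by the card's 10-digit ID. Constructed data.
var directory = map[string]string{"1234567890": "jsmith"}

// CA is a constructed root standing in for the root certificate the client must have installed.
// Card simulates the smart card: key only ever signs challenges; Cert is the DER it presents.
type CA struct{ Cert *x509.Certificate; key *rsa.PrivateKey }
type Card struct{ key *rsa.PrivateKey; Cert []byte }

// newCert is fixture code: a fresh 2048-bit RSA key plus a certificate for it, signed by signer
// under parent, or self-signed when parent is nil.
func newCert(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, nil, err }
	if parent == nil { parent, signer = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return key, cert, der, err
}

func NewCA() (*CA, error) {
	key, cert, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	return &CA{Cert: cert, key: key}, err
}

// Issue personalises a card. Carrying the 10-digit ID in the subject CN is an assumption made
// for this example, not a description of how a real CAC is laid out.
func (ca *CA) Issue(cardID string) (*Card, error) {
	key, _, der, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cardID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, ca.key)
	return &Card{key: key, Cert: der}, err
}

// Sign is the card's half of the challenge/response: PKCS#1 v1.5 over SHA-256 of the nonce.
func (c *Card) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, digest[:])
}

// Challenge is the server's opening move: a fresh random nonce (a predictable one would let a captured response be replayed).
func Challenge() []byte { n := make([]byte, 32); rand.Read(n); return n }

// Verify is the server's verdict: chain to root, then signature, then enrolment; an opaque
// "<user>:<random hex>" token is minted only when all three pass.
func Verify(root *x509.Certificate, certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted card certificate: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, nonce, sig); err != nil {
		return "", fmt.Errorf("challenge signature does not verify")
	}
	user, ok := directory[cert.Subject.CommonName]
	if !ok {
		return "", fmt.Errorf("card %q not enrolled in directory", cert.Subject.CommonName)
	}
	tok := make([]byte, 16)
	rand.Read(tok) // opaque session handle, not derived from anything on the card
	return user + ":" + hex.EncodeToString(tok), nil
}

func main() {
	ca, _ := NewCA()
	card, _ := ca.Issue("1234567890")
	nonce := Challenge()
	sig, _ := card.Sign(nonce)
	fmt.Println(Verify(ca.Cert, card.Cert, nonce, sig))
}
```

Three failure modes are worth trying against it: a signature replayed against a later nonce is rejected because the server checks it over its own challenge, not the client's; a perfectly valid card from an issuer the server does not trust is rejected at the chain check before the signature is even looked at; and a card from the trusted issuer whose ID has never been added to the directory gets no token, which is the enrolment step the Active Directory post describes. In a real deployment the card side is the reader middleware and a PKCS#11 or platform keystore call, the root is the installed DoD root, and the directory lookup is an LDAP query; the ordering of the server's checks does not change.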