What are the best practices for implementing temporary transaction password feature for website?
为网站实施临时交易密码功能的最佳做法是什么?
For e.g in banking/finance scenarios like - While transfering funds from one account to another, a transaction password is required - While commiting a trade, a transaction password is required - etc.
例如,在银行/金融业务中,例如 - 在将资金从一个账户转移到另一个账户时,需要交易密码 - 在进行交易时,需要交易密码等。
The password should be temporary and time based i.e. this password should not work after x minutes has elapsed.
密码应该是临时的和基于时间的,即在x分钟过去之后该密码不起作用。
What algorithm would you recommend? Do you suggest keeping track of used passwords i.e. store used password in some store?
你会推荐什么算法?您是否建议跟踪使用过的密码,即在某些商店中存储使用过的密码?
Some website use a OneTimePassword device. Apart from this please feel to highlight any other strategy you think may be appropriate.
有些网站使用OneTimePassword设备。除此之外,请考虑强调您认为可能适合的任何其他策略。
Any other thoughts/suggestions/algorithm welcome.
任何其他想法/建议/算法欢迎。
Edit: Based on question from 'lassevk'
编辑:基于'lassevk'的问题
- The password would be communicated by email/phone/sms.
- There is no third site involved.
密码将通过电子邮件/电话/短信进行通信。
没有涉及第三个网站。
I require this for additional level of security for critical points in the application. This may also be called as "AuthenticationCode".
我要求它为应用程序中的关键点提供额外的安全级别。这也可以称为“AuthenticationCode”。
2 个解决方案
#1
Well It really differs from institutions to institutions
那么它从机构到机构真的不同
Creating a Financial PIN on the basis of Sessions would be more securer strategy rather then creating a FPIN that works for particular time period.
在会话的基础上创建财务PIN将是更安全的策略,而不是创建适用于特定时间段的FPIN。
If you have resources to SMS the FPIN then the best practice would be to Generate FPIN before every transaction and SMS the FPIN to user that would be some thing like 2FA.
如果您有资源发送短信FPIN,那么最佳做法是在每次交易之前生成FPIN,并将FPIN发送给用户,这可能是2FA。
Regards Azeem.
#2
Edit after updated question:
更新问题后编辑:
Well, one way would be to simply store it in the session variable, that would make it forcibly go away whenever the service is restarted.
好吧,一种方法是简单地将它存储在会话变量中,这将使它在重新启动服务时强行消失。
Additionally you would need to have a timer on it, basically you store expiration time+password somewhere, and whenever you check the password, if the expired time is in the past, you don't have a password and just clear it.
此外,你需要有一个计时器,基本上你在某个地方存储过期时间+密码,每当你检查密码时,如果过期的时间是过去,你没有密码,只需清除它。
If you encapsulate this away in some base code that not only checks if the right password is given, then it would need to be able to answer both yes, no, and no password stored so that you can give the appropriate message to the user.
如果您将其封装在一些不仅检查是否给出正确密码的基本代码中,那么它需要能够同时回答是,否和没有密码,以便您可以向用户提供相应的消息。
A couple of questions:
几个问题:
- How would you communicate the temporary password to the user? SMS?
- Is the password for the same site, or is it created for another, linked, site? (ie. your bank main site generates or gets hold of the password, and you use that to log on or authorize the transaction on another, related, site?)
您如何将临时密码传达给用户?短信?
是同一站点的密码,还是为另一个链接的站点创建的? (即您的银行主站点生成或获取密码,您使用它来登录或授权另一个相关的站点上的交易?)
If the answers are:
如果答案是:
- Via the website
- No, same site
通过网站
不,同一个网站
Then what's the point? What are you hoping to gain from this? What are the specific criteria or goal for implementing this feature?
那有什么意义呢?你有什么希望从中得到的?实现此功能的具体标准或目标是什么?
#1
Well It really differs from institutions to institutions
那么它从机构到机构真的不同
Creating a Financial PIN on the basis of Sessions would be more securer strategy rather then creating a FPIN that works for particular time period.
在会话的基础上创建财务PIN将是更安全的策略,而不是创建适用于特定时间段的FPIN。
If you have resources to SMS the FPIN then the best practice would be to Generate FPIN before every transaction and SMS the FPIN to user that would be some thing like 2FA.
如果您有资源发送短信FPIN,那么最佳做法是在每次交易之前生成FPIN,并将FPIN发送给用户,这可能是2FA。
Regards Azeem.
#2
Edit after updated question:
更新问题后编辑:
Well, one way would be to simply store it in the session variable, that would make it forcibly go away whenever the service is restarted.
好吧,一种方法是简单地将它存储在会话变量中,这将使它在重新启动服务时强行消失。
Additionally you would need to have a timer on it, basically you store expiration time+password somewhere, and whenever you check the password, if the expired time is in the past, you don't have a password and just clear it.
此外,你需要有一个计时器,基本上你在某个地方存储过期时间+密码,每当你检查密码时,如果过期的时间是过去,你没有密码,只需清除它。
If you encapsulate this away in some base code that not only checks if the right password is given, then it would need to be able to answer both yes, no, and no password stored so that you can give the appropriate message to the user.
如果您将其封装在一些不仅检查是否给出正确密码的基本代码中,那么它需要能够同时回答是,否和没有密码,以便您可以向用户提供相应的消息。
A couple of questions:
几个问题:
- How would you communicate the temporary password to the user? SMS?
- Is the password for the same site, or is it created for another, linked, site? (ie. your bank main site generates or gets hold of the password, and you use that to log on or authorize the transaction on another, related, site?)
您如何将临时密码传达给用户?短信?
是同一站点的密码,还是为另一个链接的站点创建的? (即您的银行主站点生成或获取密码,您使用它来登录或授权另一个相关的站点上的交易?)
If the answers are:
如果答案是:
- Via the website
- No, same site
通过网站
不,同一个网站
Then what's the point? What are you hoping to gain from this? What are the specific criteria or goal for implementing this feature?
那有什么意义呢?你有什么希望从中得到的?实现此功能的具体标准或目标是什么?