[imp] IMP Security Idea
Lee
lee at disinfo.com
Tue Jul 6 18:25:53 PDT 2004
I can tell you from our setup alone (cyrus->ldap) Password AND a Pin is
going to be a disaster to implement on the backend mail
server/directory that horde authenticates against. **HOWEVER** I think
you are really on to something cool with the idea. What about a link on
the login page that causes a dhtml layer (slightly random location)
with a full keyboard to pop up below the username/password fields so
that users can type their password in by clicking the "keys" with their
mouse. Implemented correctly this would work transparently with both
horde and any mail server / directory horde authenticates off. Beyond a
little creative DHTML, it shouldn't be too complex to implement either.
Lee
On Jul 6, 2004, at 7:19 PM, Jon Poland wrote:
> Hi,
>
> One thing I've always hated about webmail is I tend to check it from
> machines I don't trust. You walk into a webcafe in Mexico, the computers
> are wide open and allow any software to be installed. But you need to
> check email to get some info, do you take your chances with keyboard
> sniffers and such?
>
> How about this: augment the login screen with a click based PIN. I've
> attached a screenshot. Proper login requires both a password and proper
> PIN. The location and size of the buttons is random (to defeat mouse
> capture devices), but always in the same order (to not annoy the user).
>
> I applied this against IMP 3.2 and am trying to gauge interest. I'd be
> happy to provide a tar of my dir, or possibly diffs. It needs more work,
> but is fully implemented (users can change their PIN via the web).
>
> - JP
> <ss.png>
> --
> IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
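
The layout logic described in the quoted proposal (buttons in a fixed order, random in position and size), written out as an added example; it is not Jon Poland's IMP 3.2 code or anything from Horde. The function names, the 5-column grid, the pixel ranges, and the design where the browser submits only click coordinates while the server keeps the layout in the session are all assumptions.

```javascript
// Added illustration; makeLayout, resolveClicks and secureRandomInt are hypothetical names.

// Uniform integer in [0, n) from the platform CSPRNG (Web Crypto).
function secureRandomInt(n) {
  const limit = Math.floor(0x100000000 / n) * n; // rejection bound, avoids modulo bias
  const buf = new Uint32Array(1);
  do {
    globalThis.crypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Build buttons "0".."9" in fixed reading order (so the user is not annoyed),
// each with a random size and a random offset inside its own grid cell
// (so the same PIN produces different click coordinates on every login).
function makeLayout(randInt = secureRandomInt, cols = 5, cell = 80) {
  const layout = [];
  for (let d = 0; d < 10; d++) {
    const w = 30 + randInt(cell - 40); // width  30 .. cell-11
    const h = 30 + randInt(cell - 40); // height 30 .. cell-11
    const x = (d % cols) * cell + randInt(cell - w);
    const y = Math.floor(d / cols) * cell + randInt(cell - h);
    layout.push({ digit: String(d), x, y, w, h });
  }
  return layout; // assumed to be stored server-side and used for one attempt only
}

// Map submitted click coordinates back to digits using the stored layout.
// Any click that misses every button rejects the whole attempt.
function resolveClicks(layout, clicks) {
  let pin = "";
  for (const { x, y } of clicks) {
    const hit = layout.find(
      (b) => x >= b.x && x < b.x + b.w && y >= b.y && y < b.y + b.h
    );
    if (!hit) return null;
    pin += hit.digit;
  }
  return pin;
}
```

Because each button stays inside its own cell, the coarse region of a click still identifies the digit; shrinking the buttons relative to the cell or shifting the whole pad per login widens the variation.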