Saturday, 8 June 2013

Authenticating users on offline devices such as iPad

We want to authenticate the user inside a webapp (JavaScript/HTML inside a browser) running on a tablet, but want to be able to do this when the device is offline from the network. I realise this isn't a super secure environment already, but I don't want to make it less secure by a poor authentication method.
The environment is a web app that runs on iPads inside a corporate network. Users take and share iPads (that's ok) but we need to authenticate that the current user of the webapp is valid, blocking random people/staff that might pick up the device. Network connectivity is not 100% and this cannot be readily improved. Our aim is more validation for audit purposes than security control; we need to show that user X performed the action on the iPad.
Authenticating when we are on the network is easy: send a packet to the server and get a yes/no response. However, if we are offline we cannot do that. I could download all users and password hashes to the iPad, but this seems like a bad idea - I've just exported the password file, this just feels wrong.
The next idea was separate online and offline passwords, but that seems too hard for users. We also considered trusting the login and deferring validation until we are back online, but that has business/application issues. Currently, we're going with normal passwords for the main app as normal, but using a visual password on iPads, basically two passwords but presented differently so users don't perceive it to be the same. Having two passwords means we can have different policies, controls and audits.
Are there any better ways of doing this?
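
As an added illustration (not code from the original post), here is a sketch of the separate offline credential the post describes: a per-device verifier that is independent of the main password, with its own lockout policy and an audit queue that is uploaded once the network returns. Every name, the PBKDF2 parameters and the lockout limit are assumptions, the visual password is assumed to be serialised to a string, and Node's `crypto` module stands in for the browser's Web Crypto API so the sketch runs as written.

```javascript
// Added example: all names, limits and parameters below are assumptions.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 210000;  // assumed PBKDF2-HMAC-SHA256 work factor
const MAX_FAILURES = 5;     // assumed offline lockout policy
const store = new Map();    // userId -> verifier record held on the device
const auditQueue = [];      // events to upload when connectivity returns

function derive(secret, salt) {
  return nodeCrypto.pbkdf2Sync(secret, salt, ITERATIONS, 32, 'sha256');
}

// Called only after the server has accepted the user's normal login online,
// so the device holds verifiers just for people who have used this device.
function enrolOffline(userId, offlineSecret) {
  const salt = nodeCrypto.randomBytes(16); // unique per device and per user
  store.set(userId, { salt, verifier: derive(offlineSecret, salt), failures: 0 });
}

// Offline check: never touches the main password or its hash.
function verifyOffline(userId, offlineSecret, now = Date.now()) {
  const rec = store.get(userId);
  let result = 'unknown-user';
  if (rec && rec.failures >= MAX_FAILURES) {
    result = 'locked'; // stays locked until re-enrolled online
  } else if (rec) {
    const candidate = derive(offlineSecret, rec.salt);
    const ok = nodeCrypto.timingSafeEqual(candidate, rec.verifier);
    rec.failures = ok ? 0 : rec.failures + 1;
    result = ok ? 'ok' : 'bad-secret';
  }
  // Every attempt is recorded, including failures, for the later audit upload.
  auditQueue.push({ userId, result, at: now, offline: true });
  return result;
}

// When the network is back, hand the queued events to the server and clear them.
function drainAudit() {
  return auditQueue.splice(0, auditQueue.length);
}
```

The stored verifier can still be guessed offline by anyone who extracts it from the device, and the lockout counter is enforced only by client code, which is why the offline secret is kept distinct from the main application password.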
