HP OpenVMS Systems

ask the wizard

Extending User Password Authentication?


The Question is:

Is there a way to prompt a user logging on for the first time with a question
as another level of authentication? If the question were not answered
correctly login would not be allowed?
PS your site is great

The Answer is:

  Please first read and understand (4612) and (5333), the former for
  the discussion of passwords and the latter for discussion of secondary

  The user has already authenticated themselves to OpenVMS, to the
  limits of the default password-based authentication mechanism.
  Put another way, why is the first login any different from any
  subsequent login?

  You are potentially publishing an algorithm-based scheme that will
  allow an arbitrary user to determine a pre-generated password for
  a particular username.  This approach is not recommended, for reasons
  that you are well aware: there is no particular authentication here,
  as a nefarious-minded user can often easily determine the password
  of another user.  If you must generate passwords for users, the
  OpenVMS Wizard would use and would assume the verification would
  occur at the time of the password generation, possibly via CGI
  scripts operating via a webserver.  Topics (558), (1165), (1284),
  (1990), (2912), (3700) and others may be of interest here.  The
  OpenVMS Wizard will assume a secure LAN, or an encrypted datalink
  between the webbrowser and the webserver; a level of trust and of
  encryption must be assumed, lest the password be unintentionally

  Password- and authentication-related topics particularly include
  (4612), and also (1461), (1475), (1645), (2938), (3233), (3883),
  (4303), (4778), (5333), (5508), (6328), and (7818).  Among others.

  As for adding prompts into SYLOGIN, please see topics (1147), (2021),
  (2328), (2515), (3925), etc.  Please realize that you are now writing
  security-relevant code here, and your code can and potentially will
  become an obvious target for security attacks.  (If you choose to use
  SYLOGIN, security based on DCL can be difficult to protect against even
  casual examination, as well -- assuming that the user is not always
  CAPTIVE, that is.)

  The OpenVMS Wizard would also configure a pre-expired password, as
  this would force the password to be changed.  A related discussion
  of a one-shot login mechanism is discussed in topic (6874).

  If you wish to add to the authentication provided by OpenVMS, please
  see the LGI callout mechanism.

answer written or last revised on ( 5-FEB-2003 )
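
The answer's warning about algorithm-based initial passwords, shown as an added example in Python that is not part of the original answer or of OpenVMS. The derivation in `derived_password`, the alphabet, the lengths and the usernames are all hypothetical and constructed for illustration.

```python
import hashlib
import math
import secrets
import string

# Assumption: restrict the alphabet to uppercase letters and digits.
ALPHABET = string.ascii_uppercase + string.digits


def derived_password(username: str, length: int = 10) -> str:
    """Hypothetical algorithm-based scheme: the password is a pure function
    of the username, so anyone who learns the algorithm can recompute it."""
    digest = hashlib.sha256(username.upper().encode("ascii")).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def random_password(length: int = 12) -> str:
    """Initial password drawn from the OS CSPRNG, independent of the username."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random password of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def provision(usernames):
    """Return {username: initial password}. Each password is meant to be
    configured pre-expired so the user must replace it at first login."""
    return {name: random_password() for name in usernames}


if __name__ == "__main__":
    users = ["SMITH", "JONES"]  # constructed sample usernames
    for u in users:
        # Any other user can run the same function and obtain the same value.
        print(u, "derived:", derived_password(u), "(reproducible by anyone)")
    for u, pw in provision(users).items():
        bits = entropy_bits(len(pw))
        print(u, "random: ", pw, f"(~{bits:.0f} bits, set pre-expired)")
```

The derived value carries no secret at all once the algorithm is known, which is why the random value still has to reach the user over a trusted channel and be changed at first login.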
