Security Beyond a Username/Password?

Question

I have a webapp that requires security beyond that of a normal web application. When any user visits the domain name, they are presented with two text fields, a username field, and a password field. If they enter a valid user/pass, they get access to the web application. Standard stuff.

However, I'm looking for additional security beyond this standard setup. Ideally it would be a software solution, but I'm also open for hardware solution as well (hardware=key fobs), or even procedural changes (one time use passwords on a password pad for example).

The webapp is unique in that we know all our users ahead of time, and we create their username and password and give it to them. In this sense, we can be assured that the username and password are "strong".

However, our clients have requested additional security beyond this. Anyone have any ideas on how to add another layer of complexity to the security?

Answer 1

Our company used PhoneFactor and we absolutely love it.

We've also used Safeword Tokens in the past.

However, it's notthe only game in the book. I'd start by googling "Two factor authentication"

The OWASP guide to authentication is another good place to start. Actually, OWASP is the first place I'd look for ANY web security question.