2-Factor Authentication for SensorWeb

Posted by Patrice Cappelaere Tue, 29 Dec 2009 03:48:00 GMT

Securing transactional RESTful OGC Web Services is a challenge, but it can be done using a hybrid OpenID/OAuth protocol (see the OGC OWS-6 interoperability demonstration).

To increase the security assurance level beyond level-1, you need to use more than one authentication factor, such as something you know (a password) and something you have (a key fob). Our OpenID server is currently being upgraded to support Verisign Identity Protection (VIP) and VIP Access using Mobile Credentials (free for end users).

If you register a credential in your profile, a security code can now be used in addition to a password to gain access to the SensorWeb services. A security code can also be used to delegate user authority to consumer applications, such as workflows, so that they can access services on your behalf. Credentials will become mandatory to gain access to satellites and UAV tasking requests over the web. There will still be an air gap between users and assets but, at least, user identity will be known with very high confidence.

Our goal is to demonstrate that it can be done simply, cheaply and RESTfully.

