SQRL / Google Authenticator Server Side code

Does anyone have library code to verify a login using Google Authenticator?

I had a look at the coding required and my head is starting to spin
https://www.codementor.io/slavko/google-two-step-authentication-otp-generation-du1082vho

I did a search on the CapeSoft site to see if it is included in CryptoNite or something, but either I’m looking for the wrong thing or it isn’t there. I need to protect medical information on a website and I’m worried that a username and password just isn’t good enough.

I’m also not competent enough to write the Clarion code for SQRL yet. https://www.grc.com/sqrl/sqrl.htm

Any suggestions?

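For anyone who wants to see what the server side of a Google Authenticator check actually involves before picking a library, here is a small RFC 6238 verifier. This is added example code, not code from the original post, Secwin, CryptoNite or Chilkat, and it is written in Python rather than Clarion so the steps are easy to follow and port; `RFC_SECRET_B32`, `hotp`, `totp` and `verify_totp` are names chosen for this example, and the secret is the constructed RFC 4226/6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890",
# base32-encoded the way Google Authenticator expects it in an otpauth:// URI.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def _decode_secret(secret_b32):
    # Authenticator apps usually show the secret unpadded and in spaced groups;
    # normalise before decoding.
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP as Google Authenticator generates it: 30 s steps, SHA-1, 6 digits."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32, submitted, last_counter, at=None, window=1, step=30):
    """Server-side check. Returns (accepted, counter_used).

    Accepts codes from +/- `window` steps to tolerate clock skew, compares in
    constant time, and rejects any counter <= last_counter so a code that was
    observed once cannot be replayed inside its 30 s window. The caller must
    persist the returned counter per user (it is the replay state).
    """
    submitted = submitted.strip().replace(" ", "")
    if not submitted.isdigit():
        return False, None
    at = time.time() if at is None else at
    now_counter = int(at // step)
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, None
```

The values asserted against this block are the published RFC 4226 and RFC 6238 test vectors (6-digit form), so the same secret and timestamps can be used to check a Clarion port.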

Hi Donn,

so I should prefix this by saying that I dislike talking about projects before they ship because all sorts of things can interfere with timelines and features.

However it’s not a secret that I’ve been working on a massive Secwin update this year (Secwin 7) which I’m hoping will get to release stage sometime over this (our) summer. My goal was to ship before the end of the year, but that looks optimistic, so maybe Jan or Feb next year.

You are right to be concerned. We live in an age when data protection is important, and we need to think about things like this. There are many parts to protecting the data (the MyTable release this coming Friday is part of it) and logins are an important part of the equation.

I’ve already written the new login functionality for Secwin, so I feel comfortable discussing this part.

Logins are complicated because they balance convenience with security. If the security is too inconvenient then people can’t (or won’t) use the program. Too convenient though and the data is not secure. The balance will change from one customer to another. For example some password policies, in common use, have been shown to reduce security not increase it. But some customers insist on these policies, so you have to be able to enforce them “on demand”. I’ve come to realise that this is a customer policy not a developer policy so it’s important for the program to “support everything” and thus let the customer decide which policies they want.

Second (and Third) factor authentication is part of this. I’ve already coded support for SMS and Email second factor authentication, but not yet Google Authenticator. However I’ve designed it to be extensible specifically to allow the adding of something like this (and I suspect it will be added before, or after, Secwin 7 is released.)

But second factor is more than just “implement xxx authentication”. It’s also about when to do it. First time on a new machine? Once a month? Every time? and so on. Should you allow via Email? via SMS? both? Either? So like with logins there are a lot of possible policies here too.

In addition to this I’ve also added support for Active Directory logins (with or without using the Windows user name), salted-hashed passwords, and a bunch of other login possibilities. It took 5 weeks of solid work, just to do the login screen because there are a lot of parts that had to come together to make it all work easily.

This is just the tip of the Secwin iceberg - there are a lot of other things coming that will appeal to old Secwin, and non-Secwin users. Security has to be done right - it’s something I take very seriously and is obviously very important to both Desktop and Web apps. Hopefully I’ll get to a shipping point before too much longer.

cheers
Bruce


Thanks for sharing. What a relief!
I will insist on long passwords (we will use LastPass to generate and store random passwords) and I’m sure this will be enough until Secwin 7 ships. If you can add support for SQRL at a later date that will be even better.

Hi Donn,

The Chilkat Comms library includes support for Google Authentication and of course our Clarion Wrapper templates covers this too.

In fact, some of our task classes (built into the wrapper template) use the Google Auth class to provide support for Google services like Calendar, Task, Docs etc.

A link to the Google Auth chilkat class is here - https://www.chilkatsoft.com/refdoc/goLang_AuthGoogle_Ref.html

Plus a demo of our example app in action is available here - https://noyantis.com/store/index.php?rt=product/product&path=76&product_id=141

Any questions, please feel free to ask 🙂 or, drop in on our weekly usergroup webinar and I’ll walk you through some of the capabilities of the class.

Thanks,

Andy


Thanks Andy. Can I assume that the wrapper will work on the backend of a NetTalk web application?

I believe it does.

We have customers who are using parts of it (the QuickBooks Online task class) within a NetTalk server.
They use the control and our class to connect and query QBO, then present the data within the NetTalk server pages. The user can then update via server pages etc. and our class performs the QBO updates from the page contents.

Regards,

Andy


We’ve also done work where we use the same approach (but using the PaySimple task class) within a Clarion H5 server.

Exact same approach, just using the power of the Chilkat class on the backend and presenting the results on pages to the end user 🙂

Just to keep singing my song (and to throw this thread to a tangent), Bruce…

Maybe Secwin and its integration with NetTalk will be the ideal time to look at the challenge authentication scenario I asked about on NetTalk Central last year:

http://www.nettalkcentral.com/forum/index.php?topic=7871.0

Cheers,

Jane