How do I set up Mutual HTTPS Authentication?

Mutual HTTPS Authentication can add a lot of security to your two-factor authentication setup by thwarting most network-based MiTM attacks.  Here are some things to consider:

  • You must decide to implement mutual https authentication before rolling out tokens to your users.
  • It is only used for SSL-based websites and SSL-VPNs where the browser is used.
  • When you add an HTTPS URL in the Registered URL box on the domain configuration page, the server grabs the cert, hashes it and stores it.  Any token registered AFTER this will fetch the cert over the user's connection, hash it and compare it to the hash delivered with the OTP.  If they don't match, an error is thrown. If they do, the OTP is presented and the browser is launched to the Registered URL.
  • If you change the URL on the domain page, you have to re-register all the tokens!
  • If a user is getting an error, there is a possibility of a MiTM attack.
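
The check described above, sketched in Python as an added example (not the product's own code). The function names, the choice of SHA-256, the sample OTP and the stand-in certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl
from urllib.parse import urlsplit

def cert_hash(der_cert: bytes) -> str:
    # Hash of the DER-encoded certificate (SHA-256 is an assumption).
    return hashlib.sha256(der_cert).hexdigest()

def fetch_cert_der(registered_url: str, timeout: float = 5.0) -> bytes:
    # Fetch the certificate the site presents on THIS network path.
    parts = urlsplit(registered_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Registered URL must be an https URL")
    ctx = ssl.create_default_context()  # normal chain validation stays on
    addr = (parts.hostname, parts.port or 443)
    with socket.create_connection(addr, timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            return tls.getpeercert(binary_form=True)

def release_otp(stored_hash: str, observed_der: bytes, otp: str) -> str:
    # Token side: present the OTP only if the certificate seen over the
    # user's connection matches the hash delivered with the OTP.
    if not hmac.compare_digest(cert_hash(observed_der), stored_hash):
        raise PermissionError("certificate hash mismatch: possible MiTM")
    return otp

# Constructed stand-ins for DER certificates so the demo runs offline.
SITE_CERT = b"constructed-der-bytes-of-registered-site"
PROXY_CERT = b"constructed-der-bytes-of-intercepting-proxy"

def demo():
    # Server side: hash stored when the Registered URL is saved.
    stored = cert_hash(SITE_CERT)
    # Direct connection: hashes match, OTP is presented.
    presented = release_otp(stored, SITE_CERT, "123456")
    # Intercepted connection: a different certificate is observed.
    try:
        release_otp(stored, PROXY_CERT, "123456")
        blocked = False
    except PermissionError:
        blocked = True
    return presented, blocked

if __name__ == "__main__":
    print(demo())
```

In a live check the second argument to `release_otp` would come from `fetch_cert_der(registered_url)`, so a certificate swapped in anywhere on the user's path changes the hash and the OTP is withheld.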