
I have an interesting use case where users need to authenticate to applications running in environments that might not have internet access or even access to an authentication server. Administrators need to be able to grant and revoke access to individual users without direct access to the application. The admins would rather not maintain and operate the solution though. Does any authentication provider or service exist that can do the trick?

I have already explored OCRA services such as Protectimus and Gemalto, and also RSA SecurID, but to verify challenge responses they all seem to require that the application call their servers.

Another possibility is to use an OpenID Connect provider such that a user logs in via her mobile device, gets an ID token, and copies it into the application. However, the application still needs to have up-to-date signing keys or the client secret. More critically, the user might not have a practical way to copy the token into the app, as the token can be long.

More Info

If it helps clarify the reason for these requirements:

  • The users are support personnel from my company.
  • The application runs in its own VM in another company's internal network.
  • At this time, the app and VM are "closed". Only my company's support team are allowed to log in to its support account -- not the customer.
  • 2
    I would change your design or your expectations. What are you trying to protect with this scheme? Revoke access from a disconnected device? Does it need to be instant? There are lots to be learned from the models used pre-internet. Have you thought about a self-locking app that requires a weekly/monthly key? – schroeder Oct 13 '17 at 22:13
  • 2
    i believe the question will get more attention if you tell us more about the application as if it is running standalone or built on a n-tier architecture. – elsadek Oct 13 '17 at 22:16
  • Revoking access does not need to be instantaneous. Requiring periodic activation is an interesting idea but it would be pretty annoying for everyone. – Raul Santelices Oct 16 '17 at 13:47

1 Answer


All security solutions will need to call a service of some kind since you need separation between the application and the security provider.

However, that doesn't mean they have to be on different physical servers and certainly not that they have to be on the Internet. If you have no network at all, your users won't be able to access the server so I'm assuming you have a local network with no Internet.

With only a single server, your options are limited and security will be limited too. The best option in this case will be a hardware security store. The security is offloaded to the hardware which ideally both stores keys and does the authentication processing.

Otherwise, local key servers will provide some measure of security but, of course, when active, they are susceptible to memory attacks.

Moving to multiple physical or logical servers is better, especially if the security server is isolated on its own secure network, since that reduces the attack surface.

All depends on the value of your data and the risk appetite you have.

Julian Knight
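The question says the OCRA products it looked at need the application to call their servers to verify a response, and the answer replies that the "service" only has to be separated from the application, not remote. The example below is added here to show what that looks like in code; it is not code from the question, the answer, or any of the vendors named above. It assumes the disconnected VM holds a per-user HMAC seed in a local store (the answer's "local key server" or "hardware security store" would hold the same seeds) and that the support engineer computes the response on a phone or token that shares that seed. The challenge/response construction follows the shape of the RFC 6287 OCRA-1:HOTP-SHA1-6:QN08 suite (HMAC-SHA1 over the suite string, a zero byte and a 128-byte challenge field, then HOTP dynamic truncation to 6 digits); the challenge encoding mirrors the RFC's reference implementation, but that mapping, the `OfflineAuthenticator` class, its method names and the revocation-list mechanism are this example's own choices. Revocation is modelled as a list the admins push whenever they next reach the VM, which matches the comment that revocation need not be instantaneous.

```python
"""Offline OCRA-style challenge/response verification (added example, not from the original post)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Suite string in the style of RFC 6287 "OCRA-1:HOTP-SHA1-6:QN08":
# HMAC-SHA1, 6-digit response, 8-digit numeric challenge, no counter/time/PIN.
SUITE = b"OCRA-1:HOTP-SHA1-6:QN08"
DIGITS = 6
CHALLENGE_DIGITS = 8


def _encode_challenge(challenge: str) -> bytes:
    """Numeric challenge -> 128-byte field: hex of the decimal value, left-aligned and
    zero-padded on the right (the encoding used by the RFC 6287 reference code; assumption)."""
    if not (challenge.isdigit() and len(challenge) == CHALLENGE_DIGITS):
        raise ValueError("challenge must be 8 decimal digits")
    hex_q = format(int(challenge), "X").ljust(256, "0")   # 256 hex chars = 128 bytes
    return bytes.fromhex(hex_q)


def ocra_response(secret: bytes, challenge: str) -> str:
    """Compute the 6-digit response. Runs on the user's token/phone AND inside the app:
    no server is involved, only the shared per-user seed."""
    msg = SUITE + b"\x00" + _encode_challenge(challenge)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # HOTP dynamic truncation (RFC 4226)
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % 10**DIGITS
    return f"{code:0{DIGITS}d}"


class OfflineAuthenticator:
    """Verifier that lives inside the disconnected app. It needs a local seed store
    (ideally backed by a TPM/HSM) and a revocation list; nothing on the network."""

    def __init__(self, user_secrets: dict[str, bytes], revoked: set[str] | None = None):
        self._secrets = dict(user_secrets)          # provisioned at deployment time
        self._revoked = set(revoked or ())
        self._pending: dict[str, str] = {}          # user -> outstanding single-use challenge

    def new_challenge(self, user: str) -> str:
        """Issue a fresh random 8-digit challenge the user types into their token."""
        if user not in self._secrets or user in self._revoked:
            raise PermissionError(f"unknown or revoked user: {user}")
        challenge = f"{secrets.randbelow(10**CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        """One attempt per challenge: the pending entry is consumed whether or not it matches,
        so a captured response cannot be replayed."""
        challenge = self._pending.pop(user, None)
        if challenge is None or user in self._revoked:
            return False
        expected = ocra_response(self._secrets[user], challenge)
        return hmac.compare_digest(expected, response)

    def apply_revocation_list(self, revoked: set[str]) -> None:
        """Admins push this whenever they next have a maintenance window on the VM.
        Revocation therefore lags, which the question's author said is acceptable."""
        self._revoked = set(revoked)


def demo() -> dict[str, bool]:
    """Walk through a login, a replay, a wrong seed and a revocation. Seeds are constructed
    sample values for this example only."""
    alice_seed = bytes.fromhex("3132333435363738393031323334353637383930")
    auth = OfflineAuthenticator({"alice": alice_seed})

    challenge = auth.new_challenge("alice")
    response = ocra_response(alice_seed, challenge)        # computed on Alice's phone
    results = {"login": auth.verify("alice", response)}
    results["replay_rejected"] = not auth.verify("alice", response)

    challenge = auth.new_challenge("alice")
    results["wrong_seed_rejected"] = not auth.verify("alice", ocra_response(b"not-alice", challenge))

    auth.apply_revocation_list({"alice"})
    try:
        auth.new_challenge("alice")
        results["revoked"] = False
    except PermissionError:
        results["revoked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The seed store is the part the admins have to own: each support engineer's seed is provisioned to the VM once, at deployment, and the only ongoing maintenance is the revocation list. Because the verifier consumes the pending challenge on the first attempt, an attacker who shoulder-surfs a six-digit response gets nothing they can reuse; the trade-off is that a mistyped response costs the user a new challenge.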