Open source SOAP authentication module
The SMSAuthenticator is now open source and availiable for download. The module is developed by Norwegian Centre for Telemedicine as part of the project PasientLink (PatientLink).The SMSAuthenticator was originally developed to support secure communication between patients and the health care sector without requiring patients to obtain additional hardware. Since the module is run as a web-service, using SOAP to communicate with other software systems, it can be used in a wide range of applications where cost-effective and secure authentification is required.
SMSAuthenticator is an authentication module for situations where "username and password"-login provide insufficient security. The additional security is achieved by sending keys (single-use passwords) by SMS to the user's mobile phone. SMSAuthenticator solves some of the main problems with ordinary passwords (for instance password guessing and password sniffing) without requiring special hardware on the user's side.
The SMSAuthenticator implements a two-factor authentication process. In the first phase, the authenticator receives application generated requests for authentication of a specified user. When the request is received, a single-use password is generated and sent using GSM Short Messaging Service to a GSM cell phone registered on the specified user. The single-use password has a configurable timeout (default 5 minutes).
In the second phase of the authentication process, a request is made specifying the user id and a hash of the single-use password. If the specified password is valid, the user will be authenticated i.e. a boolean true value will be returned in the SOAP call.
The single-use passwords are generated using a secure random generator (using the SHA1PRNG-algorithm), and are held in-memory only, for a limited period of time. As soon as an authentication request has been completed, the single-use password is disposed of. User passwords may be generated when creating users, and are in accordance to FIPS PUB 181 (code is based on GPW).
The SMSAuthenticator has an easy to use web based administration interface, which can be configured to use the SMSAthenticator itself to ensure secure administration access. The module logs all activity, and can be configured to send logs to both the syslog and to the windows logging facility, or just to a plain file.
The SMSAuthenticator is java-based, and requires a java runtime environment (J2SE 1.2 or higher). It also requires a database with JDBC support (tested with PostgreSQL). It uses the following libraries:
- Apache SOAP - server-side infrastructure for deploying SOAP service
- gsmlib - for supporting a wide variety of GSM devices (both cell phones and standalone GSM modems)
- Log4J - logging
- Velocity - administration interface
- GPW - for generating pronouncable passwords
SMSAuthenticator has been tested on the following platforms: FreeBSD 4.5, Windows 2000 and Windows XP. It should run on any platform capable of running Java and the required libraries.
The authenticator is released under a BSD-license, and is availiable in .zip-format and .tar.gz-format. The archive includes installation instructions in the README-file and a WSDL-file describing the service.
PasientLink is a project by the Norwegian Centre for Telemedicine. The project is creating a secure infrastructure for communicating sensitive information between the Internet and a secure sone. The infrastructure consists of several separate modules, all communicating using SOAP. Several other of these modules will shortly be released under an open source license.
For technical information regarding the SMSAuthenticator:
For more information about the project PasientLink