RSA token security

Does anyone have experience with implementing RSA token security in OutSystems?
 
Is this complex? What do you need?
 
Thanks.
Niek.
Hi Niek,

No experience on my part, but I'd say that it should be as complex as RSA makes it. This is because you should need to use the RSA SecurID Authentication Engine and a .NET or Java wrapper for it. On the OutSystems end, things should be very simple: all you'd need to do would be to create an extension that leverages the wrapper to validate user credentials and use it in the login flows instead of the built-in LoginPassword action.

The security token is needed just for login so everything else on your application could remain unchanged.

I don't know the specifics of RSA's approach, but there are lots of implementations of the standard TOTP and HOTP time-based one-time password algorithms.

Cheers,
Miguel
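
The post above mentions the standard TOTP and HOTP algorithms. As an added example (not code from this thread, from OutSystems or from RSA, and not SecurID's proprietary algorithm), this is the RFC 6238 check that a login-flow extension of the kind described could wrap. `TotpValidator`, `Verify` and `lastUsedStep` are hypothetical names, and the per-user shared secret is assumed to be stored server-side.

```csharp
using System;
using System.Security.Cryptography;

// Added example: RFC 6238 TOTP check (HMAC-SHA1, 30 s step, 6 digits).
// TotpValidator and its members are hypothetical names, not an OutSystems or RSA API.
public static class TotpValidator
{
    const int StepSeconds = 30;
    const int Digits = 6;

    // RFC 4226 HOTP value for one counter, zero-padded to six digits.
    public static string Hotp(byte[] secret, long counter)
    {
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg); // counter is hashed big-endian
        byte[] mac;
        using (var hmac = new HMACSHA1(secret)) mac = hmac.ComputeHash(msg);
        int o = mac[mac.Length - 1] & 0x0F; // dynamic truncation offset
        int bin = ((mac[o] & 0x7F) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3];
        return (bin % 1000000).ToString("D6");
    }

    // Accepts the code for the current step or +/- `window` steps (clock drift).
    // Returns the matched step so the caller can store it and reject replays; -1 on failure.
    public static long Verify(byte[] secret, string code, DateTime utcNow, long lastUsedStep, int window = 1)
    {
        if (code == null || code.Length != Digits) return -1;
        long unix = (long)(utcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        long step = unix / StepSeconds;
        long matched = -1;
        for (long s = step - window; s <= step + window; s++)
        {
            if (s <= lastUsedStep) continue; // this step's code was already consumed
            if (FixedTimeEquals(Hotp(secret, s), code)) matched = s;
        }
        return matched;
    }

    // Comparison whose duration does not depend on where the strings differ.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The login flow would call `Verify` after the password check, persist the returned step for the user, and apply its usual failed-attempt lockout when the result is -1.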
Hi!

I was asked by Davide Marquês to give some ideas here and I don't mind (although I'm not working with OutSystems anymore, so I apologize for any outdated information) :-)

At the time, what I needed was to create a key pair on my side. The problem is that the user running the OutSystems environment appeared to be an "abstract" user and, because of that, he didn't have any keystore associated. At the time I didn't need access to a keystore, but it looks like the .NET RSA implementation automatically tries to access the user keystore. My goal was to avoid that, since I don't even need it, and I got it by doing:

using System.Security.Cryptography;

CspParameters RSAParams = new CspParameters();
RSAParams.Flags = CspProviderFlags.UseMachineKeyStore; // this line does the trick: use the machine key store instead of the user's
RSACryptoServiceProvider sp = new RSACryptoServiceProvider(1024, RSAParams);

From that time on I was able to create the key pair.

I didn't integrate with any external server as it was out of scope, but I believe it won't be rocket science. However, it depends on how you want to do it... using USB tokens? An authentication card? If so, keep in mind that you may need to use a Java applet or ActiveX (Silverlight now) for that, as HTML/JS cannot access the computer's physical buses.
Thanks Miguel and Miguel! :)
Hi Guys,

Have you created any extension in the meantime? I would like to implement it as well...
If you have any additional suggestions about it, that would be great. I'm not so advanced at creating extensions, so please be patient :-)

Thanks

Simone