<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>PHPDeveloper.org</title>
    <link>http://www.phpdeveloper.org</link>
    <description>Up-to-the Minute PHP News, views and community</description>
    <language>en-us</language>
    <pubDate>Thu, 23 May 2013 21:20:53 -0500</pubDate>
    <ttl>30</ttl>
    <item>
      <title><![CDATA[Liip Blog: 2-step verification with Google Authenticator and PHP]]></title>
      <guid>http://www.phpdeveloper.org/news/18335</guid>
      <link>http://www.phpdeveloper.org/news/18335</link>
      <description><![CDATA[<p>
With the recent focus on security (caused by some major issues with large companies) Google has responded by reinforcing their 2-Factor Authentication method. Thankfully, there's a way you can implement that functionality in your applications too using the information in <a href="http://blog.liip.ch/archive/2011/08/29/2-step-verification-with-google-authenticator-and-php.html">this tutorial</a> (note: the date of posting is older, but it's definitely relevant now).
</p>
<blockquote>
Many large web services nowadays support 2-step verification to enhance the security for their users. [...] The main point about 2-step verification is that something else than your computer provides that token. If it's on your computer and that one gets stolen (or hacked into), it won't help much for the additional security. That's why you need a second device for those tokens.
</blockquote>
<p>
They link to <a href="https://github.com/chregu/GoogleAuthenticator.php">this library</a> that can help you implement something similar to Google's <a href="http://code.google.com/p/google-authenticator/">Authenticator</a> tool for your application.
</p>]]></description>
      <pubDate>Wed, 08 Aug 2012 13:12:01 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Artur Ejsmont's Blog: How to properly secure remote API calls over SSL from PHP code]]></title>
      <guid>http://www.phpdeveloper.org/news/16877</guid>
      <link>http://www.phpdeveloper.org/news/16877</link>
      <description><![CDATA[<p>
<i>Artur Ejsmont</i> has a new post with a passionate call to arms for anyone who thinks that just because their URL has "https" in it, it's secure. He presents his suggestion on <a href="http://artur.ejsmont.org/blog/content/how-to-properly-secure-remote-api-calls-from-php-application">how to properly secure SSL API calls</a> for your PHP application.
</p>
<blockquote>
Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but I am enraged by how popular this issue is online. If you ask why, I suggest a little experiment [involving changing your hosts file and using a self-signed certificate].
</blockquote>
<p>
The issue he spotlights is all too common - a script connects to an HTTPS endpoint but never actually verifies the certificate it receives. He shows an example of how some scripts handle this by setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to turn off verification - a very bad idea. To protect yourself from any kind of man-in-the-middle or DNS hijack issues, you should leave these on.
</p>]]></description>
      <pubDate>Mon, 19 Sep 2011 13:56:00 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Liip Blog: 2-Step Verification with Google Authenticator and PHP]]></title>
      <guid>http://www.phpdeveloper.org/news/16795</guid>
      <link>http://www.phpdeveloper.org/news/16795</link>
      <description><![CDATA[<p>
On the Liip blog there's <a href="http://blog.liip.ch/archive/2011/08/29/2-step-verification-with-google-authenticator-and-php.html">a recent post</a> talking about a tool Google offers to help you authenticate your users, a one-time passcode generator called <a href="http://code.google.com/p/google-authenticator/">Google Authenticator</a>. The post talks about a PHP port of the same idea.
</p>
<blockquote>
The main point about 2-step verification is that something other than your computer provides that token. If it's on your computer and that one gets stolen (or hacked into), it won't help much for the additional security. That's why you need a second device for those tokens. Some banks do that with SMS/text messages (Facebook, too), others give you special devices for that (e.g. RSA keys) and the last group does it with your smartphone.
</blockquote>
<p>
At the request of a client, they created a tool that did just this, but for PHP. As a result, they created the <a href="https://github.com/chregu/GoogleAuthenticator.php">GoogleAuthenticator</a> library that makes it easy to implement in your application. There's even <a href="https://github.com/chregu/GoogleAuthenticator.php/tree/master/web">an example</a> of it in use. For more information about the Google Authenticator tool, see <a href="http://code.google.com/p/google-authenticator/">this page on Google Code</a>.
</p>]]></description>
      <pubDate>Wed, 31 Aug 2011 09:53:05 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Abhinav Singh's Blog: How to add content verification using hmac in PHP]]></title>
      <guid>http://www.phpdeveloper.org/news/13639</guid>
      <link>http://www.phpdeveloper.org/news/13639</link>
      <description><![CDATA[<p>
If you've ever wanted an easy "drop in" kind of solution for helping to protect a portion of your site, you should check out <a href="http://abhinavsingh.com/blog/2009/12/how-to-add-content-verification-using-hmac-in-php/">this new post</a> from <i>Abhinav Singh</i> about using the <a href="http://php.net/manual/en/function.hash-hmac.php">hash_hmac</a> functionality to do just that.
</p>
<blockquote>
Many times a requirement arises where we are supposed to expose an API for intended users, who can use these API endpoints to GET/POST data on our servers. But how do we verify that only the intended users are using these APIs and not any hacker or attacker? In this blog post, I will show you the most elegant way of adding content verification using <a href="http://php.net/manual/en/function.hash-hmac.php">hash_hmac</a> (Hash-based Message Authentication Code) in PHP. This will allow us to restrict possible misuse of our API by simply issuing an API key for intended users.
</blockquote>
<p>
You set up a private and public key for each of the users wanting to connect to the resource. They can then use the HMAC functionality to send those over to the requesting page as a part of the message (GET/POST), where the public key is used to check the validity of the request and either allow or deny it.
</p>]]></description>
      <pubDate>Tue, 08 Dec 2009 10:39:24 -0600</pubDate>
    </item>
    <item>
      <title><![CDATA[NETTUTS.com: How to Implement Email Verification for New Members]]></title>
      <guid>http://www.phpdeveloper.org/news/12536</guid>
      <link>http://www.phpdeveloper.org/news/12536</link>
      <description><![CDATA[<p>
On the NETTUTS.com site, a <a href="http://net.tutsplus.com/tutorials/php/how-to-implement-email-verification-for-new-members/">new tutorial</a> has been posted about implementing a system to validate new members/signups for your site via their email.
</p>
<blockquote>
Have you ever created an account with a website, and were required to check your email and click through a verification link sent by the company in order to activate it? Doing so highly reduces the number of spam accounts. In this lesson, we'll learn how to do this very thing!
</blockquote>
<p>
The system takes a user's information via the signup page (username and email address), does some checking on the input, inserts the information into a backend MySQL database and sends a validation email to the user's address. The email contains a custom link the user then clicks on that confirms them as a validated account.
</p>]]></description>
      <pubDate>Tue, 19 May 2009 09:32:43 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Utah PHP Users Group: PHP-CAPTCHA]]></title>
      <guid>http://www.phpdeveloper.org/news/5783</guid>
      <link>http://www.phpdeveloper.org/news/5783</link>
      <description><![CDATA[<p>
On the Utah PHP Users Group website today, there's a <a href="http://uphpu.org/article.php?story=20060712222623101">quick new tutorial</a> concerning the creation of a CAPTCHA image for your site (using the GD functionality in PHP).
</p>
<blockquote>
The following article includes code and examples on how to prevent bots from taking part in online polls, registering for free email accounts, more recently, preventing bot-generated spam by requiring that the (unrecognized) sender pass a CAPTCHA test before the email message is delivered [implemented in Yahoo]. They have also been used to prevent people from using bots to assist with massive downloading of content from multimedia websites.
</blockquote>
<p>
First, they <a href="http://uphpu.org/article.php?story=20060712222623101">create the form</a> the entire example centers around before even looking at the code. With that laid down and explained, they get into the image creation and addition of the string to make the "humans only" image. Finally, they show how to check the word entered for the CAPTCHA verification against a session variable to see if they're a match.
</p>]]></description>
      <pubDate>Thu, 13 Jul 2006 05:34:24 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Nick Silvestro's Blog: Verification is a Wonderful Thing]]></title>
      <guid>http://www.phpdeveloper.org/news/5666</guid>
      <link>http://www.phpdeveloper.org/news/5666</link>
      <description><![CDATA[<p>
In the neverending battle against spam comment posts on websites (or just bots in general), CAPTCHA has become one of the favored tools to make things "humans only". There are libraries out there that can help you drop it right into your page, but if you want to really know how it all works, you might check out <a href="http://www.ennkayohh.net/blog/archive/2006/06/23/verification_is_a_wonderful_thing.html">this new tutorial</a> from <i>Nick Silvestro</i>'s blog.
</p>
<blockquote>
<p>
So, as said, I've needed to whip together a user registration system, where the user can simply and easily hop onto a page, fill in a couple of text fields, hit submit and they've got an account, all set up and ready to go. A lot of this was simplified by the database design of the system, but I guess I can cover that in another article.
</p>
<p>
One of the problems with creating a non-administrated user registration system is verification. I really really don't want bots or anything other than a person that actually wants it registering accounts. It creates unwanted nuisances and erroneous data that I could really live without.
</p>
</blockquote>
<p>
He <a href="http://www.ennkayohh.net/blog/archive/2006/06/23/verification_is_a_wonderful_thing.html">touches on</a> two methods for preventing these nuisances - verification emails and CAPTCHAs. Obviously, he opts to go with the latter, and, before even starting, outlines his requirements. He leads you along, step by step, through code and explanations to help create a small CAPTCHA image with the help of the GD library. In the end, you'll have an image with plenty of background noise to fool bots, but clear enough for a human to read. The full code for the script is posted <a href="http://www.ennkayohh.net/blog/archive/2006/06/23/verification_is_a_wonderful_thing.html">at the end</a>.
</p>]]></description>
      <pubDate>Fri, 23 Jun 2006 06:39:48 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[PHPBuilder.com: Visual Verification in PHP]]></title>
      <guid>http://www.phpdeveloper.org/news/4926</guid>
      <link>http://www.phpdeveloper.org/news/4926</link>
      <description><![CDATA[<p>
In <a href="http://www.phpbuilder.com/columns/patterson20060301.php3">this article</a> from PHPBuilder.com they take a look at how to integrate a "visual verification" system into your web forms to prevent spammers (CAPTCHA).
</p>
<blockquote>
<p>
Many topics on the <a href="http://www.phpbuilder.com/forum/">discussion forums</a> deal with the verification of form data. Often it is checked to determine whether or not the submission is from a user or from a "bot", if the email address entered is a valid address, or if all the information that is required has been entered into the form.
</p>
<p>
While it's fairly easy to check to see if a form field is empty, determining if the posted information came from a real human is another task altogether. Most forms now include image verification for just this reason. This article will demonstrate how to create a simplified image verification system.
</p>
</blockquote>
<p>
They <a href="http://www.phpbuilder.com/columns/patterson20060301.php3">walk you through the code</a>, explaining each step of the way. They start with the creation of a random string, background, and font color for the CAPTCHA image to use. It's flexible enough to make either a string or just a word, too. Once the string is made, they set up the image to be written to and push each letter into it, rotating it to make it that much more difficult for scripts to try to understand its contents.
</p>]]></description>
      <pubDate>Fri, 03 Mar 2006 06:46:42 -0600</pubDate>
    </item>
  </channel>
</rss>
