POSSIBILITY OF SETTING UP TWO-FACTOR VERIFICATION ON LOGIN FORM

adewale4favour

Registered User.
Hi, just a quick one, I actually thought about this and want to ask if this is a possibility, integrating a two-factor verification on MS Access Login Form.

I have an application with multiple users, sometimes, it is discovered that some users spy on others' User credentials and they use them privately to do some sort of unauthorized transactions.

I just want to know, if there is a way to figure out a verification from the owner of these credentials.

Thanks.
 

Gasman

Enthusiastic Amateur
Send an email with some random generated word/number and get the user to enter that into the form, then check they are the same?
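
Added example (not part of any poster's reply): one way to implement the e-mailed code check suggested above in VBA, using a cryptographically random 6-digit code, an expiry time and an attempt limit. The function names, the 5-minute lifetime and the 3-attempt limit are assumptions; the module needs VBA7 (Office 2010 or later), and sending the e-mail is left to the caller.

```vba
Option Compare Database
Option Explicit

' Added example, not code from the thread. Windows CNG random generator.
Private Declare PtrSafe Function BCryptGenRandom Lib "bcrypt.dll" ( _
    ByVal hAlgorithm As LongPtr, ByRef pbBuffer As Any, _
    ByVal cbBuffer As Long, ByVal dwFlags As Long) As Long
Private Const BCRYPT_USE_SYSTEM_PREFERRED_RNG As Long = 2

Private Const CODE_LIFETIME_MIN As Long = 5   ' assumed policy
Private Const MAX_ATTEMPTS As Long = 3        ' assumed policy

Private mCode As String, mExpires As Date, mAttempts As Long

' Creates a fresh code and returns it so the caller can e-mail it to the account owner.
Public Function IssueLoginCode() As String
    Dim b(0 To 2) As Byte, n As Long
    Do
        If BCryptGenRandom(0, b(0), 3, BCRYPT_USE_SYSTEM_PREFERRED_RNG) <> 0 Then
            Err.Raise vbObjectError + 1, , "Random generator failed"
        End If
        n = CLng(b(0)) * 65536 + CLng(b(1)) * 256 + b(2)   ' 0 .. 16777215
    Loop While n >= 16000000   ' drop the tail so n Mod 1000000 is unbiased
    mCode = Format$(n Mod 1000000, "000000")
    mExpires = DateAdd("n", CODE_LIFETIME_MIN, Now)
    mAttempts = 0
    IssueLoginCode = mCode
End Function

' True only for the current code, before it expires, within the attempt limit.
Public Function VerifyLoginCode(ByVal entered As String) As Boolean
    If Len(mCode) = 0 Then Exit Function      ' nothing issued, or already used
    If Now > mExpires Or mAttempts >= MAX_ATTEMPTS Then
        mCode = ""                            ' expired or locked: a new code is needed
        Exit Function
    End If
    mAttempts = mAttempts + 1
    If StrComp(Trim$(entered), mCode, vbBinaryCompare) = 0 Then
        mCode = ""                            ' single use
        VerifyLoginCode = True
    End If
End Function
```

The code and its counters live in the front end's memory, so the check only holds against users who cannot edit the front end or open the back-end tables directly.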
 

Uncle Gizmo

Nifty Access Guy
Staff member
> Send an email with some random generated word/number

I like!

You could easily bump it up to send an SMS message by using one of the email to SMS converter programs like trello? I recall using something like that in the distant past!
 

Gasman

Enthusiastic Amateur
Well I thought of a text, but not everyone might have a phone?
They would be at their computer, so the email should be available promptly?
 

Josef P.

Well-known member
I wonder if this "safety feature" will do any good on an access frontend.
Apparently someone has enough criminal energy to book something under another name. Does this person then perhaps also have enough energy to simply bypass the Access security system?

As a first step, I would save only the Windows user and the PC name in a log table each time they log in.
Maybe then it will turn out that it is simply because certain users just leave their application open when they leave the workplace or make the (wrong) booking themselves and just need an excuse. ;)
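
Added example (not part of the post above): a VBA sketch of the suggested login log, plus a query that lists application accounts used under more than one Windows account. The table `tblLoginLog`, its columns and both procedure names are hypothetical.

```vba
Option Compare Database
Option Explicit

' Added example. Assumed table (hypothetical name and columns):
'   tblLoginLog(LoggedAt Date/Time, AppUser Text, WinUser Text,
'               PcName Text, Succeeded Yes/No)

' Call from the login form after every attempt, successful or not.
Public Sub LogLoginAttempt(ByVal appUser As String, ByVal succeeded As Boolean)
    Dim net As Object, qd As DAO.QueryDef
    ' WScript.Network asks Windows for the identity; Environ("USERNAME")
    ' can be overridden by whoever starts the process.
    Set net = CreateObject("WScript.Network")
    Set qd = CurrentDb.CreateQueryDef("", _
        "PARAMETERS pAt DateTime, pApp Text(255), pWin Text(255), " & _
        "pPc Text(255), pOk Bit; " & _
        "INSERT INTO tblLoginLog (LoggedAt, AppUser, WinUser, PcName, Succeeded) " & _
        "VALUES (pAt, pApp, pWin, pPc, pOk);")
    qd.Parameters("pAt").Value = Now
    qd.Parameters("pApp").Value = appUser
    qd.Parameters("pWin").Value = net.UserDomain & "\" & net.UserName
    qd.Parameters("pPc").Value = net.ComputerName
    qd.Parameters("pOk").Value = succeeded
    qd.Execute dbFailOnError
    qd.Close
End Sub

' Prints application accounts that logged in under more than one Windows account.
Public Sub ListSharedAccounts()
    Dim rs As DAO.Recordset
    Set rs = CurrentDb.OpenRecordset( _
        "SELECT d.AppUser, Count(*) AS WinUsers FROM " & _
        "(SELECT DISTINCT AppUser, WinUser FROM tblLoginLog " & _
        "WHERE Succeeded = True) AS d " & _
        "GROUP BY d.AppUser HAVING Count(*) > 1;", dbOpenSnapshot)
    Do Until rs.EOF
        Debug.Print rs!AppUser, rs!WinUsers
        rs.MoveNext
    Loop
    rs.Close
End Sub
```

The log is only as trustworthy as the protection on the table: users who can open the back-end file directly can also edit it.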
 

adewale4favour

Registered User.
> Well I thought of a text, but not everyone might have a phone?
> They would be at their computer, so the email should be available promptly?

Yea, text will be okay, they mandatorily will need a phone. Is there any link to check up how to figure this out?
 

Uncle Gizmo

Nifty Access Guy
Staff member
Do you mean SMS message will be okay?

Assuming you do, and for anyone else looking for an SMS solution that works nicely from MS Access then go to the text local website for further information.

Please note you need to buy "credits" to use the service. Don't know what it costs these days.

The following are my notes about it from 2011, and could be out of date. Go to the website for the latest information.

Email From Field
Email to SMS must be sent from your registered email address on your Txtlocal Account. If you need to send an email to SMS message from another email address then talk to the administrator who may be able to add extra email addresses.

To & CC Fields
In order to send an email to text message, the recipient's email address needs to be inserted into the 'To' and 'CC' Fields using the following format: MobileNumber@txtlocal.co.uk.

Multiple Recipients
You can send the same email to text message to multiple recipients by adding more addresses in either the To or CC fields.

Subject Field (Optional)
All email to SMS texts will arrive addressed from your default sender name. If you wish to change this, use sender= in the subject line to send your messages from any 11 character name or up to 14 digit telephone number. You can also add an extra level of security by adding password= into your email, and selecting the require password option in your settings.

Message Termination
At the end of the message add: ##. Anything after the ## will not be sent.

Message Length Billing
You can type any email to text message, up to 612 characters. You will be billed for the following message lengths:

  • 0 - 160 = 1 credit.
  • 161 - 306 = 2 credits.
  • 307 - 459 = 3 credits.
  • 460 - 612 = 4 credits.

Message Start
In some rare cases, you may need to let us know where your message starts. If you need to, add #%# before your message.

Bulk Recipients
In addition to placing bulk SMS recipients in the 'To' and 'CC' lines of the email, you can also place them after the ## terminator. For example:


Don't forget the meeting at 12:30pm.##

0777000000@txtlocal.co.uk

0777000001@txtlocal.co.uk

0777000002@txtlocal.co.uk

As with any email to SMS message, the text after the ## will not be sent to the handset, but a copy of the text will be sent to all the listed numbers.

Group Sending
You can send an Email to SMS message to a group you've already created on your Txtlocal account. To do this, send an email containing tlgrpXXXX@txtlocal.co.uk, where XXXX is the group ID you want to send to.

You can find the ID of a group by clicking on View Group ID in the advanced section of the Reports page in your Txtlocal account.

Password Security
You can also add an extra layer of security, ensuring we only send emails directly from you. By selecting the "Require Password" option within your settings, this will force any emails sent to include password=your password in the subject line.
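
Added example (not part of the notes above): VBA helpers that build the recipient address and message body in the format the 2011 notes describe, and reject text that would break it. The function names are hypothetical, the sample message is constructed, and counting credits on the text before the ## terminator is an assumption.

```vba
Option Compare Database
Option Explicit

' Added example following the 2011 notes above; check the current Txtlocal
' documentation before relying on any of these rules.

' 0777000000 -> 0777000000@txtlocal.co.uk. Digits only, so nothing else
' can slip into the To/CC field.
Public Function TxtlocalAddress(ByVal mobile As String) As String
    If Len(mobile) = 0 Or mobile Like "*[!0-9]*" Then
        Err.Raise vbObjectError + 10, , "Mobile number must contain digits only"
    End If
    TxtlocalAddress = mobile & "@txtlocal.co.uk"
End Function

' Appends the ## terminator. A ## formed inside or at the end of the text
' would cut the SMS short, and per the notes anything after it can be read
' as extra recipients, so such text is rejected.
Public Function TxtlocalBody(ByVal msg As String) As String
    If InStr(msg & "##", "##") <= Len(msg) Then
        Err.Raise vbObjectError + 11, , "Message would contain an early ##"
    End If
    If Len(msg) > 612 Then
        Err.Raise vbObjectError + 12, , "Message longer than 612 characters"
    End If
    TxtlocalBody = msg & "##"
End Function

' Credits billed for a message, using the length bands from the notes.
Public Function TxtlocalCredits(ByVal msg As String) As Long
    Select Case Len(msg)
        Case 0 To 160: TxtlocalCredits = 1
        Case 161 To 306: TxtlocalCredits = 2
        Case 307 To 459: TxtlocalCredits = 3
        Case 460 To 612: TxtlocalCredits = 4
        Case Else: Err.Raise vbObjectError + 12, , "Message longer than 612 characters"
    End Select
End Function

' Constructed sample values; prints the pieces to the Immediate window.
Public Sub DemoTxtlocal()
    Const MSG As String = "Your login code is 123456. It expires in 5 minutes."
    Debug.Print "To:   "; TxtlocalAddress("0777000000")
    Debug.Print "Body: "; TxtlocalBody(MSG)
    Debug.Print "Cost: "; TxtlocalCredits(MSG); "credit(s)"
End Sub
```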
 

The_Doc_Man

Immoderate Moderator
Staff member
I have found that unless you have a fairly tight domain setup, spoofing is going to be an issue. Access starts life with a NO-factor authentication. We have had folks who have asked about biometric devices and of course it is possible to integrate something that has a well-defined program interface. However, the BEST method is if you have a good domain-level security, treat it as a "trust" situation. Look for some of Isladog's posts on user security, to identify the user by asking the domain. IF the domain is secured well enough, then your user identification can also be trusted. If your domain security cannot be trusted, your users will also be impossible to trust. It's that simple.

If you have ENOUGH provable examples of users spying on others and getting into their stuff, talk to your boss and see if your company allows the use of firing squads. That should be a good deterrent.

(You know I'm at least slightly joking about the firing squads, right?)
 

Pat Hartman

Super Moderator
Staff member
> I have an application with multiple users, sometimes, it is discovered that some users spy on others' User credentials and they use them privately to do some sort of unauthorized transactions.

And these people have not been fired (or fired upon) because????

Using two factor authentication for every login will rapidly annoy all users, even the dishonest ones. Not to mention the cardboard box analogy:):):)
 

LarryE

Active member
> it is discovered that some users spy on others' User credentials and they use them privately to do some sort of unauthorized transactions.

  1. How are these transactions identified?
  2. How do you identify who is using someone else's credentials?
  3. Do you have a written policy against this behavior?
  4. Do you enforce the policy?
  5. What are the consequences?
Criminals will always find a way to circumvent control processes. It's a fact of life. Using added login procedures probably will not solve the problem. If someone is spoofing another employee and creating unauthorized transactions, you have a personnel problem, not a login problem.
 

adewale4favour

Registered User.
Thanks everyone, I am trying to figure out what exactly to do in this case. Already the management is taking steps to clean up the personnel found in this act. However, we are also going to work around the inclusion of two-step verification or other means of checking with this abuse.

Many thanks!
 
