POSSIBILITY OF SETTING UP TWO-FACTOR VERIFICATION ON LOGIN FORM

[adewale4favour]

Hi, just a quick one, I actually thought about this and want to ask if this is a possibility, integrating a two-factor verification on MS Access Login Form.

I have an application with multiple users, some times, it is discovered that some users spy on others' User credentials and they use them privately to do some sort of unauthorized transactions.

I just want to know, if there is a way to figure out a verification from the owner of these credentials.

Thanks.

 

[Gasman]

Send an email with some random generated word/number and get the user to enter that into the form, then check they are the same?

 

[Gasman]

Well I thought of a a text, but not everyone might have a phone?
They would at their computer, so the email should be available promptly?

 

[Josef P.]

I wonder if this "safety feature" will do any good on an access frontend.
Apparently someone has enough criminal energy to book something under another name. Does this person then perhaps also have enough energy to simply bypass the Access security system?

As a first step, I would save only the Windows user and the PC name in a log table each time they log in.
Maybe then it will turn out that it is simply because certain users just leave their application open when they leave the workplace or make the (wrong) booking themselves and just need an excuse.

 

[adewale4favour]

Well I thought of a a text, but not everyone might have a phone?
They would at their computer, so the email should be available promptly?

Yea, text will be okay, they mandatorily will need a phone. Is there any link to check up how to figure this out?

 

[adewale4favour]

Do you mean SMS message will be okay?

yea

 

[sonic8]

integrating a two-factor verification on MS Access Login Form.

You are about to install a high security lock on a cardboard box.

 

[The_Doc_Man]

I have found that unless you have a fairly tight domain setup, spoofing is going to be an issue. Access starts life with a NO-factor authentication. We have had folks who have asked about biometric devices and of course it is possible to integrate something that has a well-defined program interface. However, the BEST method is if you have a good domain-level security, treat it as a "trust" situation. Look for some of Isladog's posts on user security, to identify the user by asking the domain. IF the domain is secured well enough, then your user identification can also be trusted. If your domain security cannot be trusted, your users will also be impossible to trust. It's that simple.

If you have ENOUGH provable examples of users spying on others and getting into their stuff, talk to your boss and see if your company allows the use of firing squads. That should be a good deterrent.

(You know I'm at least slightly joking about the firing squads, right?)

 

[LarryE]

it is discovered that some users spy on others' User credentials and they use them privately to do some sort of unauthorized transactions.

1. How are these transactions identified?
2. How do you identify who is using someone elses credentials?
3. Do you have a written policy against this behavior?
4. Do you enforce the policy?
5. What are the consequences?

Criminals will always find a way to circumvent control processes. It's a fact of life. Using added login procedures probably will not solve the problem. If someone is spoofing another employee and creating unauthorized transactions, you have a personnel problem, not a login problem.

 

[adewale4favour]

Thanks everyone, I am trying to figure out what exactly to do in this case. Already the management is taking steps to clean up the personnel found in this act. However, we are also going to work around the inclusion of two-step verification or other means of checking with this abuse.

Many thanks!