Ideas for secure authorization for office workers?
Management is afraid of phishing sites that an employee will visit and enter their logins and passwords.
They also do not want to set up 2-factor authorization. Authorization by IP is not an option: it changes every day and sometimes several times a day.
The following idea appeared:
On the authorization page, we make a hidden input and a JS function that looks at the localStorage auth-token entry: if it is empty, a new key is generated; if the auth-token already has a key, it is inserted into the hidden input. It is then sent to the server during authorization along with the login and the problem.
Next, the admin can click on the "Bind auth-token key" button for authorization. And thus, if the key is different, authorization will fail.
How do you like this way? What are the downsides you see?
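The scheme described in the question, as an added example that is not code from the original post: the function names, the in-memory `devices` map, the "pending" state shown to the admin and the `memoryStorage` stub are all assumptions, and the server keeps only a SHA-256 digest of the token.

```javascript
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// Client side: reuse the token kept in storage, or create one on first visit.
// `storage` is anything with getItem/setItem (localStorage in a browser).
function getOrCreateToken(storage) {
  let token = storage.getItem('auth-token');
  if (!token) {
    token = randomBytes(32).toString('hex'); // in a browser: crypto.getRandomValues
    storage.setItem('auth-token', token);
  }
  return token; // the value placed in the hidden input
}

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest();

// Server side (assumed layout): user -> { bound: Buffer|null, pending: Buffer|null }
const devices = new Map();

// Called only after the password has been verified.
function checkDevice(user, token) {
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return 'rejected';
  const rec = devices.get(user) ?? { bound: null, pending: null };
  devices.set(user, rec);
  const digest = sha256(token);
  if (rec.bound) {
    // Constant-time comparison of equal-length digests.
    return timingSafeEqual(rec.bound, digest) ? 'ok' : 'rejected';
  }
  rec.pending = digest; // waits for the admin's "Bind auth-token key" click
  return 'pending';
}

// Admin action: bind the last token seen for this user.
function bindPending(user) {
  const rec = devices.get(user);
  if (!rec || !rec.pending) return false;
  rec.bound = rec.pending;
  rec.pending = null;
  return true;
}

// Constructed storage stub so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => m.set(k, String(v)) };
}
```

The token is a long-lived value tied to one browser profile, so clearing site data or switching browsers produces a new token and requires a rebind.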
If the sites are your own and the users are your own, then why is access only from internal IPs not suitable for you?
Or do you have phishing sites made by some employees to steal the passwords of other employees and everything inside the network? If so, then this is the last problem to be solved by technical means.
Kroilovo!
The WOT plugin in the browser is needed and that's it.