It's ALIVE! We can now authenticate against Anvil
That's right, folks. After an amazingly challenging week, I can now authenticate my CryptoCard hardware tokens against Anvil! The most difficult and important piece is now done.
I wanted to share the experience with my readers, so I recorded the first officially working authentication request and response to the Anvil Web Service as a screencast. Watch it to see how easy it is to send a SOAP request or HTTP POST to communicate with the strong authentication server. That's right... only a few lines of code are needed to consume the web service and offer strong authentication from pretty much anything, from PHP and Ruby on Rails to Perl and ASP.NET.
If the demo feels a bit slow, that's because it's in debug mode, on a slow TabletPC with tonnes of tracing turned on while Camtasia records everything. Even so, the responses come back pretty fast considering all the crypto behind the scenes.
You may notice the response is a simple XML message with a boolean. You may be asking yourself why there is no detailed response on a failure. The details ARE in the audit log... but I chose NOT to disclose the reason for the failure in the response. During threat modeling I decided that was too much information disclosure, something a potential attacker could use against the server. If a valid user truly is having trouble (which I believe will be rare), they will have the ability to resync their tokens and reset their PINs in a future release. I decided not to pursue those features for version 1 of Anvil.
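As an added illustration of the boolean-only response policy described above (example code written for this post, not Anvil's own; the user store, the stand-in OTP scheme, the window size and the XML element names are all constructed placeholders):

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample store: username -> PIN, shared token secret, last accepted counter.
# Placeholder data only; this is not Anvil's schema or CryptoCard's token algorithm.
USERS = {
    "alice": {"pin": "4821", "secret": b"alice-token-secret", "counter": 41},
}

AUDIT_LOG = []  # detailed failure reasons live here, never in the response


def expected_otp(secret: bytes, counter: int) -> str:
    """Stand-in event-based OTP: HMAC over the counter, truncated to 6 digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def authenticate(username: str, pin: str, otp: str) -> str:
    """Return the same boolean XML for every failure; record why in the audit log."""
    user = USERS.get(username)
    if user is None:
        reason = "unknown user"
    elif not hmac.compare_digest(pin, user["pin"]):
        reason = "wrong PIN"
    else:
        reason = "OTP rejected (replayed or outside window)"
        # Accept the next few counter values so a token pressed without
        # submitting does not lock the user out (look-ahead window of 3).
        for step in range(1, 4):
            candidate = user["counter"] + step
            if hmac.compare_digest(otp, expected_otp(user["secret"], candidate)):
                user["counter"] = candidate  # advancing the counter blocks replay
                reason = None
                break
    ok = reason is None
    AUDIT_LOG.append({"user": username, "ok": ok, "reason": reason})
    # The caller sees only true/false; unknown user, bad PIN and bad OTP look identical.
    root = ET.Element("AuthenticateResponse")
    ET.SubElement(root, "Authenticated").text = str(ok).lower()
    return ET.tostring(root, encoding="unicode")
```

Every failure path returns byte-for-byte the same document, so a caller cannot tell a valid username from an invalid one, while the audit log still keeps the distinction for the administrator.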
I am really happy with this piece falling into place before the week ended. I expected this would be the most difficult piece of the puzzle, and with it out of the way I can now focus back on the IAS issues that Microsoft PSS is still working on.
Have a great weekend! I know I intend to.
Anvil Web Service Screencast [Flash ~9MB]