Random Character Password Authentication

This method of authentication does not require the full password; the user types in only a few randomly selected characters of it. This is done to mitigate "person in the middle" attacks, since an intercepted log-in reveals only part of the password. The number of random characters asked for is 3. For example, if the password is "MyPassword" the user might be asked to provide the characters at positions 1, 3 and 6 ('M', 'P', 's'). The positions (indexes) asked for differ on each attempt. The number of failed log-ins that blocks the user is 5. To support this, a new column was added to EbsMetadata.SystemUser, called PartialPass. It is populated with a JSON document holding the details necessary to validate a random-character log-in.

Add the following setting in the web.config, under <appSettings> to enable the feature:

  • set ebsauth-partial-password to true (the default is false),

  • using a key with the following structure:

<appSettings>
...
<add key="core-setting-ebsauth-partial-password" value="true"/>
...
</appSettings>


Architecture

1 Capture the Username

In order to determine the password identity (such as the password length), the username is captured first. Once the identity is known, random character positions can be drawn from the password.

2 Generate the random characters

When the user is asked to input random characters, the positions are drawn from the entire length of the password, not just from the minimum required password length.
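The flow above (challenge of 3 positions across the whole password, different on each attempt, block after 5 failed log-ins) as an added, self-contained example; this is not the product's own code, and the layout of the PartialPass JSON (a salt and a salted hash per character position) is an assumption, since the page does not specify it.

```python
import hashlib
import hmac
import json
import os
import secrets

REQUIRED_CHARS = 3    # characters asked for per attempt (from the page)
MAX_FAILURES = 5      # failed log-ins after which the user is blocked (from the page)
PBKDF2_ROUNDS = 50_000

def _hash_char(ch: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", ch.encode(), salt, PBKDF2_ROUNDS).hex()

def enroll(password: str) -> str:
    """Build a PartialPass-style JSON record (assumed layout): the password length
    plus one salt and one salted hash per character position, so any single
    position can be checked without storing the clear password. Caveat: a single
    character has tiny entropy, so these hashes only slow down offline guessing;
    the column must still be protected like a secret."""
    positions = []
    for ch in password:
        salt = os.urandom(16)
        positions.append({"salt": salt.hex(), "hash": _hash_char(ch, salt)})
    return json.dumps({"length": len(password), "positions": positions})

def make_challenge(partial_pass: str) -> list:
    """Pick REQUIRED_CHARS distinct 1-based positions over the whole password
    length, from a CSPRNG so the positions differ on every attempt."""
    length = json.loads(partial_pass)["length"]
    return sorted(secrets.SystemRandom().sample(range(1, length + 1), REQUIRED_CHARS))

def verify(partial_pass: str, challenge: list, answers: list) -> bool:
    """Check every answered character against the stored hash for its position."""
    positions = json.loads(partial_pass)["positions"]
    if len(answers) != len(challenge) or len(set(challenge)) != REQUIRED_CHARS \
            or any(not 1 <= p <= len(positions) for p in challenge):
        return False
    ok = True
    for pos, ch in zip(challenge, answers):
        entry = positions[pos - 1]
        # Constant-time compare, and every position is evaluated so timing does not reveal which one failed.
        ok &= hmac.compare_digest(_hash_char(ch, bytes.fromhex(entry["salt"])), entry["hash"])
    return ok

class PartialPassAuthenticator:
    """Per-user state: counts failed log-ins and blocks the user at MAX_FAILURES."""
    def __init__(self, partial_pass: str):
        self.partial_pass, self.failures, self.blocked = partial_pass, 0, False

    def login(self, challenge: list, answers: list) -> bool:
        if self.blocked:
            return False
        if verify(self.partial_pass, challenge, answers):
            self.failures = 0
            return True
        self.failures += 1
        self.blocked = self.failures >= MAX_FAILURES
        return False
```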