WebApp Sec mailing list archives

Multi-factor login authentication schemes including password recovery


From: steve wright <steviewr1ght () yahoo com>
Date: Thu, 7 Oct 2004 14:45:04 -0700 (PDT)

Hello!
 
I need to design a web application that incorporates a
layered password login page since I can not use
client-side certificates etc for this project - but
need to beef up the usual password/username scheme.

Are there any good whitepapers that describe such a
web application scheme, including the registration
process, where the user would need to provide a
passphrase, to be used as a shared secret in the
authentication process? To complement this, a secure
password recovery process is also needed. Something
along the lines of what many internet banks do these
days with username and password, then redirection to a
new page with 3 random characters from your
passphrase, plus a secure "forgot your password"
process to go with it.
 
Any pointers to resources which detail such a scheme
with some nice process flows would be highly
appreciated...

What I have found so far on the net described some of
the above in a fragmented and incomplete manner. I
have yet to find a comprehensive guide/whitepaper that
does a good job of covering all aspects including
mapping out the required processes...
 
- SW
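
The flow SW describes, as an added example that is not part of the original post or any of the bank schemes it mentions: a server-side model of the two-step login (username and password, then a challenge for 3 random positions of a registered passphrase) together with a "forgot your password" path that issues a single-use, expiring token of which only a hash is stored. The in-memory store, the PBKDF2 parameters, the 3-position challenge size, the lockout threshold and the 15-minute token lifetime are my assumptions, not anything from the post. One caveat worth seeing in code: the partial-passphrase step only works if the server can read individual characters of the passphrase, so unlike the password it cannot be stored as a one-way hash.

```python
"""Layered login with a partial-passphrase challenge plus hash-stored reset tokens.

Added example; the store, parameters and helper names are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000        # assumed work factor for the password hash
CHALLENGE_POSITIONS = 3            # "3 random characters from your passphrase"
MIN_PASSPHRASE_LEN = 8             # assumed; must exceed CHALLENGE_POSITIONS
MAX_CHALLENGE_FAILURES = 3         # assumed lockout threshold for step 2
RESET_TOKEN_TTL = 15 * 60          # assumed token lifetime, seconds


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


class AuthStore:
    """In-memory user store, constructed for the example (a real one is a database)."""

    def __init__(self):
        self.users = {}
        self.reset_tokens = {}  # sha256(token) -> (username, expiry)

    def register(self, username, password, passphrase):
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            raise ValueError("passphrase too short for a positional challenge")
        salt = os.urandom(16)
        # The password is stored only as a salted PBKDF2 hash. The passphrase is
        # NOT: step 2 needs individual characters, so it stays recoverable
        # (plaintext here). That is the inherent cost of this scheme.
        self.users[username] = {"salt": salt, "pw_hash": _pbkdf2(password, salt),
                                "passphrase": passphrase, "failures": 0}

    # ---- step 1: username + password ----
    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            _pbkdf2(password, b"\x00" * 16)  # same cost for unknown users
            return False
        return hmac.compare_digest(user["pw_hash"], _pbkdf2(password, user["salt"]))

    # ---- step 2: 3 random positions from the passphrase ----
    def make_challenge(self, username):
        """Return sorted 0-based positions chosen with a CSPRNG (show 1-based in the UI)."""
        n = len(self.users[username]["passphrase"])
        return sorted(secrets.SystemRandom().sample(range(n), CHALLENGE_POSITIONS))

    def check_challenge(self, username, positions, answer):
        user = self.users[username]
        if user["failures"] >= MAX_CHALLENGE_FAILURES:
            return False  # locked: a partial secret leaks a little per guess
        expected = "".join(user["passphrase"][p] for p in positions)
        ok = hmac.compare_digest(expected.encode(), answer.encode())
        user["failures"] = 0 if ok else user["failures"] + 1
        return ok

    # ---- "forgot your password" ----
    def issue_reset_token(self, username, now=None):
        """Return the one-time token to send out of band; only its hash is kept."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[digest] = (username, now + RESET_TOKEN_TTL)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        """Consume the token (single use) and set a new password if it is unexpired."""
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        user = self.users[username]
        user["salt"] = os.urandom(16)
        user["pw_hash"] = _pbkdf2(new_password, user["salt"])
        user["failures"] = 0
        return True
```

Two points the code makes concrete: the challenge positions come from `secrets.SystemRandom`, not `random`, and every comparison of a secret goes through `hmac.compare_digest`; and a reset token is hashed before storage so a database read does not yield usable tokens, is consumed on first use, and expires on its own.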


                
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com


Current thread: