I am not sure if I am going about this the wrong way so I have come here to bounce this problem off of everyone for a little input!
Here is the situation:
Part of our Intranet contains a Client Database which is regulated by HIPPA Standards. Currently I base permissions to this system based off of the currently logged on user ([domain]\[user]) however, Management would now like to add another layer of security to this model.
What has been proposed is the use of .PFX files (possibly on USB Tokens) so that when employee X uploads or verifies a piece of data, the .PFX cert would be attached to the upload or verification to prove that the user is who they say they are.
Currently I have a Bestoken USB Token which I have installed a .PFX file on and, using their SDK I am able to enumerate through the token and read who the Certificate belongs to albeit I am not prompted to supply the password. (This is by design since I am just reading the name off of the cert and not actually using it to sign anything)
What I am caught up on is that all of the MSDN articles that I have read use certificates stored in the local store to provide authentication, however, this is undesireable since not all of our employees have their own pc. The most desireable endresult would be that the user selected the .PFX file, provided a password, and the document could then be verified.
Does anyone have any experience in doing something like this or any general advice to help me along?
Any help would be greatly appreciated.
Read this if you want to know how to get a correct reply for your question:
Technical Editor for: Professional Search Engine Optimization with ASP.NET
Why can't Programmers, program??