General information
Forum: ASP.NET
Category: Code, syntax and commands
Title: Miscellaneous
Thread ID: 01382584
Message ID: 01382614
Views: 52
>Hello,
>
>I am moving my Windows application to the web. I am looking for a good way to "ensure" security so that only my clients are able to log in to the website hosting the application.
>
>What I am thinking is that if I have my clients install a small program on their client computers that embeds a security key in their registry, then I can check the security key prior to allowing them to log into a website. If the security key is not present, they are immediately turned away without getting a chance to enter a username/password. This way, I am sure that only those client computers that have installed the security key can connect to the web application, then when the security key is confirmed, the user will have a username/password for additional security. Of course, all of this will be done inside a secure SSL connection.
>
>Has anyone done anything like this? I would like suggestions and code on how to do this.
>

That's not going to work (at least, not without some kind of ActiveX control) - you don't have access to the registry from a web page. If your clients have a static IP address you can lock the login page to only allow access from those addresses; this is the simplest way to at least gain a bit more security. You can also use client certificates - be aware, this can be complicated to get installed and working correctly and will be a source of continuing support calls from your clients. I've seen very large companies try this and back away from it because of the complexities (ex. when it works, it just works, but it can fail for no apparent reason).

I'd think long and hard about whether it's really necessary to lock down to a specific PC for a web based app. Most of them will just cause you (and your customers) more grief than it's worth. You would probably be better off doing things like only allowing some number of logins for the accounts, locking to a specific IP address, etc.
-Paul

RCS Solutions, Inc.
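
The IP restriction suggested in the reply above could be implemented as a classic ASP.NET `IHttpModule`; this is an added example, not code from the original post. The login path `~/Login.aspx`, the class name, and the listed networks (documentation ranges) are assumptions chosen for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;

// Added example: refuses the login page to any client outside an allowlist of networks.
public sealed class LoginIpAllowlistModule : IHttpModule
{
    // Constructed sample values (RFC 5737 documentation ranges); replace with client addresses.
    private static readonly string[] Allowed = { "203.0.113.10/32", "198.51.100.0/24" };
    private const string LoginPath = "~/Login.aspx"; // hypothetical login page

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            // Compare the executing file, not Request.Path, so "/Login.aspx/extra" is still matched.
            string file = ctx.Request.AppRelativeCurrentExecutionFilePath;
            if (!string.Equals(file, LoginPath, StringComparison.OrdinalIgnoreCase)) return;
            // UserHostAddress is the TCP peer; X-Forwarded-For is client-controlled and not used here.
            if (!IsAllowed(ctx.Request.UserHostAddress))
            {
                ctx.Response.StatusCode = 403;
                ctx.Response.End();
            }
        };
    }
    public void Dispose() { }

    public static bool IsAllowed(string remote)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remote, out ip)) return false;   // fail closed on garbage
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();          // ::ffff:a.b.c.d -> a.b.c.d
        return Allowed.Any(cidr => InCidr(ip, cidr));
    }

    private static bool InCidr(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress net = IPAddress.Parse(parts[0]);
        int bits = int.Parse(parts[1]);
        if (ip.AddressFamily != net.AddressFamily) return false;
        byte[] a = ip.GetAddressBytes(), n = net.GetAddressBytes();
        for (int i = 0; i < a.Length && bits > 0; i++, bits -= 8)
        {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF; // partial last byte
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }
}
```

The module has to be registered in the application's `web.config` before it runs. If the site sits behind a reverse proxy or load balancer, `UserHostAddress` is the proxy's address, so the check belongs at the proxy instead.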