Frictionless Login

Frictionless Login 1.0.0 Beta 3

No permission to download
Overview FAQ Updates (2) History Discussion
I'm contemplating installing this one, but, I think if someone forgets their password, it doesn't let them update it without knowing the previous one, and "contact us" or "reset password" should be the better option. So that basically merely adds a vulnerability to your site if someone's email was hacked, they try to log in, receive this login link and wreak havoc as the user...
 
Saphira said:
I'm contemplating installing this one, but, I think if someone forgets their password, it doesn't let them update it without knowing the previous one, and "contact us" or "reset password" should be the better option. So that basically merely adds a vulnerability to your site if someone's email was hacked, they try to log in, receive this login link and wreak havoc as the user...
Click to expand...
If someones forum account pass is leaked, then this would work to protect them. Someone having the password to the email used on a forum means they can reset the password, so it would make no difference to use this or if their email was compromised.

This is not a security add-on.
 
Saphira said:
I think if someone forgets their password, it doesn't let them update it without knowing the previous one, and "contact us" or "reset password" should be the better option.
Click to expand...
If a user forgot its password and wants to restart actively using the XenForo instance, a password reset for sure is the better option than using a temporary login link.
But if a user that posted one thread a dozen years ago comes back now and just wants to ask one further question (but has forgotten its password in the meantime) but able to log in with just requesting a link is more straightforward tahn going through a full password recovery reset.

So IMHO it always depends on the usecase / scenario wether a login link would be useful or not.

So that basically merely adds a vulnerability to your site if someone's email was hacked, they try to log in, receive this login link and wreak havoc as the user...
Click to expand...
Yeah, this does increase the theoretical risk of accout abuse - if there is an attacker that has unauthorized access to an email account but doesn't know if there is a XenForo account for that email.

In this case he could just probe to get login links and use them on success - but he could also just probe password recovery.

The only way to stop forum accounts from being abused due to compromised email accounts is to use TFA.

Forsaken said:
If someones forum account pass is leaked, then this would work to protect them.
Click to expand...
Erm ... no?

If the forum account password is compromised an attacker can log in with the password (if TFA isn't enabled).
Using this Add-on does not change this, it just offers an additional option to log in via a temporary login link.
 
Kirby said:
If a user forgot its password and wants to restart actively using the XenForo instance, a password reset for sure is the better option than using a temporary login link.
But if a user that posted one thread a dozen years ago comes back now and just wants to ask one further question (but has forgotten its password in the meantime) but able to log in with just requesting a link is more straightforward tahn going through a full password recovery reset.

So IMHO it always depends on the usecase / scenario wether a login link would be useful or not.


Yeah, this does increase the theoretical risk of accout abuse - if there is an attacker that has unauthorized access to an email account but doesn't know if there is a XenForo account for that email.

In this case he could just probe to get login links and use them on success - but he could also just probe password recovery.

The only way to stop forum accounts from being abused due to compromised email accounts is to use TFA.


Erm ... no?

If the forum account password is compromised an attacker can log in with the password (if TFA isn't enabled).
Using this Add-on does not change this, it just offers an additional option to log in via a temporary login link.
Click to expand...
I hadn't had a chance to test with this, so assumed you could just disable login as well.
 
Forsaken said:
If someones forum account pass is leaked, then this would work to protect them. Someone having the password to the email used on a forum means they can reset the password, so it would make no difference to use this or if their email was compromised.

This is not a security add-on.
Click to expand...
Thanks, you are right. If you have access to the email, you can anyway reset the password.
 
Can we force the login link sent via email only and not accept username/email and password combinations if they fail at least once?
For that IP like for an hour.
 
@rdn
Currently this is not possible, but I could probably add such a feature.
But would it make sense for this Add-on?
The idea was to simply Log-in (for users that habe trouble with their password), but this sounds more like a security feature idea?
 
With so many compromised email/username/password combination, someone can try and guess someone's login.

rdn said:
force the login link sent via email only and not accept username/email and password combinations if they fail at least once.
For that IP like for an hour.
Click to expand...
If this is added, it would slow them down.
 
You must log in or register to reply here.

Similar threads

Ozzy47
[OzzModz] Failed Login Log
2
Replies
26
Views
742
duderuud
duderuud
Ozzy47
[OzzModz] Login Log
Replies
11
Views
334
christisking
C
Steffen
Adding a Passkey implicitly enables 2FA which effectively disables password-based login and unexpectedly makes account recovery impossible
Replies
0
Views
36
Steffen
Steffen
Ozzy47
[OzzModz] ACP Login Log
Replies
6
Views
224
Ozzy47
Ozzy47
Ozzy47
[OzzModz] ACP Failed Login Log
2
Replies
20
Views
533
Ozzy47
Ozzy47
Back
Top Bottom