Frictionless Login

Frictionless Login 1.0.0 Beta 3

I'm contemplating installing this one, but, I think if someone forgets their password, it doesn't let them update it without knowing the previous one, and "contact us" or "reset password" should be the better option. So that basically merely adds a vulnerability to your site if someone's email was hacked, they try to log in, receive this login link and wreak havoc as the user...
 
If someone's forum account password is leaked, then this would work to protect them. Someone having the password to the email used on a forum means they can reset the password, so it would make no difference whether they use this or not if their email was compromised.

This is not a security add-on.
 
I think if someone forgets their password, it doesn't let them update it without knowing the previous one, and "contact us" or "reset password" should be the better option.
If a user has forgotten their password and wants to start actively using the XenForo instance again, a password reset is for sure the better option than using a temporary login link.
But if a user who posted one thread a dozen years ago comes back now and just wants to ask one further question (but has forgotten their password in the meantime), being able to log in by just requesting a link is more straightforward than going through a full password recovery reset.

So IMHO it always depends on the use case / scenario whether a login link would be useful or not.

So that basically merely adds a vulnerability to your site if someone's email was hacked, they try to log in, receive this login link and wreak havoc as the user...
Yeah, this does increase the theoretical risk of account abuse - if there is an attacker who has unauthorized access to an email account but doesn't know if there is a XenForo account for that email.

In this case he could just probe to get login links and use them on success - but he could also just probe password recovery.

The only way to stop forum accounts from being abused due to compromised email accounts is to use TFA.

If someones forum account pass is leaked, then this would work to protect them.
Erm ... no?

If the forum account password is compromised an attacker can log in with the password (if TFA isn't enabled).
Using this Add-on does not change this, it just offers an additional option to log in via a temporary login link.
 
I hadn't had a chance to test with this, so assumed you could just disable login as well.
 
If someone's forum account password is leaked, then this would work to protect them. Someone having the password to the email used on a forum means they can reset the password, so it would make no difference whether they use this or not if their email was compromised.

This is not a security add-on.
Thanks, you are right. If you have access to the email, you can anyway reset the password.
 
Can we force the login link to be sent via email only and not accept username/email and password combinations if they fail at least once?
For that IP, for like an hour.
 
@rdn
Currently this is not possible, but I could probably add such a feature.
But would it make sense for this Add-on?
The idea was to simply log in (for users that have trouble with their password), but this sounds more like a security feature idea?
 
With so many compromised email/username/password combinations, someone can try and guess someone's login.

force the login link to be sent via email only and not accept username/email and password combinations if they fail at least once.
For that IP, for like an hour.
If this is added, it would slow them down.
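A sketch of the policy proposed in the last two posts, as an added example: this is not the Frictionless Login add-on's code, and the class and method names (AuthPolicy, password_login, request_login_link, redeem_login_link) are invented for the illustration. After one failed password attempt from an IP, that IP is restricted to e-mailed login links for an hour; the links themselves are single-use, expire after an assumed 15 minutes, are stored only as a hash, and an unknown e-mail address gets the same response as a known one so the endpoint cannot be used to probe which accounts exist (the probing concern raised earlier in the thread). The clock is injectable so the lockout and expiry can be exercised without waiting.

```python
"""Per-IP fallback from password login to e-mailed login links.

Added example, not the Frictionless Login add-on's own code. All names here
are hypothetical. Constructed for illustration: the users dictionary stands
in for the forum's user table and the token is returned to the caller only
so the flow can be exercised offline; a real deployment e-mails it instead.
"""
import hashlib
import hmac
import secrets
import time

PASSWORD_LOCKOUT_SECONDS = 60 * 60   # "for that IP, for like an hour"
LINK_TTL_SECONDS = 15 * 60           # assumed lifetime of a login link
PBKDF2_ROUNDS = 100_000              # assumed work factor for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for the forum's own password hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthPolicy:
    def __init__(self, now=time.time):
        self.now = now                   # injectable clock for testing
        self.users = {}                  # email -> (salt, password_hash)
        self.password_locked_until = {}  # ip -> unix time until which passwords are refused
        self.pending_links = {}          # sha256(token) -> (email, expires_at)

    def add_user(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, hash_password(password, salt))

    def password_login(self, ip: str, email: str, password: str) -> str:
        """Returns "ok" on success, otherwise "login_link_required"."""
        now = self.now()
        if self.password_locked_until.get(ip, 0) > now:
            return "login_link_required"
        record = self.users.get(email)
        if record is not None:
            salt, expected = record
            if hmac.compare_digest(expected, hash_password(password, salt)):
                return "ok"
        # One failure is enough: password auth is off for this IP for an hour,
        # which blunts credential-stuffing with leaked email/password pairs.
        self.password_locked_until[ip] = now + PASSWORD_LOCKOUT_SECONDS
        return "login_link_required"

    def request_login_link(self, email: str) -> str:
        """Issue a one-time login token; only the hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        if email in self.users:
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending_links[digest] = (email, self.now() + LINK_TTL_SECONDS)
        # Same response whether or not the account exists, so the endpoint
        # does not reveal which e-mail addresses have a forum account.
        return token

    def redeem_login_link(self, token: str):
        """Return the e-mail the token was issued for, or None if invalid."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending_links.pop(digest, None)   # pop: single use
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None
        return email


if __name__ == "__main__":
    policy = AuthPolicy()
    policy.add_user("alice@example.com", "correct horse battery staple")
    print(policy.password_login("203.0.113.5", "alice@example.com", "wrong"))
    print(policy.password_login("203.0.113.5", "alice@example.com", "correct horse battery staple"))
    link = policy.request_login_link("alice@example.com")
    print(policy.redeem_login_link(link), policy.redeem_login_link(link))
```

Note what this does and does not buy: a correct password from a fresh IP still logs in, and a login link still lands in the mailbox, so the points made earlier in the thread stand. The lockout only slows down guessing, and an attacker with the mailbox is stopped only by TFA.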
 