Frictionless Login

Frictionless Login 1.0.0 Beta 3

No permission to download
Overview FAQ Updates (2) History Discussion
I'm contemplating installing this one, but, I think if someone forgets their password, it doesn't let them update it without knowing the previous one, and "contact us" or "reset password" should be the better option. So that basically merely adds a vulnerability to your site if someone's email was hacked, they try to log in, receive this login link and wreak havoc as the user...
 
Saphira said:
I'm contemplating installing this one, but, I think if someone forgets their password, it doesn't let them update it without knowing the previous one, and "contact us" or "reset password" should be the better option. So that basically merely adds a vulnerability to your site if someone's email was hacked, they try to log in, receive this login link and wreak havoc as the user...
Click to expand...
If someones forum account pass is leaked, then this would work to protect them. Someone having the password to the email used on a forum means they can reset the password, so it would make no difference to use this or if their email was compromised.

This is not a security add-on.
 
Saphira said:
I think if someone forgets their password, it doesn't let them update it without knowing the previous one, and "contact us" or "reset password" should be the better option.
Click to expand...
If a user forgot its password and wants to restart actively using the XenForo instance, a password reset for sure is the better option than using a temporary login link.
But if a user that posted one thread a dozen years ago comes back now and just wants to ask one further question (but has forgotten its password in the meantime) but able to log in with just requesting a link is more straightforward tahn going through a full password recovery reset.

So IMHO it always depends on the usecase / scenario wether a login link would be useful or not.

So that basically merely adds a vulnerability to your site if someone's email was hacked, they try to log in, receive this login link and wreak havoc as the user...
Click to expand...
Yeah, this does increase the theoretical risk of accout abuse - if there is an attacker that has unauthorized access to an email account but doesn't know if there is a XenForo account for that email.

In this case he could just probe to get login links and use them on success - but he could also just probe password recovery.

The only way to stop forum accounts from being abused due to compromised email accounts is to use TFA.

Forsaken said:
If someones forum account pass is leaked, then this would work to protect them.
Click to expand...
Erm ... no?

If the forum account password is compromised an attacker can log in with the password (if TFA isn't enabled).
Using this Add-on does not change this, it just offers an additional option to log in via a temporary login link.
 
Kirby said:
If a user forgot its password and wants to restart actively using the XenForo instance, a password reset for sure is the better option than using a temporary login link.
But if a user that posted one thread a dozen years ago comes back now and just wants to ask one further question (but has forgotten its password in the meantime) but able to log in with just requesting a link is more straightforward tahn going through a full password recovery reset.

So IMHO it always depends on the usecase / scenario wether a login link would be useful or not.


Yeah, this does increase the theoretical risk of accout abuse - if there is an attacker that has unauthorized access to an email account but doesn't know if there is a XenForo account for that email.

In this case he could just probe to get login links and use them on success - but he could also just probe password recovery.

The only way to stop forum accounts from being abused due to compromised email accounts is to use TFA.


Erm ... no?

If the forum account password is compromised an attacker can log in with the password (if TFA isn't enabled).
Using this Add-on does not change this, it just offers an additional option to log in via a temporary login link.
Click to expand...
I hadn't had a chance to test with this, so assumed you could just disable login as well.
 
Forsaken said:
If someones forum account pass is leaked, then this would work to protect them. Someone having the password to the email used on a forum means they can reset the password, so it would make no difference to use this or if their email was compromised.

This is not a security add-on.
Click to expand...
Thanks, you are right. If you have access to the email, you can anyway reset the password.
 
You must log in or register to reply here.

Similar threads

The Dark Wizard
  • Suggestion Suggestion
Frictionless Login (Magiclink?)
Replies
8
Views
1K
Forsaken
Forsaken
AndyB
Login log [Paid]
Replies
0
Views
156
AndyB
AndyB
Ozzy47
[OzzModz] Failed Login Log
2
Replies
25
Views
687
Ozzy47
Ozzy47
Ozzy47
[OzzModz] Login Log
Replies
10
Views
301
Ozzy47
Ozzy47
Ozzy47
[OzzModz] ACP Failed Login Log
2
Replies
20
Views
518
Ozzy47
Ozzy47
Top Bottom