[Not planned] Login security: sending passwords over the channel - two stage authentication

Timothy Kaler

New member
Currently passwords are being sent as typed by the user. A better strategy would be to have a two stage login process. First the user enters their username and password and presses "login." Then the user's username is posted to the server, and the server generates a random handshake string. This handshake string is returned to the user, and the server remembers that it assigned this specific handshake string to this user's username. Then the user's password is concatenated with the handshake string, and then a hash function is applied to generate an authentication string. Then this authentication string is posted to the server.

A little convoluted, but it's super easy to implement. It doesn't give a site the same security as sending passwords over an encrypted connection, but it is pretty good.

~Tim
 
Upvote 1
This suggestion has been closed. Votes are no longer accepted.
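The two-stage exchange Tim describes, written out as an added example (this is not code from the post or from XenForo): the server hands out a single-use random handshake string for the username, the client posts a hash of the password concatenated with that handshake, and the server recomputes the same hash and compares. Assumptions made here: SHA-256 as the hash function, a hex handshake from `secrets`, and a constructed credential table. Because the server must recompute the same value, it has to hold the secret the client hashes, which is the trade-off the post acknowledges against an encrypted connection.

```python
import hashlib
import hmac
import secrets


def compute_auth(password: str, handshake: str) -> str:
    """Authentication string: hash(password || handshake). Both sides compute this."""
    return hashlib.sha256((password + handshake).encode()).hexdigest()


class ChallengeServer:
    """Server side of the two-stage login."""

    def __init__(self, credentials: dict):
        # Constructed sample credential table: username -> secret the client hashes.
        # The scheme requires the server to be able to recompute compute_auth().
        self._credentials = dict(credentials)
        # Outstanding handshakes: username -> handshake string issued in stage one.
        self._pending = {}

    def stage_one(self, username: str) -> str:
        """Stage one: the username is posted, a random handshake is returned and remembered."""
        handshake = secrets.token_hex(16)
        self._pending[username] = handshake
        return handshake

    def stage_two(self, username: str, auth_string: str) -> bool:
        """Stage two: verify the posted authentication string against the remembered handshake."""
        # pop() makes the handshake single-use: a replayed auth string finds no handshake.
        handshake = self._pending.pop(username, None)
        if handshake is None:
            return False
        secret = self._credentials.get(username)
        if secret is None:
            return False
        expected = compute_auth(secret, handshake)
        # Constant-time comparison so the check does not leak how many bytes matched.
        return hmac.compare_digest(expected, auth_string)


def client_login(server: ChallengeServer, username: str, password: str) -> bool:
    """Client side: run both stages for a user who typed `password`."""
    handshake = server.stage_one(username)          # message 1: username -> server, handshake back
    auth_string = compute_auth(password, handshake)  # password never leaves the client
    return server.stage_two(username, auth_string)   # message 2: auth string -> server


if __name__ == "__main__":
    srv = ChallengeServer({"tim": "correct horse battery staple"})  # constructed sample
    print("good password:", client_login(srv, "tim", "correct horse battery staple"))
    print("bad password: ", client_login(srv, "tim", "wrong"))
```

Each handshake is consumed on first use, so an observer who captured one authentication string cannot post it again; the server does still need the password (or whatever secret the client hashes) in a recomputable form, which is why the scheme is weaker than hashing a password that only ever travels over an encrypted connection.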
True, but there's a lot of business transactions going on within my site... I'd think people selling stuff and using it as a marketplace would protect their accounts at least... There are 26,512 Facebook, AdSense, Analytics, PayPal, Google+ and Twitter accounts linked by users... yet only 45 bother with 2-factor auth.

I'm just a security weirdo I guess... {shrug}
Yeah, I plan on writing one that is just for me for one of my sites. Will eventually open it up to everyone if they'd like it.
 
Finally got something to play with on my test install. At the moment it supports Google Authenticator and Yubikey (the mod is modular allowing you to add others in the future). Once we are happy it will be released as a free addon here at XF.

My account has both Google Authenticator and Yubikey associated with it, so to login I just need to provide my password and then ONE of the secondary authentication methods. The admin control panel is also protected by two factor authentication.

[Attachments: googleauthenticator.webp, yubikey.webp, userpref.webp, loginpage.webp]
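What the "password plus ONE of the secondary authentication methods" rule looks like in code, as an added example that is not the addon's code: an RFC 6238 TOTP check of the kind Google Authenticator produces, registered as one of an account's second factors, with the login succeeding only when the password verifies and any single registered factor does. The YubiKey path is not implemented here; `TotpFactor`, `Account` and `login` are names chosen for this example, the password is stored as a salted PBKDF2 hash, and the TOTP secret used in the demo is the RFC 6238 test key.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what an authenticator app shows)."""
    return hotp(secret, int(at_time) // step, digits)


class TotpFactor:
    """One registered second factor: a shared TOTP secret plus a small clock-skew window."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps

    def verify(self, code: str, now: float) -> bool:
        counter = int(now) // 30
        ok = False
        # Accept the current step and +/- skew_steps neighbours; compare every candidate
        # in constant time rather than returning on the first match.
        for c in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            ok |= hmac.compare_digest(hotp(self.secret, c), code)
        return ok


class Account:
    """Password verifier plus any number of second factors; ONE factor must succeed."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.factors = []

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(self.pw_hash, candidate)


def login(account: Account, password: str, second_factor_code: str, now: float = None) -> bool:
    """Password first; then any one of the account's registered factors must verify."""
    now = time.time() if now is None else now
    if not account.check_password(password):
        return False
    if not account.factors:
        return False  # hypothetical policy for this example: a second factor is required
    return any(f.verify(second_factor_code, now) for f in account.factors)


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"  # RFC 6238 test secret, not a real user's key
    acct = Account("correct horse battery staple")
    acct.factors.append(TotpFactor(rfc_key))
    code = totp(rfc_key, time.time())
    print("password + valid code:", login(acct, "correct horse battery staple", code))
    print("password + bad code:  ", login(acct, "correct horse battery staple", "000000"))
```

Adding a second factor type (a YubiKey OTP validator, for instance) means adding another class with the same `verify(code, now)` method and appending it to `account.factors`; the login rule itself does not change.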
 
I'm just a security weirdo I guess... {shrug}

I think most people just don't get how it works, thus how it'd benefit them. I'm sure plenty of other services have similar ratios. For example, I know we saw similar apathy with Google Accounts until we started promoting the **** out of it, like when people would log in to Gmail.

Something like http://goo.gl/Iy3MT (doesn't necessarily have to be so flashy) could help at least with the education part.
 
I think most people just don't get how it works, thus how it'd benefit them....
Very true. Never heard of it prior to Shawn using it on the XF version of Digitalpoint, read up on it and find it interesting. Turns out it is like my bank, an on-screen password and a separate security tag that generates a random number. Will look into using it some day if only for my and my moderators' accounts....
 