Not planned Login security: sending passwords over the channel - two stage authentication

Timothy Kaler

New member
Currently passwords are being sent as typed by the user. A better strategy would be to have a two stage login process. First the user enters their username and password and presses "login." Then the user's username is posted to the server, and the server generates a random handshake string. This handshake string is returned to the user, and the server remembers that it assigned this specific handshake string to this user's username. Then the user's password is concatenated with the handshake string, and then a hash function is applied to generate an authentication string. Then this authentication string is posted to the server.

A little convoluted, but it's super easy to implement. It doesn't give a site the same security as sending passwords over an encrypted connection, but it is pretty good.

~Tim
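The two-stage exchange Tim describes, written out as an added Python example (not code from the thread or from XenForo). It assumes a constructed credential store and a 60-second handshake lifetime, and it makes one caveat visible: to recompute hash(password + handshake) the server must hold the password itself (or a password-equivalent), so the scheme protects the channel, not the stored credential.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample store. The scheme needs the password (or an equivalent)
# on the server, since sha256(password + handshake) cannot be derived from a
# salted password hash.
USERS = {"alice": "correct horse battery staple"}

HANDSHAKE_TTL = 60  # seconds a handshake stays valid (assumption)
_pending = {}       # username -> (handshake, issued_at)


def stage_one(username, now=None):
    """Server, stage 1: issue a fresh random handshake for this username."""
    now = time.time() if now is None else now
    handshake = secrets.token_hex(16)
    _pending[username] = (handshake, now)
    return handshake


def client_auth_string(password, handshake):
    """Client: hash(password || handshake), as the post describes."""
    return hashlib.sha256((password + handshake).encode()).hexdigest()


def stage_two(username, auth_string, now=None):
    """Server, stage 2: verify, consuming the handshake so it is single-use."""
    now = time.time() if now is None else now
    entry = _pending.pop(username, None)  # pop: a replayed value fails
    if entry is None:
        return False
    handshake, issued_at = entry
    if now - issued_at > HANDSHAKE_TTL:
        return False
    password = USERS.get(username)
    if password is None:
        return False
    expected = client_auth_string(password, handshake)
    return hmac.compare_digest(expected, auth_string)


def login(username, password):
    """Full exchange: get handshake, hash, post the authentication string."""
    handshake = stage_one(username)
    return stage_two(username, client_auth_string(password, handshake))
```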
 
Two-factor authentication would be better than "two-step"... Two-factor is a secondary *factor*... first factor would be you know your login/password... 2nd factor being you have physical possession of an object (like your cell phone). See this thread for more info: http://xenforo.com/community/threads/two-factor-authentication.22845/

Then it doesn't matter even if someone knows your login/password, because chances are they don't have physical possession of your device.

Bingo.

Two step authentication is worthless as long as it's being handled by the same systems. You have to separate the two processes. Let's say you're going to send a random code to your cell phone via SMS. Now you have to incorporate a routine that not only talks to the login page, but there has to be a timer where that code expires. In addition, the program has to be able to take your cell number, determine who your provider is, and send the SMS message via the approved method for that provider. Any SMS snafu along the way, and chances are the random code will have expired before you receive it.

Looks nice on paper, but implementing two factor authentication for a forum login is not only cost prohibitive for the Admin (think about it for a bit, I'm sure you'll figure out why), could you imagine having to rush around trying to find your cell phone when you MUST get your hind end into the ACP due to an issue?
 
Anything entered via mouse click or keyboard can be read by keyloggers. 2 factor authentication would have to be totally separate from each other. Like using your cell phone and computer.

As such, I don't see this going very far.

That's not necessarily the case.

I think the system my bank uses is a pretty good solution to the problem:

[image: taq0.png]

(a second password where a random 3 characters from it must be entered via dropdown menu - can be read by keyloggers, man in the browser, etc. but the info they get is not enough to login)
 
(a second password where a random 3 characters from it must be entered via dropdown menu - can be read by keyloggers, man in the browser, etc. but the info they get is not enough to login)

Ugh. All they need to do is collect information over a period of time and they'll have the answer to the entire thing.

You can't let the same system handle authentication like that. Yes, it's a bit better than a single login, but it's still easily broken if your PC is infected. And bear in mind, there are root kits in the wild that are designed specifically to steal bank information. Some of these are extremely difficult to detect.
 
Ugh. All they need to do is collect information over a period of time and they'll have the answer to the entire thing.

True, I suppose it depends on the application. For a banking site it's largely OK due to the infrequency of logins.
 
My bank uses a standalone device as the second authentication, you enter your bank card in it, then your pin number, then it gives you a code to type in (I guess that's three steps then, username/password, pin number, code). It's all very good until as Biker points out above you need to get access in a hurry and might not have the authenticating gizmo with you. Basically, I can only log in at home, because I don't take all these bits of hardware out with me. That can be a right pain sometimes.

I guess it's hard balancing security with convenience, because they are usually mutually exclusive!
 
I think the best way this could be achieved (already been said I guess) is how Dropbox and Gmail do it. After logging into the website it sends a pin code to the Google Authenticator app on your phone which you must type in within a certain amount of time.
 
Two-factor authentication would be better than "two-step"... Two-factor is a secondary *factor*... first factor would be you know your login/password... 2nd factor being you have physical possession of an object (like your cell phone). See this thread for more info: http://xenforo.com/community/threads/two-factor-authentication.22845/

Then it doesn't matter even if someone knows your login/password, because chances are they don't have physical possession of your device.

Blah .... Let's not get stuck on terminology .... Google calls it (or it did at one time) 2 step verification ... ie... 2 factor verification

tomato, tomato ...... Developers need to come up with more unique names for things.
 
login security uses IP based login

This is permissions based (so you can just apply it to your Admin)

So the user (for instance the Admin) has to have the correct IP address (and obviously login with the correct username/password combination).

If they don't have the correct IP address, then an email is auto sent to them with a "safe login link" when someone attempts to login with their username

If you have a variable IP, it's still good for accounts that aren't used that often (ie, a super admin that is kept secret)

But an option for 2 factor in the core might be nice
 
My addons are currently being refactored and in addition to supporting Yubikey for authentication Google Authenticator is being added. I have been tentatively told I should have something to play with next weekend :)
 
The Chinese gold farmers have been combining screen shots with their key loggers for years to steal gaming accounts. Random placement doesn't work.

Anything entered via a web page can be hoaxed. Having a GUI that you have to mouse click, and for those buttons to randomise is irrelevant. The information is eventually sent to the server, catching this information and resending it, and automating it is fairly trivial with most security testing application (I know this is what they use in the rune-scape game interface, but resending this information is trivial)

2 factor with phone verification makes more sense, I've honestly never looked into Yubikey / Google Authenticator
 
Side note - It's pretty interesting how *few* users use it, when it gives such great account protection. My site has 754,000 users, of which only 45 use the two-factor authentication option.
 
Side note - It's pretty interesting how *few* users use it, when it gives such great account protection. My site has 754,000 users, of which only 45 use the two-factor authentication option.

I think for most accounts that don't have any real data or personal information (DP has Facebook + analytics linked for my account) don't necessarily believe in the necessity. Now for administrators / moderators, yeah, I can see a real need or desire to have it.
 
I think for most accounts that don't have any real data or personal information (DP has Facebook + analytics linked for my account) don't necessarily believe in the necessity. Now for administrators / moderators, yeah, I can see a real need or desire to have it.

True, but there's a lot of business transactions going on within my site... I'd think people selling stuff and using it as a marketplace would protect their accounts at least... There are 26,512 Facebook, AdSense, Analytics, PayPal, Google+ and Twitter accounts linked by users... yet only 45 bother with 2-factor auth.

I'm just a security weirdo I guess... {shrug}
 