Nasomi Community FFXI Server
https://na.nasomi.com/forum/

One time password or Authorize login
https://na.nasomi.com/forum/viewtopic.php?f=6&t=12270
Page 3 of 4

Author:  Halcyone [ Fri Oct 04, 2019 4:39 pm ]
Post subject:  Re: One time password or Authorize login

I cannot cast my vote in good faith.

Rules & Regulations; Paragraph 8, Line 2:
Quote:
Gender identification is prohibited. There is no need for anyone to know your gender in this world.


All those who voted for option 1 are now in violation of Nasomi code and should be sent to Mordion.

Author:  Zigma [ Fri Oct 04, 2019 5:47 pm ]
Post subject:  Re: One time password or Authorize login

cthalupa wrote:
Zigma wrote:
cthalupa wrote:
Google's is free


lol, yes. I've never used Google but you can use something like freeradius/google's pam but in order to do that -- you'll still need something to hook it into it. In other words, Nasomi's authentication method would need to support, say, RADIUS, in order for such a thing to work.

No you don't. You can add Google Authenticator support incredibly easily to just about anything. Google Auth codes are just RFC6238 and HMAC - you don't need PAM or RADIUS or any other sort of heavyweight auth method to support it.

There's a bunch of existing RFC6238 implementations for PHP and basically every other language that would be very easy to adapt. e.g. https://github.com/mindgruve/two-factor-authentication / https://github.com/Voronenko/PHPOTP/wik ... entication


You do not need it, but that's like saying -- Let me put a lock in my front door and leave the garage door open. I agree that implementation of any 2FA/MFA system, homegrown or not, is incredibly easy to do but making it secure is not as trivial as one might think. Google Authenticator by itself is just terrible. The fundamental argument that we can both agree on is that something -- anything -- is better than nothing. RADIUS or even OATH is not heavy. Any 2FA/MFA implementation should always be considered to work with RADIUS or even OATH as it complies with proven standards. My overall two cents are around modern 2FA/MFA than outdated 2FA/MFA.

Author:  disposablehero [ Fri Oct 04, 2019 5:48 pm ]
Post subject:  Re: One time password or Authorize login

Even just starting with authorize if ya login from a different ip sounds sweet.

Author:  cthalupa [ Fri Oct 04, 2019 10:24 pm ]
Post subject:  Re: One time password or Authorize login

Zigma wrote:
You do not need it, but that's like saying -- Let me put a lock in my front door and leave the garage door open. I agree that implementation of any 2FA/MFA system, homegrown or not, is incredibly easy to do but making it secure is not as trivial as one might think. Google Authenticator by itself is just terrible. The fundamental argument that we can both agree on is that something -- anything -- is better than nothing. RADIUS or even OATH is not heavy. Any 2FA/MFA implementation should always be considered to work with RADIUS or even OATH as it complies with proven standards. My overall two cents are around modern 2FA/MFA than outdated 2FA/MFA.

Do you think that a quick implementation of Google Authenticator on top of the current system would make things worse than they currently are, or better?

Author:  Zigma [ Sat Oct 05, 2019 12:13 am ]
Post subject:  Re: One time password or Authorize login

cthalupa wrote:
Zigma wrote:
You do not need it, but that's like saying -- Let me put a lock in my front door and leave the garage door open. I agree that implementation of any 2FA/MFA system, homegrown or not, is incredibly easy to do but making it secure is not as trivial as one might think. Google Authenticator by itself is just terrible. The fundamental argument that we can both agree on is that something -- anything -- is better than nothing. RADIUS or even OATH is not heavy. Any 2FA/MFA implementation should always be considered to work with RADIUS or even OATH as it complies with proven standards. My overall two cents are around modern 2FA/MFA than outdated 2FA/MFA.

Do you think that a quick implementation of Google Authenticator on top of the current system would make things worse than they currently are, or better?


I stand by what I said earlier. Something is always better than nothing.

On a personal note, I tip my hat to Nasomi for doing this all for free. As someone who understands how these things work, I personally could not imagine doing all of this during my free time.

Edit: I just saw the poll -- I am in awe of the sheer amount of people who would not want something like this introduced .. cray

Author:  nebulacloud [ Sat Oct 05, 2019 12:19 am ]
Post subject:  Re: One time password or Authorize login

Zigma wrote:
cthalupa wrote:
Zigma wrote:
You do not need it, but that's like saying -- Let me put a lock in my front door and leave the garage door open. I agree that implementation of any 2FA/MFA system, homegrown or not, is incredibly easy to do but making it secure is not as trivial as one might think. Google Authenticator by itself is just terrible. The fundamental argument that we can both agree on is that something -- anything -- is better than nothing. RADIUS or even OATH is not heavy. Any 2FA/MFA implementation should always be considered to work with RADIUS or even OATH as it complies with proven standards. My overall two cents are around modern 2FA/MFA than outdated 2FA/MFA.

Do you think that a quick implementation of Google Authenticator on top of the current system would make things worse than they currently are, or better?


I stand by what I said earlier. Something is always better than nothing.

On a personal note, I tip my hat to Nasomi for doing this all for free. As someone who understands how these things work, I personally could not imagine doing all of this during my free time.

Edit: I just saw the poll -- I am in awe of the sheer amount of people who would not want something like this introduced .. cray


there was a big ban recently, bunch of cry babies who stalk the forums trying to make things look bad.

Don't worry the other 1k+ other people are online enjoying the game :)

edit ;; the forums were never big on having lots of topics, only time people visit is when drama happens. We know nas will make the right decisions and fix things. He's a 1 man show.

Author:  The_Carrot [ Sat Oct 05, 2019 6:09 pm ]
Post subject:  Re: One time password or Authorize login

Email sent with 6 digit code to login to "forum" would be enough I believe. Using it to log into the game would just get annoying after a few random dc's or zone crashes. A section under the forum account settings page to show "last login" (edit:) last time character was logged in (end edit) would help also, so if you see someone has been nosing around you can report it and change ur password right away.

Author:  nebulacloud [ Sat Oct 05, 2019 7:22 pm ]
Post subject:  Re: One time password or Authorize login

The_Carrot wrote:
Email sent with 6 digit code to login to "forum" would be enough I believe. Using it to log into the game would just get annoying after a few random dc's or zone crashes. A section under the forum account settings page to show "last login" (edit:) last time character was logged in (end edit) would help also, so if you see someone has been nosing around you can report it and change ur password right away.


Having to use it after a d/c, zone crash when a hnm crashes and people are rushing back in to try and claim and situations like that would suck.

I think when your I.P changes or something like that, you should have to verify something like this to that nature.

Would be nice to get the verification through something other than your email, since hackers could get to it. Maybe an app like steam verification?

Gonna assume someone who hacks your account, probably has access to your email. There's gotta be a solution to all of this though. If someone does have your password (brute force? or hacks the site?) without using your email, then the verification through email would be nice

What about verification sends a text to a phone number? People without a phone could set up their own Google Voice account to receive them.

Author:  Mosvani [ Mon Oct 07, 2019 4:38 am ]
Post subject:  Re: One time password or Authorize login

How is this 2 factor authentication? You are just using 1 password. Is the idea that the website is more secure to log into than whatever is being used now?

Author:  The_Carrot [ Mon Oct 07, 2019 6:40 am ]
Post subject:  Re: One time password or Authorize login

Stamping some extra security on the forum site would keep people from hijacking the "change password" function, and allow people to mitigate damage to game accounts (to an extent). What's being used now has no real verification of identity other than username and password. So 1 breach is all it takes to ruin your account. Using a 2nd authentication like random verification code being sent (like almost everything else on the web) would at least notify you that someone is attempting to get in. Having a "last time character was logged in" would give you an idea of suspicious activity also, which would be much more relevant than just seeing your stuff sold on the auction house, while you're locked out of your own account, while spamming nasomi for help, and hoping for a quick reply. I have other ideas also but eh~ I think having 2 factor authentication on forum account would be enough to stop most of it.

All times are UTC