
Most Secure Login


GLWalker


Would never use this on a store, but for government, banks, high level etc.:

Ever see how some login forms have this image that you pick, and if the image matches then you are safe to login as you know you're in the right place - supposedly.

So how about having an account setup where you upload the image, and in order to login, you must put in your password, plus re-upload the same image?

The meta-data and pixels, everything must match 100% between the login upload and the image on file.

After processing, the script deletes the image uploaded during login. From there, there would be a set time where if your initial session times out, you may still login without image upload.
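The scheme in the post above (password plus a byte-exact re-upload of the enrolled image, upload discarded after the check, password-only grace window after a session timeout), written out as an added example. This is not osCommerce code and not the poster's; the in-memory ACCOUNTS table, the 15-minute GRACE_SECONDS value and the sample image bytes are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumed values for the demo (not from the post): a 15-minute password-only
# grace window after a session timeout, and an in-memory account table.
GRACE_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000
ACCOUNTS: Dict[str, dict] = {}

# Constructed stand-ins for an uploaded file: same "pixels", one with a trailing
# metadata chunk and one with it stripped.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"pixels" * 100 + b"EXIF:Canon"
SAMPLE_IMAGE_STRIPPED = b"\x89PNG\r\n\x1a\n" + b"pixels" * 100


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str, image_bytes: bytes) -> None:
    """Store a salted password hash and a SHA-256 digest of the exact upload.
    The image itself is not kept, so a database leak does not hand out the 'key' file."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "image_digest": hashlib.sha256(image_bytes).digest(),
        "last_timeout": None,   # set when a session times out; opens the grace window
    }


def session_timed_out(username: str, now: Optional[float] = None) -> None:
    """Record the moment a session expired; the account may then log in with the
    password alone until GRACE_SECONDS have passed."""
    ACCOUNTS[username]["last_timeout"] = time.time() if now is None else now


def login(username: str, password: str, image_bytes: Optional[bytes],
          now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    rec = ACCOUNTS.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so response timing does
        # not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False

    pw_ok = hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw_hash"])

    if image_bytes is None:
        # Password-only path, valid only inside the grace window after a timeout.
        last = rec["last_timeout"]
        in_grace = last is not None and 0 <= now - last <= GRACE_SECONDS
        return pw_ok and in_grace

    # Byte-exact comparison via digests: a re-encoded, resized or EXIF-stripped
    # copy of the same picture produces a different digest and is rejected.
    image_ok = hmac.compare_digest(hashlib.sha256(image_bytes).digest(), rec["image_digest"])
    # Nothing from image_bytes is written anywhere; it is dropped on return.
    return pw_ok and image_ok


def demo() -> Dict[str, bool]:
    """Walk through enrolment, a good login, a stripped-metadata upload, and the grace window."""
    register("alice", "correct horse battery", SAMPLE_IMAGE)
    results = {
        "exact_upload": login("alice", "correct horse battery", SAMPLE_IMAGE, now=1000.0),
        "stripped_upload": login("alice", "correct horse battery", SAMPLE_IMAGE_STRIPPED, now=1000.0),
        "wrong_password": login("alice", "wrong", SAMPLE_IMAGE, now=1000.0),
        "no_image_before_timeout": login("alice", "correct horse battery", None, now=1000.0),
    }
    session_timed_out("alice", now=1000.0)
    results["no_image_in_grace"] = login("alice", "correct horse battery", None, now=1600.0)
    results["no_image_after_grace"] = login("alice", "correct horse battery", None, now=1901.0)
    results["unknown_user"] = login("bob", "x", SAMPLE_IMAGE, now=1000.0)
    return results
```

Storing a digest rather than the file keeps the server from holding a copy of the key material, but it makes the match brittle in exactly the way the post demands: any re-save, resize or metadata change on the user's copy fails the check. It does nothing to change the point raised in the reply below that the file is "something you have" and can be copied by anyone who gets hold of it.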

So it's not something you know (for a pass), but something you have (possess)? Login security is generally based on something you know (password) or have (key) or something intrinsic to you (iris pattern, fingerprint, etc., which in a way is something you have, that you can't misplace). I'm not sure that possessing a key (the image file) would be any great improvement. Actually, any largish file might do the job. Certainly, someone else could get a copy of the image file, and then possess the same key as you. Plus, it would be a nuisance to have to go through a file upload every time you wanted to use the system, and you'd have to carry around the file with you (such as on a thumb drive). Granted, someone watching over your shoulder as you log in would have a harder time getting in, but as soon as they could "borrow" your thumb drive for a few minutes, all bets are off.


I've been thinking about the need for a password. Can we remove it entirely?

So... all a person needs is access to the registered email address.

They hit a "login" page, insert email.

Press "continue". At this point two things happen:

1. Email goes out with a "key", good for (say) 20 minutes.

2. Redirected to "insert your key" page.

If on this page the correct key is inserted, they are logged in.

See any downside?
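The two-step flow proposed above (email goes out with a key good for 20 minutes, then an "insert your key" page), as an added example of how the server side would have to be built. It is not osCommerce code and not the poster's; the in-memory REGISTERED and PENDING tables, the MAX_ATTEMPTS limit and the send_mail callback are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

KEY_TTL_SECONDS = 20 * 60   # "good for (say) 20 minutes"
KEY_BYTES = 16              # 128 bits of randomness in the emailed key
MAX_ATTEMPTS = 5            # assumed: wrong guesses allowed before the key is voided

# Constructed in-memory state for the demo; a shop would keep both in its database.
REGISTERED: Set[str] = {"shopper@example.com"}
PENDING: Dict[str, Tuple[bytes, float, int]] = {}   # email -> (sha256(key), expiry, bad attempts)


def _digest(key: str) -> bytes:
    return hashlib.sha256(key.encode("utf-8")).digest()


def request_key(email: str, send_mail: Callable[[str, str], None],
                now: Optional[float] = None) -> None:
    """Step 1: generate a key, store only its hash with an expiry, email the key.
    Behaves identically for unknown addresses (no mail, no entry) so the login
    page cannot be used to find out which emails have accounts."""
    now = time.time() if now is None else now
    if email not in REGISTERED:
        return
    key = secrets.token_urlsafe(KEY_BYTES)
    PENDING[email] = (_digest(key), now + KEY_TTL_SECONDS, 0)
    send_mail(email, key)   # the clear-text key exists only in the outgoing mail


def redeem_key(email: str, key: str, now: Optional[float] = None) -> bool:
    """Step 2: the 'insert your key' page. True means the caller may create a session."""
    now = time.time() if now is None else now
    entry = PENDING.get(email)
    if entry is None:
        return False
    digest, expires_at, attempts = entry
    if now > expires_at or attempts >= MAX_ATTEMPTS:
        PENDING.pop(email, None)            # stale or brute-forced: void it
        return False
    if not hmac.compare_digest(_digest(key), digest):
        PENDING[email] = (digest, expires_at, attempts + 1)
        return False
    PENDING.pop(email, None)                # single use: gone once redeemed
    return True
```

Only a hash of the key is stored, so a read of the pending table does not let anyone log in; the key is single use and counted against a small number of wrong guesses. Whoever controls the mailbox still logs in, which is the trade-off the replies that follow pick up on.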

The downside is mainly the bother. If I visited a site I normally buy from and they said to check my emails so I could continue to login, I would not visit the site again. There is also the possibility that the email is delayed. At busy times on a server emails can be delayed by up to four hours.

I regularly have some email take 3 or 4 days to show up in my inbox! So effectively, you've signed on by reading an email?

Anyway, you're just transferring the problem from signing in to your Store account to signing in to your email account. Nothing gained except perhaps one less password to remember. Is that any different than signing on using social media accounts? Is that more or less secure? If the same physical key unlocks my home, unlocks my office, and starts my car; what happens when someone steals that key?

I think the intent of biometrics (iris pattern, fingerprint, etc.) is to escape having to lug around physical "keys" or having to remember lots of passwords. It remains to be seen how successful that is. Lots of people are nervous at the thought of having this personal information stored who knows where under who knows what security, and accessible by Big Business and/or the Government. Maybe they would be more willing to carry around a piece of jewelry (e.g., a signet ring) with an RFID chip embedded in it? Still, you could be unwittingly tracked throughout the day...

Very true. It would be annoying for an ecomm shop.

Some years back, I think 2008/2009, there were plans to implement Yubico into osC - I'm pretty sure that the whole system was coded up and tested by HPDL. It could probably be found, and I -think- I have a Yubikey somewhere...

Then again, such a system is probably overkill for most ecomm shops - 2-factor authentication for a shop selling pots of jam, anyone?

@@burt

I've been thinking about the need for a password. Can we remove it entirely?

So... all a person needs is access to the registered email address.

They hit a "login" page, insert email.

Press "continue". At this point two things happen:

1. Email goes out with a "key", good for (say) 20 minutes.

2. Redirected to "insert your key" page.

If on this page the correct key is inserted, they are logged in.

See any downside?

I typically use my work email address when shopping, and my work email is downloaded through POP3 to a workstation in my home office. I don't have access to it if I am on another computer, either at my office or off-site.

So, your idea won't work for me if I'm on any other computer/phone/tablet/etc. Yes, a self-imposed limitation, but a limitation nonetheless.

Malcolm

I'm starting to think that you only need a unique key combo to access previous records/transactions, but to place an order it does not require a login.

Use the same email address, get prompted to confirm the details on record (from the last order) and proceed to hand over to the payment processors.

A bit like better checkout works.

I've been thinking about the need for a password. Can we remove it entirely?

So... all a person needs is access to the registered email address.

They hit a "login" page, insert email.

Press "continue". At this point two things happen:

1. Email goes out with a "key", good for (say) 20 minutes.

2. Redirected to "insert your key" page.

If on this page the correct key is inserted, they are logged in.

See any downside?

My bank makes me do that. I have the options to email/text/etc. I hate it, but they are banks and it has my money... damnit...

My bank makes me do a similar thing as the original post @@GLWalker - I had to choose an image (from a selection of about 20) and come up with a "pass phrase". I then login using a number (that has zero relation to my bank account number, sent to me by SnailMail) and a password (of my choosing).

At that point I get to see the image I chose + pass phrase. If I recognise them, all is well and I can continue. If I don't recognise them, I have to call some number, and I don't know what happens then as I've never had to do that.

Archived

This topic is now archived and is closed to further replies.
