
GLWalker

Most Secure Login


Would never use this on a store, but for government, banks, high level, etc.

 

Ever see how some login forms have this image that you pick, if the image matches then you are safe to login as you know you're in the right place - supposedly.

 

So how about having an account setup where you upload the image, and in order to login, you must put in your password, plus re-upload the same image?

 

The meta-data and pixels, everything must match on the login upload 100% to the image on file.

 

After processing, the script deletes the image uploaded during login. From there there would be a set time where if your initial session times out, you may still login without image upload.

 

 


Follow the community build:

BS3 to osCommerce Responsive from the Get Go!

Check out the new construction:

Admin Gone to Total BS!


So it's not something you know (for a pass), but something you have (possess)? Login security is generally based on something you know (password) or have (key) or something intrinsic to you (iris pattern, fingerprint, etc., which in a way is something you have, that you can't misplace). I'm not sure that possessing a key (the image file) would be any great improvement. Actually, any largish file might do the job. Certainly, someone else could get a copy of the image file, and then possess the same key as you. Plus, it would be a nuisance to have to go through a file upload every time you wanted to use the system, and you'd have to carry around the file with you (such as on a thumb drive). Granted, someone watching over your shoulder as you log in would have a harder time getting in, but as soon as they could "borrow" your thumb drive for a few minutes, all bets are off.


I've been thinking about the need for a Password. Can we remove it entirely?

 

So...all a person needs is access to the registered email address.

They hit a "login" page, insert email.

 

Press "continue". At this point two things happen:

 

1. Email goes out with a "key", good for (say) 20 minutes.

2. Redirected to "insert your key" page.

 

If on this page, the correct key is inserted, they are logged in.

 

See any downside?


This is a signature that appears on all my posts.
IF YOU MAKE A POST REQUESTING HELP...please state the exact version of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here

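The two-step email-key login sketched in the post above, written out server-side as an added example (not code from this thread or from osCommerce). The class name, the in-memory store and the use of plain epoch seconds for time are assumptions; it keeps only a hash of each key, enforces the proposed 20-minute lifetime, single use and a guess limit, and treats a key that arrives after delayed mail as dead.

```python
import hashlib
import hmac
import secrets

KEY_TTL_SECONDS = 20 * 60   # the 20-minute lifetime proposed in the thread
MAX_ATTEMPTS = 5            # wrong keys allowed before the record is discarded


class EmailLoginFlow:
    """Server side of the two-step email-key login (hypothetical design)."""

    def __init__(self):
        # email -> [sha256(key), expiry (epoch seconds), wrong attempts]
        # Only a hash is kept, so a leaked table yields no usable keys.
        self._pending = {}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def start(self, email, now):
        """Step 1: mint a one-time key; the caller emails it to the address.
        Restarting replaces any earlier key for the same address."""
        key = secrets.token_urlsafe(24)  # ~192 bits of randomness, not guessable
        self._pending[email.lower()] = [self._digest(key), now + KEY_TTL_SECONDS, 0]
        return key  # belongs in the email only, never in the HTTP response

    def finish(self, email, submitted, now):
        """Step 2: check the key typed on the 'insert your key' page."""
        addr = email.lower()
        record = self._pending.get(addr)
        if record is None:
            return False
        stored_digest, expires, attempts = record
        if now > expires:
            # Delayed mail (a downside raised in the thread) means the key
            # arrives dead: drop it and make the user request a fresh one.
            del self._pending[addr]
            return False
        if not hmac.compare_digest(stored_digest, self._digest(submitted)):
            record[2] = attempts + 1
            if record[2] >= MAX_ATTEMPTS:
                del self._pending[addr]   # stop online guessing of the key
            return False
        del self._pending[addr]           # single use: a replayed key fails
        return True
```

Note that this only moves the trust to the mailbox, as later replies point out: anyone who can read the email within the window can log in.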

The downside is mainly the bother. If I visited a site I normally buy from and they said to check my emails so I could continue to login, I would not visit the site again. There is also the possibility that the email is delayed. At busy times on a server emails can be delayed by up to four hours.


I regularly have some email take 3 or 4 days to show up in my inbox! So effectively, you've signed on by reading an email?

 

Anyway, you're just transferring the problem from signing in to your Store account to signing in to your email account. Nothing gained except perhaps one less password to remember. Is that any different than signing on using social media accounts? Is that more or less secure? If the same physical key unlocks my home, unlocks my office, and starts my car, what happens when someone steals that key?

 

I think the intent of biometrics (iris pattern, fingerprint, etc.) is to escape having to lug around physical "keys" or having to remember lots of passwords. It remains to be seen how successful that is. Lots of people are nervous at the thought of having this personal information stored who knows where under who knows what security, and accessible by Big Business and/or the Government. Maybe they would be more willing to carry around a piece of jewelry (e.g., a signet ring) with an RFID chip embedded in it? Still, you could be unwittingly tracked throughout the day...


Very true. It would be annoying for an ecomm shop.

 

Some years back, I think 2008 / 2009, there were plans to implement Yubico into osC - I'm pretty sure that the whole system was coded up and tested by HPDL. It could probably be found, and I -think- I have a Yubikey somewhere...

 

Then again, such a system is probably overkill for most ecomm shops - 2 factor authentication for a shop selling pots of jam anyone?



@burt

I've been thinking about the need for a Password. Can we remove it entirely?

 

So...all a person needs is access to the registered email address.

They hit a "login" page, insert email.

 

Press "continue". At this point two things happen:

 

1. Email goes out with a "key", good for (say) 20 minutes.

2. Redirected to "insert your key" page.

 

If on this page, the correct key is inserted, they are logged in.

 

See any downside?

 

I typically use my work email address when shopping, and my work email is downloaded through POP3 to a workstation in my home office. I don't have access to it if I am on another computer, either at my office, or off-site.

 

So, your idea won't work for me if I'm on any other computer/phone/tablet/etc. Yes, a self-imposed limitation, but a limitation nonetheless.

 

Malcolm


Get the latest Responsive osCommerce CE (community edition) here.


I'm starting to think that you only need a unique key combo to access previous records/transactions, but to place an order, it does not require a login.

Use the same email address, get prompted to confirm the details on record (from last order) and proceed to handover to the payment processors,

a bit like better checkout works.


KEEP CALM AND CARRY ON

I do not use the responsive bootstrap version since I coded my responsive version earlier, but I have bought every 28d of code package to support burt's effort and keep this forum alive (albeit more like on life support).

So if you are still here? What are you waiting for?!

 

Find the most frequent unique errors to fix:

grep "PHP" php_error_log.txt | sed "s/^.* PHP/PHP/g" | grep "line" | sort | uniq -c | sort -rn > counterrors.txt


My bank makes me do that. I have the options to email/text/etc. I hate it, but they are banks and it has my money....dammit...

 

 

I've been thinking about the need for a Password. Can we remove it entirely?

 

So...all a person needs is access to the registered email address.

They hit a "login" page, insert email.

 

Press "continue". At this point two things happen:

 

1. Email goes out with a "key", good for (say) 20 minutes.

2. Redirected to "insert your key" page.

 

If on this page, the correct key is inserted, they are logged in.

 

See any downside?


My bank makes me do a similar thing as the original post @GLWalker - I had to choose an image (of a selection of about 20) and come up with a "pass phrase". I then login using a number (that has zero relation to my bank account number, sent to me by SnailMail) and a password (of my choosing).

 

At that point I get to see the image I chose + pass phrase. If I recognise them, all is well and I can continue. If I don't recognise them I have to call some number, and I don't know what happens then as I've never had to do that.

