Tyler Loewen

  • Content Count

  • Joined

  • Last visited

  1. Being able to reset an account's 2FA via email allows for an exploit if a hacker is able to compromise the user's email address. If the user's email address is compromised, the hacker will be able to reset both the account's password and 2FA, and thus gain access to the account. An available solution is to require contacting the administrator to reset the user's 2FA, but this requires an admin's time, plus a hacker could still social-engineer the admin. Having 2FA backup codes would make the 2FA system less exploitable while not requiring an admin's time to reset the 2FA. I think this solution would be beneficial to Invision Power's commercial users and high-traffic web sites.
  2. 1. No, not with your plugin, but unless the one reset handling module is extended, the user gets automatically logged in upon clicking the password reset confirmation link (positive of this). I don't know the exact mechanism of your plugin, but I figured I'd ask just in case. Maybe your plugin does have protection against this. I haven't purchased it so I wouldn't know. Code run upon clicking a valid password reset link:

        /* Reset the failed logins storage - we don't need to save because the login handler will do that for us later */
        $member->failed_logins = array();

        /* Now reset the member's password */
        foreach ( \IPS\Login::handlers( TRUE ) as $handler )
        {
            /* We cannot update our password in some login handlers, that's ok */
            try
            {
                $handler->changePassword( $member, $values['password'] );
            }
            catch( \BadMethodCallException $e ){}
        }

        /* Delete validating record and log in */
        \IPS\Db::i()->delete( 'core_validating', array( 'member_id=? AND lost_pass=1', $member->member_id ) );

        /* Log in and redirect */
        \IPS\Session::i()->setMember( $member );
        \IPS\Output::i()->redirect( \IPS\Http\Url::internal( '' ) );

     5. Yes, a successful brute-force via the login form may be extremely unlikely, but still as possible as, say, winning a large jackpot multiple times in a row. A dictionary attack could also be used. I can't remember if the flood check has a counter per IP address, or a global counter for failed logins. If the former, then a large botnet can be used to expedite this process. Nevertheless, if a hacker is able to test a password for an account to confirm that the password is correct, then as mentioned the hacker will be able to confirm the target's password. This can be dangerous because the target could then be susceptible to getting accounts at other sites compromised. Additionally, the attack surface area of IPBoard could be increased. Not too big of a concern as the possibility of this actually being exploited is slim to none, but I like to leave nothing open.

     It'd also be neat to have the UCP allow the user to have settings which require (or don't require) the OTP for changes to the user's password or email.
  3. Are you re-formatting or replacing all characters which don't make up a valid URL? Using urlencode or a similar function might solve these problems.

     Questions:
     When resetting a password via email, visiting the reset link will automatically log in the user without the need for the user to enter any login credentials, potentially bypassing the 2FA prompt. Does this have protection against that? This is the issue gotoel was describing.
     Will you add the ability to create 16+ character backup codes in case the user loses access to their authentication device?
     Is it possible to generate a new secret key, granted the user enters a valid OTP?
     Are the secret key and QR code hidden after activating the 2FA?
     Is the prompt for the OTP asked for after successfully logging in with the correct username and password for the user? This is a security flaw as it allows hackers to guess or brute-force a user's password, even if the hacker won't be able to gain full control of the account because of the lack of a valid OTP.
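The two designs raised across these posts (single-use 16+ character backup codes, and a password-reset link that does not bypass the second factor) can be sketched together. This is an added illustration in Python, not code from Invision Community or from the plugin under discussion; the Member class, the session-state strings and the hashing choice are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Unambiguous alphabet (no 0/O, 1/I); 16 chars from 32 symbols = 80 bits of entropy.
BACKUP_CODE_CHARS = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
BACKUP_CODE_LEN = 16      # the thread asks for 16+ character codes
BACKUP_CODE_COUNT = 10

def _hash_code(code: str) -> str:
    # Only a hash is stored; with 80-bit random codes an unsalted SHA-256 suffices.
    return hashlib.sha256(code.encode()).hexdigest()

def generate_backup_codes(count: int = BACKUP_CODE_COUNT) -> tuple[list[str], list[str]]:
    """Return (plaintext codes shown to the user once, hashes kept server-side)."""
    codes = ["".join(secrets.choice(BACKUP_CODE_CHARS) for _ in range(BACKUP_CODE_LEN))
             for _ in range(count)]
    return codes, [_hash_code(c) for c in codes]

@dataclass
class Member:                      # hypothetical stand-in for a forum member record
    name: str
    mfa_enabled: bool
    backup_code_hashes: list[str] = field(default_factory=list)

def redeem_backup_code(member: Member, candidate: str) -> bool:
    """Accept a code once: the matching hash is removed so it cannot be replayed."""
    digest = _hash_code(candidate.strip().upper())
    for stored in member.backup_code_hashes:
        if hmac.compare_digest(stored, digest):      # constant-time comparison
            member.backup_code_hashes.remove(stored)
            return True
    return False

def session_state_after_reset(member: Member) -> str:
    """A valid reset link proves email control only; 2FA users still owe a factor."""
    return "PENDING_2FA" if member.mfa_enabled else "AUTHENTICATED"

def complete_2fa(member: Member, state: str, *, totp_ok: bool = False,
                 backup_code: str | None = None) -> str:
    """Promote PENDING_2FA to AUTHENTICATED only on a valid TOTP or backup code."""
    if state != "PENDING_2FA":
        return state
    if totp_ok or (backup_code is not None and redeem_backup_code(member, backup_code)):
        return "AUTHENTICATED"
    return "PENDING_2FA"
```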