[TYPO3-english] Multiaccounting Protection - Extension - EN

Stephan Schuler Stephan.Schuler at netlogix.de
Mon Aug 19 11:51:27 CEST 2013



Hey there.


If you implement a kind of 2-factor authentication, I would be really interested in details about that.

My first idea about that would be different steps. One can have 2-factor authentication, but that's not a hard requirement.

In the first step, I would go for simply killing concurrent FE sessions as soon as a single user logs in.
This could be done by just `DELETE FROM fe_sessions WHERE ses_name = 'fe_typo_user' AND ses_userid = {$GLOBALS['TSFE']->fe_user->user['uid']} AND ses_id != '{$_COOKIE['fe_typo_user']}'`.
You clearly need to access the $_COOKIE in a more API way, and maybe the query is slightly wrong.
But that being called "onLogonSuccess" should immediately log out the others that use the very same account credentials.

Ok, this way the user can still share cookie data for being logged in. But how likely is that? This depends on the sheer value of what you want to protect. If there's only one in 1000 accounts that does share cookies across multiple machines, you might just ignore that. Depending on the product you want to protect, each and every protection might become obsolete as soon as your customers just download it and then redistribute it through mail.

So, you might want to investigate how likely it is for your users to change the incoming IP address. Just a little snippet that logs IP addresses per logon session. And after that investigation, you can weigh up whether it's worth the effort to do some further blocking.

And here additional stuff kicks in. Now you might want to add 2-factor authentication. But this most likely costs you something.
You can add SMS codes and a contact mobile phone number. This will cost you a few cents per logon and requires you to have an SMS gateway in place. But afaik there are gateways that are available through a pure PHP library or even through SMTP, so no additional software requirement on your server. But it might cost you new customers, too, because if a valid mobile phone field is required during account registration, someone might simply refuse to sign up due to privacy concerns.
Or you can add Google Authenticator, which is essentially an OTP generator everyone can use his mobile phone for, as long as there is a Google Authenticator app -- which is iPhone and Android, basically. But then you block out users that don't have an iPhone or Android or just don't want to install the app. So it's quite inconvenient, too. And using the Google Authenticator requires you to have the Google stuff installed on your server, which might be impossible for shared hosting environments.


Doing such a thing like a 2-factor authentication, I would clearly make it usable without the "prohibit concurrent usage" feature, though.


Kind regards,




Stephan Schuler
Web Developer

Phone: +49 (911) 539909 - 0
E-Mail: Stephan.Schuler at netlogix.de
Website: media.netlogix.de



--
netlogix GmbH & Co. KG
IT-Services | IT-Training | Media
Neuwieder Straße 10 | 90411 Nürnberg
Phone: +49 (911) 539909 - 0 | Fax: +49 (911) 539909 - 99
E-Mail: info at netlogix.de | Internet: http://www.netlogix.de

netlogix GmbH & Co. KG is registered at the Amtsgericht Nürnberg (HRA 13338)
General partner: netlogix Verwaltungs GmbH (HRB 20634)
VAT identification number: DE 233472254
Managing directors: Stefan Buchta, Matthias Schmidt



-----Original Message-----
From: typo3-english-bounces at lists.typo3.org [mailto:typo3-english-bounces at lists.typo3.org] On behalf of Patrick Schriner
Sent: Monday, 19 August 2013 10:50
To: typo3-english at lists.typo3.org
Subject: Re: [TYPO3-english] Multiaccounting Protection - Extension - EN

+1

Mobile authenticators pretty much killed MMO account sharing.

Other means: Social media integration.

Patrick

On Sun, 18 Aug 2013 22:08:41 +0200, Olivier Dobberkau <olivier.dobberkau at dkd.de> wrote:

> On 18.08.13 20:51, Thomas P. wrote:
>
>> Well.. I have got some ideas.
>
> well you could still try to do a 2 factor auth with a pin sent to one
> mobile at each login.
>
> olivier
>
_______________________________________________
TYPO3-english mailing list
TYPO3-english at lists.typo3.org
http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english

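The two building blocks Stephan sketches above (ending every other FE session of a user at logon, and logging the client IP per session to see how often IPs actually change) could be put into one TYPO3 hook. The following is an added example, not code from the mailing-list post or from any TYPO3 extension; it is written against the TYPO3 4.x/6.x-era `postUserLookUp` hook of `t3lib_userAuth`, and the extension key `myext`, the class name and the log table `tx_myext_sessionlog` are hypothetical placeholders.

```php
<?php
// Added example (not from the post): a TYPO3 4.x/6.x-style "postUserLookUp"
// hook that (1) deletes every other frontend session of the user who just
// logged in with credentials and (2) records the client IP per session so the
// "how often do IPs change" question can be answered before adding more
// blocking. Extension key "myext", this class name and the table
// "tx_myext_sessionlog" are hypothetical.
//
// Registration in ext_localconf.php (assumed hook path of that TYPO3 era):
// $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postUserLookUp'][] =
//     'EXT:myext/Classes/Hook/ConcurrentSessionGuard.php:Tx_Myext_Hook_ConcurrentSessionGuard->postUserLookUp';

class Tx_Myext_Hook_ConcurrentSessionGuard {

	/**
	 * Called by t3lib_userAuth after the user record has been looked up.
	 *
	 * @param array          $params  Contains 'pObj', the authenticating user object
	 * @param t3lib_userAuth $pObj    The same object, passed as second argument
	 * @return void
	 */
	public function postUserLookUp(array $params, t3lib_userAuth $pObj) {
		// Act only on frontend logins that were just established from credentials.
		// A session merely resumed from its cookie must not evict anything, or a
		// legitimate user would log himself out on every page hit.
		if ($pObj->loginType !== 'FE' || !$pObj->loginSessionStarted || !is_array($pObj->user)) {
			return;
		}
		$this->killOtherSessions($pObj);
		$this->logSessionIp($pObj);
	}

	/**
	 * Same user, same cookie name, any session id other than the one this
	 * request owns. The current session id is taken from the API ($pObj->id)
	 * instead of reading $_COOKIE directly, and all values are quoted/cast.
	 */
	protected function killOtherSessions(t3lib_userAuth $pObj) {
		$db = $GLOBALS['TYPO3_DB'];
		$table = $pObj->session_table;   // 'fe_sessions' for frontend users
		$where = 'ses_name = ' . $db->fullQuoteStr($pObj->name, $table)   // 'fe_typo_user'
			. ' AND ses_userid = ' . (int) $pObj->user['uid']
			. ' AND ses_id != ' . $db->fullQuoteStr($pObj->id, $table);
		$db->exec_DELETEquery($table, $where);
	}

	/**
	 * One row per logon, keyed by a hash of the session id so the log itself
	 * cannot be used to take over a session. Aggregate it later with something
	 * like: SELECT fe_user, COUNT(DISTINCT ip) FROM tx_myext_sessionlog
	 *       GROUP BY fe_user HAVING COUNT(DISTINCT ip) > 1
	 * to see how many accounts actually arrive from several addresses.
	 */
	protected function logSessionIp(t3lib_userAuth $pObj) {
		$GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_myext_sessionlog', array(
			'tstamp'      => $GLOBALS['EXEC_TIME'],
			'fe_user'     => (int) $pObj->user['uid'],
			'ses_id_hash' => sha1($pObj->id),
			'ip'          => t3lib_div::getIndpEnv('REMOTE_ADDR'),
		));
	}
}
```

As the post itself points out, evicting other sessions only bites when the second person logs in with the password; a copied `fe_typo_user` cookie still works until it expires, which is exactly why the IP log is worth collecting before deciding on stricter measures such as IP locking or a second factor.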

