I am just trying to achieve a strong login system, at least secure enough for a financial site.
The use of sessions and session hijacking gives me worries.
I also want to secure admin login based on certain elements.
Hackers steal passwords and login details; they hijack session IDs.
Apart from Google Authenticator or SMS OTP that secure the login.
I am looking for something built inside a computer that requires that you must log in through that computer to access admin rights.
The various financial sites I use (as a customer) are dropping cookies on my machine, remembering what browser I use, etc., and flagging any changes from login to login by making me verify I'm me through sending me a code in email/SMS/phone call.
The general theorem goes that there are Three Factors of Authentication:
Something you Know;
Something you Have; and
Something you Are.
The idea behind Two-Factor (or Multi-Factor) authentication is that it’s more secure to require multiple factors in order to access secure information.
When in doubt, to the youtubes… Tom Scott discusses Multifactor Authentication
You would have to, effectively, write an authenticator app that runs on the user’s computer. A browser is not that app.
It's worth pointing out that an IP address isn't a unique identifier either.
Exactly what I had in mind, even if it is just for the admin account.
Then I implement SMS and Google Auth for users, with the use of cookies to track logins from different computers and query them for more identification when it does happen.
Thanks everyone, your contributions went a long way in addressing my needs.
But mostly the problem is not in the process of authenticating login details; it is most times after the user has passed the login validation process, including Google Auth and SMS.
So far what we have discussed is the validation process to log in a user.
But that's not where the big problem is.
An attacker waits to just steal his session after the user has gone past the validation process.
This is how it is done.
A hacker installs a RAT on your system.
Then waits till you log in; he will know that you are logged in if you visit certain dashboard pages.
Then hijacks your session and accesses your account with your already active session.
So hanging everything on the session and session destroy is something I am finding uncomfortable.
That's why I need something else to merge with the session.
Not necessarily for validation purposes but for the life span of an already validated session or account.
It is then of no use, because my security workflow can only allow one IP for a session and for an active user account.
If someone logs in with that IP, no other account can log in with the same IP until the first one logs out.
That's why I am more concerned about how this IP came about and how internet service providers really assign their IPs to users.
If we are on a shared Wi-Fi or using the same VPN, does that mean we are on the same IP?
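As an added example (not code from anyone in this thread), here is the server side of the workflow discussed above: each session is bound to the client address and browser seen at login, an account gets one live session at a time, and admin actions need a fresh password/OTP check even inside a valid session. It assumes an in-memory store and caller-supplied timestamps; the names are hypothetical.

```python
import secrets

# Added example, not from the thread: an in-memory store that binds each session to
# the client seen at login, keeps one session per account, and step-ups admin actions.
IDLE_TIMEOUT = 900     # seconds without a request before the session is dropped
STEP_UP_WINDOW = 120   # seconds after login/re-auth during which admin actions run


class SessionStore:
    def __init__(self):
        self.sessions = {}   # session id -> {user, ip, ua, seen, auth}
        self.by_user = {}    # account -> its single active session id

    def login(self, user, ip, user_agent, now):
        # A new login evicts the account's old session, so a copied cookie dies
        # the moment the real owner logs in again.
        self.sessions.pop(self.by_user.pop(user, None), None)
        sid = secrets.token_urlsafe(32)   # unguessable; never derived from user data
        self.sessions[sid] = {"user": user, "ip": ip, "ua": user_agent, "seen": now, "auth": now}
        self.by_user[user] = sid
        return sid

    def logout(self, sid):
        s = self.sessions.pop(sid, None)
        if s:
            self.by_user.pop(s["user"], None)

    def validate(self, sid, ip, user_agent, now):
        """Return (user, 'ok') or (None, reason) for a request carrying cookie sid."""
        s = self.sessions.get(sid)
        if s is None:
            return None, "unknown session"
        if now - s["seen"] > IDLE_TIMEOUT:
            self.logout(sid)
            return None, "idle timeout"
        if (s["ip"], s["ua"]) != (ip, user_agent):
            # Cookie arrived from a different client than the one that logged in:
            # suspected hijack, so end the session and alert the account owner.
            self.logout(sid)
            return None, "client mismatch"
        s["seen"] = now
        return s["user"], "ok"

    def admin_action(self, sid, ip, user_agent, now):
        """Sensitive actions also need a password/OTP re-check within STEP_UP_WINDOW."""
        user, reason = self.validate(sid, ip, user_agent, now)
        if user is None:
            return False, reason
        if now - self.sessions[sid]["auth"] > STEP_UP_WINDOW:
            return False, "re-authentication required"
        return True, "ok"
```

The address comparison is the part that affects users behind a shared Wi-Fi NAT or the same VPN exit, since they do present one public IP to the server; the step-up check is what still protects admin actions when a cookie is copied from an already logged-in browser on the same machine.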