2020-08-24
@Gandalf
But are there other identifiers apart from IP?
We lost our conversation because he sounded something like it can be achieved via PHP, but maybe not system files or code or user agent, but something similar.
I’m not sure there is, and IP is not unique anyway. That’s why you tend to ask people to log in.
But then you don’t say what you’re trying to achieve…
What is the real problem you are trying to solve?
I am just trying to achieve a strong login system, at least secure enough for a financial site.
Use of sessions and session hijacking gives me worries.
I also want to secure admin login based on certain elements.
Hackers steal passwords and login details; they hijack session IDs.
Apart from Google Authenticator or SMS OTP that secures login.
I am looking for something built inside a computer that requires you to log in through that computer to access admin rights.
Why do these options not work for you?
Are they flawless? Like 100% secure?
I used them on WordPress back then but got penetrated, couldn’t tell how.
No method of security is ever 100%, that is why it is crucial to encourage users to keep strong passwords and change them often. While these methods are not foolproof, they are very good.
The various financial sites I use (as a customer) are dropping cookies on my machine, remembering what browser I use, etc., and flagging any changes from login to login by making me verify I’m me through sending me a code in email/SMS/phone call.
The general theorem goes that there are Three Factors of Authentication:
Something you Know;
Something you Have; and
Something you Are.
The idea behind Two-Factor (or Multi-Factor) authentication is that it’s more secure to require multiple factors in order to access secure information.
When in doubt, to the youtubes…
Tom Scott discusses Multifactor Authentication
You would have to, effectively, write an authenticator app that runs on the user’s computer. A browser is not that app.
It’s worth pointing out that an IP address isn’t a unique identifier either.
Exactly. Think VPN.
Exactly what I had in mind, even if it is just for the admin account.
Then I implement SMS and Google Auth for users, with the use of a cookie to track logins from different computers and query them for more identification when it does happen.
Thanks everyone, your contributions went a long way in addressing my needs.
But can someone not have the same IP address when accessing a site?
Like the same IP visiting my site from different computers?
Yes, I will have a dedicated VPN for admin accounts.
Nah, I meant that people using the same VPN will potentially have the same IP address and that IP addresses are therefore not a perfect unique identifier.
But mostly the problem is not in the process of authenticating login details; it is most times after the user has passed the login validation process, including Google Auth and SMS.
What we have discussed so far is the validation process to log in a user.
But that’s not where the big problem is.
An attacker waits to just steal his session after the user has gone past the validation process.
This is how it’s been done.
A hacker installs a RAT on your system.
Then waits till you log in; he will know that you are logged in if you visit certain dashboard pages.
Then hijacks your session and accesses your account with your already active session.
So hanging everything on session and session destroy is something I am finding uncomfortable.
That’s why I need something else to merge with the session.
Not necessarily for validation purposes but for the life span of already validated sessions or accounts.
It is then of no use, because my security workflow can only allow one IP for a session and for an active user account.
If someone logs in with that IP, no other account can log in with the same IP until the first one logs out.
That’s why I am more concerned about how this IP came about and how internet service providers really assign their IPs to users.
If we are on a shared Wi-Fi or using the same VPN, does that mean we are on the same IP?
That’s where the weakness lies: not in the web apps but in allowing someone to install a RAT on your computer.
The era of keyloggers is gone because SMS and Google Auth took care of them perfectly.
Let’s put heads together and combat session issues or find an alternative.
Out of the million users of your site only 1% know what a RAT is; only a few can prevent it.
Even small Java code can run certain stuff in a user’s browser.
Antivirus only fights known RATs; before they discover a new RAT a lot of harm has been done.
If some friends in a room are using the same IP then one will tell the other, wait, I want to log in to this site; when I’m done you can log in. That’s understandable enough.
But for someone in New York on street A and another person on street B to have the same IP because they bought data subscriptions from the same data vendor is a huge mess.
At least something should differ.
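One way to build the "something else to merge with the session" asked for above, as an added example that is not from anyone in this thread: the server keeps its own session record, issues a fresh ID at login, expires it on idle and absolute limits, and treats a mismatch in the client attributes recorded at login as a trigger for step-up verification (SMS or authenticator) instead of refusing a second account from the same IP, which the thread notes is shared behind VPNs and NAT. The fingerprint inputs, the limits and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

IDLE_LIMIT = 15 * 60        # seconds of inactivity before the session dies (assumed)
ABSOLUTE_LIMIT = 8 * 3600   # hard cap on session age regardless of activity (assumed)
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, constructed here

def fingerprint(ip: str, user_agent: str) -> str:
    """Keyed hash of client attributes recorded at login.
    IP alone is not unique (NAT, shared VPN), so it is only one input."""
    data = f"{ip}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

class SessionStore:
    """Server-side session records; the browser only ever holds the opaque id."""
    def __init__(self):
        self.sessions = {}

    def create(self, user, ip, user_agent, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # fresh id at login, no pre-login id is reused
        self.sessions[sid] = {"user": user, "fp": fingerprint(ip, user_agent),
                              "created": now, "last": now, "stepup": False}
        return sid   # one record per session, so several users may share an IP

    def check(self, sid, ip, user_agent, now=None):
        """Run on every request. Returns 'ok', 'expired', 'stepup' or 'invalid'."""
        now = time.time() if now is None else now
        rec = self.sessions.get(sid)
        if rec is None:
            return "invalid"
        if now - rec["last"] > IDLE_LIMIT or now - rec["created"] > ABSOLUTE_LIMIT:
            del self.sessions[sid]          # destroy server side, not just the cookie
            return "expired"
        if not hmac.compare_digest(rec["fp"], fingerprint(ip, user_agent)):
            rec["stepup"] = True            # a different client presented this id
            return "stepup"
        if rec["stepup"]:
            return "stepup"                 # stays locked until step-up completes
        rec["last"] = now
        return "ok"

    def complete_stepup(self, sid, ip, user_agent):
        """Called only after the user passes SMS/authenticator verification."""
        rec = self.sessions[sid]
        rec["fp"] = fingerprint(ip, user_agent)   # rebind to the verified client
        rec["stepup"] = False
```

Note that the RAT scenario in the thread reuses the victim's own browser and IP, so no client-attribute binding can distinguish it; the remaining server-side levers are the short lifetimes above and repeating the second factor before sensitive actions.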