The various financial sites I use (as a customer) are dropping cookies on my machine, remembering what browser I use, etc., and flagging any changes from login to login by making me verify I’m me through sending me a code in email/SMS/phone call.
The general theorem goes that there are Three Factors of Authentication:
Something you Know;
Something you Have; and
Something you Are.
The idea behind Two-Factor (or Multi-Factor) authentication is that it’s more secure to require multiple factors in order to access secure information.
When in doubt, to the youtubes…
Tom Scott discusses Multifactor Authentication
You would have to, effectively, write an authenticator app that runs on the user’s computer. A browser is not that app.
It’s worth pointing out that an IP address isn’t a unique identifier either.
Exactly. Think VPN.
Exactly what I had in mind, even if it is just for the admin account.
Then I implement SMS and Google auth for users, with the use of a cookie to track login from a different computer and query them for more identification when it does happen.
Thanks everyone your contributions went a long way in addressing my needs.
But can someone not have the same IP address when accessing a site?
Like the same IP visiting my site from different computers?
Yes, I will have a dedicated VPN for admin accounts.
Nah, I meant that people using the same VPN will potentially have the same IP address and that IP addresses are therefore not a perfect unique identifier.
But mostly the problem is not in the process of authenticating login details; it is most times after the user has passed the login validation process, including Google auth and SMS.
So far what we have discussed is the validation process to log in a user.
But that’s not where the big problem is.
An attacker waits to just steal his session after the user has gone past the validation process.
This is how it’s been done.
A hacker installs a RAT on your system.
Then waits till you log in; he will know that you are logged in if you visit certain dashboard pages.
Then hijacks your session and accesses your account with your already active session.
So hanging everything on session and session destroy is something I am finding uncomfortable with.
That’s why I need something else to merge with session.
Not necessarily for validation purposes but for the life span of an already validated session or account.
It is then of no use, because my security workflow can only allow one IP for a session and for an active user account.
If someone logs in with that IP, no other account can log in with the same IP until the first one logs out.
That’s why I am more concerned about how this IP came about and how internet service providers really assign their IPs to users.
If we are on a shared wifi or using the same VPN, does that mean we are on the same IP?
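A defensive sketch of the cookie-based approach the thread describes (remember the device, require step-up verification when it changes, cap session lifetime, and do not bind to the IP): this is an added example written for this discussion, not code from any poster, and the class and method names are my own.

```python
import hashlib
import hmac
import secrets
import time

SESSION_IDLE = 15 * 60        # idle timeout in seconds (assumed policy)
SESSION_ABSOLUTE = 8 * 3600   # absolute lifetime in seconds (assumed policy)


class SessionStore:
    """In-memory session store that binds a session to a device cookie,
    not to the client IP (NAT, VPNs and DHCP make the IP unreliable)."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock for testing
        self.sessions = {}             # session id -> session record
        self.known_devices = {}        # user -> set of device-token hashes

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, user_agent, device_token=None):
        # Always issue a fresh session id on login (defeats session fixation).
        sid = secrets.token_urlsafe(32)
        known = self.known_devices.get(user, set())
        new_device = device_token is None or self._h(device_token) not in known
        if new_device:
            device_token = secrets.token_urlsafe(32)   # long-lived device cookie
        t = self.now()
        self.sessions[sid] = dict(user=user, ua=user_agent, dev=self._h(device_token),
                                  created=t, last=t, verified=not new_device)
        # Caller sends an email/SMS code when new_device is True.
        return sid, device_token, new_device

    def confirm_step_up(self, sid, device_token):
        s = self.sessions[sid]
        if hmac.compare_digest(s["dev"], self._h(device_token)):
            s["verified"] = True
            self.known_devices.setdefault(s["user"], set()).add(s["dev"])

    def check(self, sid, user_agent, device_token):
        s = self.sessions.get(sid)
        if s is None:
            return "no_session"
        t = self.now()
        if t - s["created"] > SESSION_ABSOLUTE or t - s["last"] > SESSION_IDLE:
            self.sessions.pop(sid)
            return "expired"
        if s["ua"] != user_agent or not hmac.compare_digest(s["dev"], self._h(device_token or "")):
            self.sessions.pop(sid)      # presented from another device: kill it
            return "revoked"
        if not s["verified"]:
            return "step_up_required"
        s["last"] = t
        return "ok"
```

A RAT on the user’s own machine still holds both cookies, so this narrows the window a stolen session is useful (idle and absolute timeouts, revocation on device change) rather than closing it.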
That’s where the weakness lies, not in the web apps but in allowing someone to install a rat on your computer.
The era of keyloggers is gone because SMS and Google auth took care of them perfectly.
Let’s put our heads together and combat session issues or find an alternative.
Out of the million users of your site only 1% know what a RAT is; only a few can prevent it.
Even small Java code can run certain stuff on a user’s browser.
Antivirus only fights known RATs; before they discover a new RAT, a lot of harm has been done.
If some friends in a room are using the same IP, then one will tell the other, “Wait, I want to log in to this site; when I’m done you can log in.” That’s understandable enough.
But for someone in New York on street A and another person on street B to have the same IP because they bought data subscriptions from the same data vendor is a huge mess.
At least something should differ.
Think about a big corporate office, 300+ users connected to the internet via a single gateway. That gateway may well present the same external IP to the internet, even though the users computers obviously all have unique IPs. They can’t all talk to each other to check when they can use your site. Another scenario is that same corporate office, but they have a terminal server, and everyone in the place uses a thin client for their desktop. Again, all the same IP when they browse, because it presents the server address, not the client.
I used to use IP addresses to try to track unique users (for site traffic, not anything important like financial data) until I very quickly learned that it’s a waste of time.
It is wrong to use an office connection to access banking sites or the like.
And so sad we can’t get these internal unique IPs apart from the external ones?
But on the other hand, it would require the server to be able to access details about the client, which is a major security issue that would probably be disabled by most IT departments if it were possible. And it would be different in each scenario - you can get the Windows Terminal Server client IPs, if you’re running on the terminal server, but that wouldn’t get you a VPN client IP. And it would probably be a non-routable LAN address anyway, so no use. When we installed client sites, they were all on 192.168.87.0 networks, so that wouldn’t be any use for you.
Not if it’s your office. Or your finance department accessing the site. Plenty of companies have an internet policy that allows such things for their employees as long as it’s done in break time and doesn’t affect their work.
You want a system that is 100% hackerproof, then isolate it from the world. No one touches it, no connections in or out, nothing.
What’s that? It can’t do its job without connections? Without people touching it? Ah well, there goes your 100%…
You’d like the internet to have access to your private network’s routing information? Not to mention that these internal IPs aren’t unique either. Most home intranet pools use a DHCP setup, and what’s Jimmy’s intranet IP today may be Cindy’s intranet IP tomorrow.
You seem to be of the belief that your administrator will always have the same IP; they won’t. If they move house, if their ISP renews the lease on their IP address, if there’s a power outage… suddenly your administrator has a different IP.
The same thing goes for a MAC address of the network card they are using. If the administrator gets a new Network Card in their computer…or a new computer… poof; it changes.
Well, I will stick with the norm at least for now, pending when gurus invent something like what I am looking for.
Thanks everyone for your immense contributions, I love you all
Just wanted to point out that any incoming data can be spoofed without much effort. This includes IP addresses.
Security in itself can only be handled so far. If you don’t encourage your users to do the same, there are always going to be flaws. There are always two sides to this: security vs user friendly. You can’t have it both ways. Either it’s 100% extremely secure (what @m_hutley is hinting at) and has 0% of user friendly features, or it’s 0% security and 100% user friendly features. There is no in-between. Even if you end up finding such a solution, you’re going to have to throw user friendly out of the solution. If it’s in the solution then it’s not 100% secure as you think. You have to sacrifice security for convenience.