Why separate the one time password of 2FA as another step? - authentication

Many websites now support 2FA and many of them ask users to use an app for the OTP. From the tool I use, like 1Password, it seems the OTP is updating all the time regardless of whether I have logged in to the website or not. My question is, since the OTP is always there, why is it split into a standalone step to enter the code instead of asking users to enter it along with the username and password?

Related

Logging in to website accounts using HTTP requests, e-mail and password

Suppose I have an account created on a website (specifically, a PS Network account or Google account), and I only know the login email, but not the password (with no access to the Google account in the PSN case).
Is there a way for me to verify if a given password is the correct one using only HTTP requests or something similar using code? This is to save me the time of trying multiple passwords and having to wait for a server response until I find the right one.
Details:
I'm not trying to hack into someone's account.
I tried to log in to a secondary PSN account I created years ago but I didn't know the password, only the email (I also created a specific Google account/email for this purpose, so I don't remember its password either). Even though I don't remember the exact password, I know which combinations of specific words and numbers I might have used back then. But I want to run through "all" the possible combinations with code, instead of doing it manually, to save time and effort. Is there any URL to which I can make POST requests to try and log in using only email and password in the request body, and verify if login was successful? (either on PSN or Google, either one will give me my PSN account back)
Thanks in advance
I tried looking for REST APIs and URLs that allow me to do this, but it seems to me that Google specifically has gone strict on this, requiring more than just address and password. For the PSN account, I tried to sniff around using developer tools to watch which URLs are requested when I try to log in using the Sony website interface, but I can't understand which requests are doing what.
What you want to do is a popular method for hacking account access. It is called brute force, whereby the hacker continues to try passwords over and over again until they gain access. A dictionary file is often used containing combinations of specific words and numbers.
No system is going to have an endpoint that will make it easier for hackers to gain access to user accounts by force.
May I suggest using the reset password / account recovery option available through most login services these days instead of trying to brute-force your way in. Most authorization servers will lock an account after 5 bad attempts.

Signed up and hit remember me- Avoid asking user which account from list in Google OAuth and instead auto sign in to the specific remembered email

I set up an account creation page with a remember me and JWT token verification via WorkOS. There is no password creation and just this verification (I plan to add in a password later if needed, as the country uses OTP more than passwords).
A new user creates an account and selects remember me (using JavaScript).
The next time I sign in, I have my account populated like a*****#gmail.com.
A lot of websites I have seen have it so that when you click on this email, it goes to the full list of all gmails and you have to select that email again.
I’ve seen this remember me automatically sign in only if the user saves a password (like Facebook - see other profile accounts in sign in and you click and go in directly). But as mentioned above, this country doesn’t prefer passwords as much as OTP. I don’t have a password yet and am really looking to avoid adding it in unless it is absolutely necessary to do this.
My goal: I don’t want to see this full screen of all gmail accounts in Google OAuth, also referred to in the documentation as the Account picker. I just want it to automatically sign in to the specific remembered account selected, assuming I have that gmail password saved. If the user doesn’t have the gmail password saved, then they will be directed to that specific email's sign-in screen.
How do I bypass this full list of gmail accounts and manual selection and just automatically sign in to my remembered email account?
I’ve looked at older answers on here but nothing seems to fully handle this. I’m wondering if this will help me achieve this.
https://developers.google.com/identity/gsi/web/guides/automatic-sign-in-sign-out
I’ve tried just having the email remembered and then they click on it and it asks do you want to sign in via gmail or magic link? That works and is better than not providing the remember me at all, but it’s only half way.

Alternative ways to authenticate

I was wondering if anybody knows a way to authenticate a user without asking for a password. I have searched but haven't found a thing. I'm not looking for Facebook authentication or something like that.
Maybe you could help me.
Yes, do a two-factor authentication without the first factor. So when people register for your application, have them choose email, or SMS, or both, as a verification method. Verify their identity by sending an email (or SMS) with a code they have to enter.
Once you verify their ownership of the email/phone number, going forward, every time they want to log in, they enter their email (or phone number) and click "send me code"; you send them a one-time code that expires in 5 minutes or upon login; they enter the code and log in.
Next time they want to log in, ditto. This way you are not storing/hashing/encrypting passwords that can be hacked/stolen. It is their responsibility to maintain the security of their email/phone, not yours.
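As an added illustration of the passwordless flow this answer describes (example code written for this page, not code from the answer's author): a code is drawn from a CSPRNG, only its hash is stored server-side, it expires after 5 minutes, it is consumed on the first successful login, and it is thrown away after a handful of wrong guesses, because with a 6-digit code the attempt limit, not the hash, is what stops guessing. The in-memory dictionaries, the `send` callback and the sample address are constructed stand-ins for a database and a mail/SMS sender.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60   # the code expires after 5 minutes, as the answer suggests
MAX_ATTEMPTS = 5            # wrong guesses tolerated before the code is invalidated

# Constructed stand-ins for a database: pending codes and the addresses whose
# ownership was verified at sign-up.
_pending = {}                                 # email -> {"digest", "expires", "attempts"}
_verified_contacts = {"alice@example.com"}

# A single, uniform reply so the request endpoint does not reveal which addresses exist.
UNIFORM_REPLY = "If that address is registered, a code has been sent."


def _digest(email, code):
    # Only a hash of the code is kept; a leaked table then does not expose live codes.
    return hashlib.sha256(f"{email}:{code}".encode()).hexdigest()


def request_code(email, send, now=None):
    """Create a one-time code for a verified address and hand it to the delivery callback."""
    now = time.time() if now is None else now
    if email not in _verified_contacts:
        return UNIFORM_REPLY          # unknown address: same reply, nothing sent
    code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
    _pending[email] = {
        "digest": _digest(email, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    send(email, code)                 # email/SMS delivery happens outside this example
    return UNIFORM_REPLY


def verify_code(email, code, now=None):
    """Return True exactly once for the correct, unexpired code; otherwise False."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:
        return False
    if now > entry["expires"]:        # expired: discard so it can never be used
        _pending.pop(email, None)
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:   # too many guesses: discard even if this one is right
        _pending.pop(email, None)
        return False
    if not hmac.compare_digest(entry["digest"], _digest(email, code)):
        return False
    _pending.pop(email, None)         # consumed on successful login: single use
    return True


if __name__ == "__main__":
    delivered = []
    request_code("alice@example.com", lambda e, c: delivered.append(c), now=1_000_000.0)
    print("login ok:", verify_code("alice@example.com", delivered[0], now=1_000_010.0))
    print("replay ok:", verify_code("alice@example.com", delivered[0], now=1_000_011.0))
```

The `now` parameter exists only so the expiry and single-use behaviour can be exercised deterministically; a real deployment would also rate-limit `request_code` per address so an attacker cannot flood a user with codes.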

Verifying card security code for returning customer

Is there a way to re-validate a card using the card security code? I'd like to offer users to login with Facebook or to remember their login otherwise and I want to add an additional step during checkout to verify that the user is in possession of the credit card. I think some websites ask for the CSC again during checkout.
I could also ask for the user's password again, but I don't think that can work if the user logged in with Facebook.
Any suggestions around this?
Alright, so it seems as if this kind of verification is not currently possible with Balanced. There is no API method to re-validate a card. Here are the solutions I came up with, just in case someone else has a similar problem:
Using a different piece of information to verify the user (card expiration date, etc). But that doesn't seem very common and would probably scare away some users.
Indeed forcing the user to enter the password again. No problem if the user uses a site-local login. In case the user is logged in using Facebook, there seems to be a way to force a re-authentication: https://developers.facebook.com/docs/howtos/login/server-side-re-auth/

Forgot Password: what is the best method of implementing a forgot password function?

I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there, here are a few or combination of:
passphrase question / answer (1 or more)
send email with new password
on screen give new password
confirmation through email: must click link to get new password
page requiring user to enter a new password
What combination or additional steps would you add to a forgot password function? I'm wondering about how they request the new password and how they end up getting it.
I'm operating on the principle that the password cannot be retrieved; a new password must be given/generated.
Edit: I like what Cory said about not displaying if the username exists, but I'm wondering what to display instead. I'm thinking half the problem is that the user forgot which email address they used, so displaying some sort of "does not exist" message is useful. Any solutions?
I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.
Option 1 is far easier.
A few important security concerns:
A passphrase question / answer actually lowers security since it typically becomes the weakest link in the process. It's often easier to guess someone's answer than it is a password - particularly if questions aren't carefully chosen.
Assuming emails operate as the username in your system (which is generally recommended for a variety of reasons), the response to a password reset request shouldn't indicate whether a valid account was found. It should simply state that a password request email has been sent to the address provided. Why? A response indicating that an email does/doesn't exist allows a hacker to harvest a list of user accounts by submitting multiple password requests (typically via an HTTP proxy like Burp Suite) and noting whether the email is found. To protect from login harvesting you must ensure no login/auth related functions provide any indication of when a valid user's email has been entered on a login/password reset form.
For more background, check out the Web Application Hacker's Handbook. It's an excellent read on creating secure authentication models.
EDIT: Regarding the question in your edit - I'd suggest:
"A password request email has been sent to the address you provided. If an email doesn't arrive shortly, please check your spam folder. If no email arrives, then no account exists with the email you provided."
There's a trade-off being made here between ease of use and security. You have to balance this based on context - is security important enough to you and your users to justify this inconvenience?
Send email with new password.
FORCE a password change when they arrive and key in the new password.
This ensures that the person who wanted the password will be the only one getting into the account.
If the email is sniffed, someone could get in to the account (of course), but the real party will discover this immediately (as their password you just sent them doesn't work).
Also send confirmations of password changes to the users.
If someone gets the new password, and then an email saying "thanks for changing the password", they're going to be rather puzzled and will talk to an admin if they didn't do it.
Using the email verification/password reset link will give you better security.
If you look around this is how most websites do it and people are pretty used to this verification, so I'd recommend using this type of authentication.
I would think (gbrandt's) Option 2 would be a great method if it is combined with some personal information you already have for the user, i.e. date of birth.
When the user requests a new password (reset) via entering his email address, he also has to enter a correct date of birth (or something else) before the password is reset and a new one is emailed to the user.
Only those who know him well can possibly annoy him by resetting his password! It can't be a stranger or a bot.
Upon 5 or 7 bad email-address & date of birth combinations the user is emailed that his password has been requested to be reset and has failed due to an incorrect credential. Then password resetting for that account is suspended for 24hrs or any desired period.
(if too many users contact the webadmin regarding this email he'll know someone is trying to maliciously attain information from your website/app)
What do you guys think?
Option 1 is not a good idea, as generally this becomes easily guessable by others. Sarah Palin's personal email (Yahoo I think) was hacked in this way by a third party.
The other options are better and previous posts have outlined the detail.
The idea I was thinking about was to sign the data in the link that is sent to the user. Then, when the user clicks the link and the server receives the call, the server also gets the encrypted part and can validate that the data was untouched.
I have implemented a Java project for this use case. It is on GitHub, open source. It answers your question perfectly... implemented in Java.
As for the link in the email - it generates the link, plus validates it upon usage.
There are explanations for everything (and if something is missing - let me know...)
Have a look: https://github.com/OhadR/Authentication-Flows
See a Demo here.
This is the client web-app that uses the auth-flows, with the README with all explanations. It directs you to the implementation: https://github.com/OhadR/authentication-flows/tree/master/authentication-flows
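Added example, written for this page and not taken from the Authentication-Flows project: it combines the signed-link idea from this answer (the data in the link is authenticated, so the server can tell it was untouched) with the uniform "an email has been sent" response from Cory's answer above. The link carries the email, an expiry time and a per-user password version under an HMAC-SHA256 tag; bumping the version when the reset completes is an assumption of this example that makes a used link (and any other outstanding link) stop working without storing tokens server-side. The server secret, the user table and the `send` callback are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins: a real deployment loads a persistent secret from
# configuration and keeps users in a database.
SERVER_SECRET = secrets.token_bytes(32)
LINK_TTL_SECONDS = 30 * 60
_users = {"alice@example.com": {"password_hash": "old-hash", "pw_version": 1}}

UNIFORM_REPLY = ("A password request email has been sent to the address you provided. "
                 "If no email arrives, then no account exists with the email you provided.")


def _mac(payload):
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()   # 32 bytes


def make_reset_token(email, now=None):
    """Sign email|expiry|password-version so the link cannot be altered or re-targeted."""
    now = time.time() if now is None else now
    user = _users[email]
    payload = f"{email}|{int(now + LINK_TTL_SECONDS)}|{user['pw_version']}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _mac(payload)).decode()


def request_reset(email, send, now=None):
    """Reply identically for every address; only registered addresses get a link."""
    if email in _users:
        send(email, f"https://example.invalid/reset?token={make_reset_token(email, now)}")
    return UNIFORM_REPLY


def parse_reset_token(token, now=None):
    """Return the email a valid token was issued for, or None if it is malformed,
    tampered with, expired, or issued before the password was last changed."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeError):
        return None
    if len(raw) < 33 or raw[-33:-32] != b"|":
        return None
    payload, mac = raw[:-33], raw[-32:]
    if not hmac.compare_digest(mac, _mac(payload)):     # constant-time tag check first
        return None
    fields = payload.decode(errors="replace").split("|")
    if len(fields) != 3:
        return None
    email, expires, version = fields
    if now > int(expires):
        return None
    user = _users.get(email)
    if user is None or int(version) != user["pw_version"]:
        return None
    return email


def complete_reset(token, new_password_hash, now=None):
    """Set the new password and invalidate this link (and any other outstanding one)."""
    email = parse_reset_token(token, now)
    if email is None:
        return False
    user = _users[email]
    user["password_hash"] = new_password_hash
    user["pw_version"] += 1
    return True


if __name__ == "__main__":
    links = []
    print(request_reset("alice@example.com", lambda e, link: links.append(link)))
    token = links[0].split("token=")[1]
    print("valid for:", parse_reset_token(token))
    print("reset done:", complete_reset(token, "new-hash"))
    print("replay accepted:", complete_reset(token, "another-hash"))
```

The token stays opaque to the user but is readable by the server without a lookup; because the tag is checked before any field is interpreted, a tampered or forged link is rejected before the expiry or the account is even consulted.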