We have a mobile web based app at my company. Due to the nature of the application we do not want the browser on the users phone to prompt the user to save the passwords on the form a.k.a the autocomplete feature.
We managed to do that for IE and Firefox by setting the autocomplete tag to "off" but that doesnt seem to work for Opera mini (and i am guessing opera in general). I know user's can set it to off in their settings but for security reason we rather have it disabled?
Is there a workaround for this through code? the app is Java app using faces components based on an Jboss/Apache architecture.
In general, Opera lets the user configure whether it should respect autocomplete=off. On principle, users should be able to configure the password storage feature, and web sites should not be able to affect the configuration at a whim.
However, I can certainly see that for specific scenarios, like "send one-time passwords by SMS to the device Opera remembered the regular password on", this sucks. If you have stored password for a high-value site + use SMS one-time passwords as an "out of band" authentication, a lost phone becomes a major risk. The root of this problem is the assumption that an SMS constitutes "three-factor" authentication - if the stored login and the SMS is on the same device it's no longer "three-factor"..
It is tricky to try to leave users in control, while yielding to the web site when it's a really good idea to do so. Sadly, I think this is an unsolved question for now.
If you have a good use case for disabling password storage and are working on an important site, perhaps Opera Mini server admins could be persuaded to disable password manager on a site-specific basis? I don't know, but if you report it as a bug to Opera it would at least give the internal discussions some more momentum. Feel free to contact me with a reference to the bug report because I'm in a position where I could keep an eye on it ;-)
Related
I am about to implement a reception screen view of some data my product holds. This data is not extremely sensitive, but enough so that my customers do not want it just out there on the internet for all to see.
The concept is a smart tv with a built in web browser that displays a webpage hosted by my application. My application requires authentication for all other interaction, but the smart tv does not support authentication. So I would like to secure the page somehow, so it isn't just available for all to see.
The only options I see are:
Security by obscurity. I would really like to avoid this one.
IP Whitelisting. This I could do, but not all my clients have a static IP.
Enter credentials on screen. This is not really feasible and the credentials are lost on reboot. So we cannot do this.
Are there other options I just don't know about.
For lĂmited input devices like TVs where is not easy enter credentials there are some Open Source options like CPA (developed by EBU for Hbbtv Use Cases) than can work for you and you can control the e2e
CPA
Reference Implementation
The autenticacion token can be stored into your SmartTV app until its expiration or client's logout, etc.
There is also
After some research I found that the best option is the OAuth 2.0 Device Authorization Flow.
The gives the user an experience like the one used when setting up Google Chromecast or AppleTV.
https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow
I maintain an application written in C++Builder 2009. Part of it involves using a TWebBrowser control (based on Internet Explorer) to send users to a Google login page in order to obtain an OAuth key. This has worked well for a while, but now Google, bless their hearts, has implemented some kind of security upgrade, and now my users get to a page that says "Couldn't sign you in, this browser or app may not be secure". FYI, I am already setting a Registry key that is supposed to make IE run in version 11 emulation mode.
I do have a couple of workarounds: If the user runs IE first in admin mode, signs on, leaves it up while running my application, we don't get the problem. Second, I can start up the default browser - Chrome, IE, whatever - and send them to the URL for OAuth, then it avoids the error message.
The problem with this solution is that without being able to hook into TWebBrowser events, I don't have any way to automatically retrieve the OAuth key - it is necessary for the user to cut/paste it into my application. I'd like to avoid these clunky solutions.
I should also mention, this problem occurs only for certain Gmail accounts. I have no idea what the difference is between accounts that work and don't work. Any ideas on that?
So, is there any way to configure IE or TWebBrowser so this security issue is bypassed? Or, if I was to update to a modern version of C++Builder and use TWebBrowser (or something else?), would this problem be avoided? Any other ideas to fix this problem?
The latest C++Builder supports Google's Chromium engine, it's probably safe to say it'll be compatible with Google's security upgrades.
Powerful Chromium Based WebView Component To Host Web Content In Your Delphi/C++ Builder FireMonkey Apps
I have administrated a community site for quite a while and over the time a handful people have told me that their browsers got infected with a "malware addon" that randomly inserts ad banners in websites they visit.
While they say some websites don't seem to "allow" such foreign insertions, my forum did "allow" the adding of the browser ads. (For example a malware thing called "OnlineBrowserAdvertising")
Is there a way (through HTML, Javascript...) to prohibit browsers to add something to my site? I am 100% sure that my site or my webspace are not infected. It's the visitors' browser add-ons messing with my page.
You cannot prevent browsers from injecting their own code on your end - the data is retrieved from your server and stored locally (at least temporarily) by the user's device. From the moment the data leaves your server, it is essentially out of your control.
This is purely a client-side issue that can be rectified by following standard security practices. Tell your users to keep their software up-to-date, use an antivirus/firewall solution, and not to visit or download from suspicious websites.
I've recently been doing a bit of web development so I've been thinking more about authentication and stuff. On Netflix I noticed there is an extra option on the Account page to de-authorize other devices. My girlfriend changed her password but I was still able to use it without re-entering the password till she logged out other devices.
So my question is how does authentication for Netflix work if it doesn't have to locally store your password?
Netflix uses a version of Open autentication to allow a device to access an account. Once the device has been authorized it will then have access to that account until its has been deautorized.
Chaning password doesnt matter becouse the device has autorization already probably in the form of a refresh token stored someplace. So its not storing a password its storing an autorization token of some kind.
Lets use facebook as an example: (response to comment below)
https://www.facebook.com/settings?tab=applications
This shows a list of all the crap I have loged in to using my facebook account. Now I have probably changed my facebook password sevral times it wont matter I will still have access. Some of these are mobil apps i have installed on my cellphone at one time or another. Even if i dont use them they still have access.
This doesn't technically answer the question, but is related and, I think, helpful:
You can forcefully invalidate the previously-validated tokens for other devices by going to https://www.netflix.com/ManageDevices - as soon as you go to the page it will ask if you want to sign out other devices.
(from "Someone is using my Netflix account without my permission" at https://help.netflix.com/en/node/18)
GMail can used as a SMTP server. I've written the code that does it. But as we all know GMail may occasionally authenticate using captcha (image verification as they call it). The same thing may be the cause to reject SMTP authentication.
As I've seen google shows image verification when you try to log-in for the first time from some machine. All consecutive log-ins from the same machine (to the same account) use regular login. I'm a bit afraid this captcha may also come up again for some other reasons that I can't control.
So. Is it possible to still authenticate when special measures are needed? And how?
I should also mention that logging in from the machine via web browser also enables programmatic SMTP authentication.
Try:
http://www.google.com/accounts/DisplayUnlockCaptcha
Or for Google Apps for your domain:
https://www.google.com/a/yourdomain.com/UnlockCaptcha
I can bet it's an IP based solution, so if your app if deployed somewhere else, It doesn't help.
Google doesn't seem to be particularly clear about what prompts them to block a user's account until he has successfully entered a captcha phrase. However, it's likely that this is a mechanism which is triggered when Google sees what it considers to be unusual or suspicious activity associated with your account. As a result, I would expect it to be unlikely that they will supply an option to opt out of a mechanism which is protecting both them and you, although others are welcome to find evidence to the contrary.
Various discussions of when and how this happens throw up some suggestions which you might like to try to see if they help, such as choosing a stronger password or simply changing your password. Good luck!
IMHO The right way to do this, without implementing the user consent workflow or "hacking your account's security settings", is obtaining a refresh token with the Google OAuth2.0 Playground for Offline Access. After that, you can authenticate using the OAuth 2.0 API.
I got it working after reading Nodemailer/Gmail - What exactly is a refresh token and how do I get one?