Introducing PIN feature for backend

Posted: Fri Jul 31, 2020 5:37 pm
by JurajB
Hello joomlas,
Everybody who has Windows 10 knows what the PIN feature is.
It's a solution to not provide a password, just a simple (and effective) check.
Many of us have our username and password saved in the browser.
A feature enabling a PIN check (without a possible "save" solution) will be greatly awaited.
[ redacted ]

Re: Introducing PIN feature for backend

Posted: Fri Jul 31, 2020 8:33 pm
by sozzled
Not interested in PINs (as an alternative to username/password). If anyone was interested in PINs for J! someone would have developed a plugin in the JED years ago. Just another useless feature that may attract one in a few thousand people, perhaps, IMO.

Re: Introducing PIN feature for backend

Posted: Sat Aug 01, 2020 7:23 am
by JurajB
I thought you are at the level when 1 of 1000 is a lot of people.
Of course nobody uses it when it's not available.
It should solve the problem with prefilled login data, so anyone can log in while you are away.
Another 'extreme' is when you use a plugin that extends the session to forever.

Re: Next beta

Posted: Tue Aug 11, 2020 1:37 pm
by toivo
Where does that assumption come from? Is your question related to the earlier topic Introducing PIN feature for backend?

Re: Next beta

Posted: Tue Aug 11, 2020 3:33 pm
by darb
I don't see any roadmap for that or any next beta release discussions about this or any discussion when an RC could be planned to be released.

It's interesting to know, though, what policies set back a Joomla 4.0 RC candidate. Is it the backlog that is the showstopper, and does it have to be 100% (80%...) cleaned first (and what levels) before an RC - Toivo, what do you think?

Re: Next beta

Posted: Tue Aug 11, 2020 4:11 pm
by JurajB
toivo how about this:
I tried to post this feature but it was already done.
I don't know if it is the same as I mentioned.

Re: Next beta

Posted: Tue Aug 11, 2020 6:30 pm
by brian
If you read more carefully you would see that the feature had already been requested. That is all.

Re: PIN feature for J! 4

Posted: Tue Aug 11, 2020 7:30 pm
by sozzled
This is the request that @brian mentions: https://github.com/joomla/joomla-cms/issues/28390

As I wrote (and others have commented on GitHub), no-one seems to be too interested in implementing a PIN feature for Joomla! As an "optional feature", maybe someone might like to write a new authentication plugin/login module that replaces the normal username/password login mechanism but, IMO, that would be dangerous as far as site security is concerned.

If people are concerned about the "ease" by which brute force attacks are made or the "ability" to login on a device that's left lying around for others to use and logging into a website simply because they're able to access stored passwords on that device, they could always use two-factor authentication. Unless a PIN login method used similar anti-brute force countermeasures (e.g. the three-strikes and you're out rule) then site security would be at the mercy of brute force attacks. Eventually they would do one of two things:

(a) they would allow people to login; or
(b) they would prevent people (who could login) from being able to login again until the account was re-enabled.

Silly idea, IMO. I have no reason to expect that a PIN-feature will ever get off the ground for J! 4.
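
The two outcomes listed in the post above, as an added example that is not part of the thread or of Joomla's code: a hypothetical `PinGate` class models a 4-digit PIN step asked after the password, once with no attempt limit and once with the three-strikes rule. The class name, the sample PIN and the iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000   # kept low so the demo sweep runs quickly (assumption)
THREE_STRIKES = 3    # the "three strikes" rule mentioned in the post

class PinGate:
    """Hypothetical PIN step asked after username/password succeeded."""

    def __init__(self, pin, max_attempts=THREE_STRIKES):
        self.salt = os.urandom(16)
        self.digest = self._derive(pin)
        self.max_attempts = max_attempts   # None = no countermeasure
        self.failures = 0
        self.locked = False

    def _derive(self, pin):
        # Salted KDF so the PIN is not stored in clear; with only 10,000
        # possible PINs this does not replace attempt limiting.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, ITERATIONS)

    def verify(self, pin):
        if self.locked:
            return "locked"                # even the correct PIN is refused
        if hmac.compare_digest(self._derive(pin), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
            return "locked"
        return "denied"

def sweep(gate):
    """Try 0000..9999 in order; return (guesses used, final outcome)."""
    for n in range(10_000):
        outcome = gate.verify(f"{n:04d}")
        if outcome != "denied":
            return n + 1, outcome
    return 10_000, "denied"

if __name__ == "__main__":
    owner_pin = "0427"                     # constructed sample value
    print(sweep(PinGate(owner_pin, max_attempts=None)))  # outcome (a)
    limited = PinGate(owner_pin)
    print(sweep(limited), limited.verify(owner_pin))     # outcome (b)
```

Without a limit the sweep ends in "ok"; with the limit it ends in "locked" after three guesses, and the owner's correct PIN is then refused as well until the gate is reset.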

Re: Next beta

Posted: Tue Aug 11, 2020 7:30 pm
by brian
Don't feed the troll.

Re: Next beta: PIN feature for J! 4 ???

Posted: Tue Aug 11, 2020 7:42 pm
by sozzled
I fed him earlier, @brian. Apparently he's still hungry. :laugh: FYI, the forum moderators also fed him by allowing this topic to remain, separately from his earlier topic on the same subject. I asked the forum moderators to merge this topic with the OP's earlier topic and I'm still waiting for that to happen. 8)

Re: Next beta

Posted: Wed Aug 12, 2020 6:49 am
by JurajB
OK, I tried a little journalist style to freshen this up, but you already know this ;) I'm sorry for what this became.
Why am I a troll? OK, I will change myself and take care of this in future.
Thanks,
Have a nice day
PS this isn't the same feature as I declared my ID in my previous IDEA.

Re: Next beta

Posted: Wed Aug 12, 2020 7:07 am
by JurajB
Wait guys, my original idea of this PIN was an EXTRA security measure, and the login information will still be active (and accessible via the browser's saved information prefilled into the login form, so this is why you can have an extra PIN so the intruder is stopped, and without it the intruder just clicks login with the browser's saved prefilled credentials).

Re: Next beta

Posted: Wed Aug 12, 2020 8:09 am
by sozzled
It's not going to happen in J! 4.0.

Re: Will the next beta include PIN authentication?

Posted: Wed Aug 12, 2020 8:24 am
by JurajB
But why? It's like 2FA but a little easier. It helps in the situation I was mentioning. You have browser-saved backend login credentials and you don't want to use 2FA, which takes longer, so you just enable a 4-digit PIN. This PIN, as opposed to a login, will not be saved, stored and offered by the browser when SOMEBODY arrives at a PC which has the login form on the whole display, one click away from accessing your website, so he can change something, delete something or get some information. And only you know this PIN, so when you come back from the toilet nobody could log in (because they don't know your PIN, which will not offer a one-click solution to fill in automatically; this is what I'm saying the whole time).
NORMAL LOGIN WILL NOT BE ALTERED IN ANY WAY, you will still have to provide name and password (in the backend).
Just as bank accounts have PINs to secure your money.

You just provide:
username (saved and prefilled)
password (again saved and prefilled)
and PIN (which shows (if it's set on) after you click login)

- it's (much) safer in this AFK situation
- it's much faster than 2FA
- it's new so nobody knows it
- it's optional so nobody will be hurt

And now banks are using this; sometimes website damage can hurt like a loss of some money.
So now IS this BAD? Normal login won't be altered, just expanded.

Re: Will the next beta include PIN authentication?

Posted: Wed Aug 12, 2020 8:34 am
by sozzled
You want to stop people accessing your device while you're AFK? Simple: lock the device!

"Banks"—websites, that is—are not "using this [method]". Sure, PINs for EFTPOS have been around for ages. Have you ever left your EFTPOS card lying around while you're AFK? Come on, be serious!

"Locking" J! with a PIN is a silly idea; that's not just my opinion. This is not going to happen in J! 4.

Re: Will the next beta include PIN authentication?

Posted: Wed Aug 12, 2020 8:51 am
by JurajB
OK, so banks:
I somehow log in from the browser data (Europe), and now I'm able to send a money transfer (bank transfer) to my secret account. I just can do this because after filling in the transfer details the bank sums things up and asks for a PIN (which I don't have because I'm an intruder and this is NOT my bank account). This PIN is generated by the card reader: you put your card there, Visa for example, it reads it, you enter the number from the display (generated by the bank) and this card reader generates a PIN for your transaction.
This is way longer and safer than this silly PIN idea, so you (probably) don't have a Joomla! card reader available in the next 10 years (what will be in 10 years? - it will start data as the money resource (well OK, maybe further future)). But I'm talking about an easy PIN configurable in the backend right before 2FA.
So what about bank-level security? I know it's not the level of protection banks provide with these generated PINs from a Visa card reader. It's silly compared to a bank, but it still may work as a better, safer and faster route to the great backend Joomla! 4 offers.

Re: Will the next beta include PIN authentication?

Posted: Wed Aug 12, 2020 8:55 am
by JurajB
Sozzled, do you know what will happen on Windows 10 when you lock your computer and go AFK?
It asks you for a PIN.

Re: Will the next beta include PIN authentication?

Posted: Wed Aug 12, 2020 9:05 am
by sozzled
This will be my final response in this topic.

1) The next beta will not include PIN authentication. Full stop. End of discussion.
2) There are no plans to include PIN authentication for J! 4. Again, full stop.
3) I don't have this bank-asks-you-for-a-PIN-on-the-browser-after-you-go-AFK feature. Sorry. Maybe things are different where you live.
4) I do not use a PIN unlock feature with Windows 10. I deliberately disabled that feature. I use password unlocking instead. So what? It's off-topic and it has nothing to do with J!.

If there was support for your idea then, as I wrote in your other topic:
sozzled wrote:
Fri Jul 31, 2020 8:33 pm
If anyone was interested in PINs for J! someone would have developed a plugin in the JED years ago.
It hasn't happened; no-one is interested in making this happen; it won't happen.

Re: Will the next beta include PIN authentication?

Posted: Wed Aug 12, 2020 10:14 am
by JurajB
OK, as you said.

Re: Will the next beta include PIN authentication?

Posted: Wed Aug 12, 2020 2:43 pm
by JurajB
OK, guys reading this - there are technologies for this already and this functionality is redundant.
My apologies, I was in a bit of a hurry.
Ready for next technologies, now with more skill :)