Introducing PIN feature for backend Topic is solved
Moderator: ooffick
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Introducing PIN feature for backend
Hello joomlas,
everybody who has Windows 10 knows what the PIN feature is.
It's a solution to not provide a password, just a simple (and effective) check.
Many of us have username and password saved in the browser.
A feature enabling a PIN check (without a possible "save" solution) will be greatly awaited.
[ redacted ]
Last edited by toivo on Fri Jul 31, 2020 11:14 pm, edited 1 time in total.
Reason: mod note: manual signature removed, please read the forum rules!
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Introducing PIN feature for backend
Not interested in PINs (as an alternative to username/password). If anyone was interested in PINs for J! someone would have developed a plugin in the JED years ago. Just another useless feature that may attract one in a few thousand people, perhaps, IMO.
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Re: Introducing PIN feature for backend
I thought you are at the level when 1 of 1000 is a lot of people.
Of course nobody uses it when it's not available.
It should solve the problem with prefilled login data, so anyone can log in while you are away.
Another 'extreme' is when you use a plugin that extends the session to forever.
- toivo
- Joomla! Master
- Posts: 17350
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Next beta
Where does that assumption come from? Is your question related to the earlier topic Introducing PIN feature for backend?
Toivo Talikka, Global Moderator
- darb
- Joomla! Hero
- Posts: 2038
- Joined: Thu Jul 06, 2006 12:57 pm
- Location: Stockholm Sweden
Re: Next beta
I don't see any roadmap for that or any next beta release discussions about this or any discussion when an RC could be planned to be released.
It's interesting to know, though, what policies set back a Joomla 4.0 RC candidate. Is it the backlog that is the showstopper, and does it have to be 100% (80%...) cleaned first (and what levels) before an RC? Toivo, what do you think?
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Re: Next beta
toivo, how about this:
I tried to post this feature but it was already done.
I don't know if it is the same as I mentioned.
- brian
- Joomla! Master
- Posts: 12781
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Next beta
If you read more carefully you would see that the feature had already been requested. That is all.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: PIN feature for J! 4
This is the request that @brian mentions: https://github.com/joomla/joomla-cms/issues/28390
As I wrote (and others have commented on GitHub), no-one seems to be too interested in implementing a PIN feature for Joomla! As an "optional feature", maybe someone might like to write a new authentication plugin/login module that replaces the normal username/password login mechanism but, IMO, that would be dangerous as far as site security is concerned.
If people are concerned about the "ease" by which brute force attacks are made or the "ability" to login on a device that's left lying around for others to use and logging into a website simply because they're able to access stored passwords on that device, they could always use two-factor authentication. Unless a PIN login method used similar anti-brute force countermeasures (e.g. the three-strikes and you're out rule) then site security would be at the mercy of brute force attacks. Eventually they would do one of two things:
(a) they would allow people to login; or
(b) they would prevent people (who could login) from being able to login again until the account was re-enabled.
Silly idea, IMO. I have no reason to expect that a PIN-feature will ever get off the ground for J! 4.
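The two outcomes (a) and (b) named in the post above, as an added example that is not part of the original thread or of Joomla!: a 4-digit PIN step checked after the password, once with no attempt limit and once with a three-strikes lockout. The class and function names and the sample PIN are constructed for illustration.

```python
import hashlib
import hmac
import os

KEYSPACE = [f"{n:04d}" for n in range(10_000)]  # every possible 4-digit PIN


class PinStep:
    """Hypothetical PIN prompt shown after username/password succeeded."""

    def __init__(self, pin, max_failures=None):
        self.salt = os.urandom(16)
        self.max_failures = max_failures  # None = no lockout at all
        self.failures = 0
        self.digest = self._hash(pin)

    def _hash(self, pin):
        # Salted, stretched hash; iteration count kept low so the demo runs fast.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 1_000)

    def locked(self):
        return self.max_failures is not None and self.failures >= self.max_failures

    def verify(self, candidate):
        if self.locked():
            return "locked"  # even the correct PIN is refused from here on
        if hmac.compare_digest(self._hash(candidate), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "denied"


def guesses_needed(step):
    """Walk the keyspace in order; return (final result, guesses made)."""
    for count, pin in enumerate(KEYSPACE, start=1):
        result = step.verify(pin)
        if result != "denied":
            return result, count
    return "denied", len(KEYSPACE)


def demo(owner_pin="2468"):  # constructed sample PIN
    no_limit = PinStep(owner_pin)
    three_strikes = PinStep(owner_pin, max_failures=3)
    outcome_a = guesses_needed(no_limit)       # (a): the keyspace is exhausted, login succeeds
    outcome_b = guesses_needed(three_strikes)  # (b): the account locks after three misses
    owner_after = three_strikes.verify(owner_pin)  # the real owner is now refused too
    return outcome_a, outcome_b, owner_after
```

Hashing the PIN does not change outcome (a): with only 10,000 candidates, the attempt limit is the only control that matters, and it is also what produces outcome (b).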
- brian
- Joomla! Master
- Posts: 12781
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Next beta
Don't feed the troll
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Next beta: PIN feature for J! 4 ???
I fed him earlier, @brian. Apparently he's still hungry. FYI, the forum moderators also fed him by allowing this topic to remain, separately from his earlier topic on the same subject. I asked the forum moderators to merge this topic with the OP's earlier topic and I'm still waiting for that to happen.
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Re: Next beta
OK, I tried a little journalist style to freshen this up, but you already know this. I'm sorry for what this became.
Why am I a troll? OK, I will change myself and take care of this in future.
Thanks,
Have a nice day
PS this isn't the same feature as I declared my ID in my previous IDEA.
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Re: Next beta
Wait guys, my original idea of this PIN was an EXTRA security, and the login information will still be active (and accessible via the browser's saved information prefilled into the login), so this is why you can have an extra PIN so the intruder is stopped; without it the intruder just clicks login with the browser-saved prefilled credentials.
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Next beta
It's not going to happen in J! 4.0.
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Re: Will the next beta include PIN authentication?
But why? It's like 2FA but a little easier. It helps in the situation I was mentioning. You have browser-saved backend login credentials and you don't want to take 2FA, which is longer, you just enable a 4-digit PIN. This PIN, as opposed to a login, will not be saved, stored and offered by the browser when SOMEBODY arrives at a PC which has the login form on the whole display, one click away from accessing your website, so he can change something, delete something or get some information. And only you know this PIN, so when you come back from the toilet nobody could log in, because they don't know your PIN (which will not offer a one-click solution to fill it in automatically; this is what I'm saying the whole time).
NORMAL LOGIN WILL NOT BE ALTERED IN ANY WAY, you will still have to provide name and password (in the backend)
Just as bank accounts have PINs to secure your money.
You just provide:
username (saved and prefilled)
password (again saved and prefilled)
and PIN (which shows (if it's set on) after you click login)
- it's (much) safer in this AFK situation
- it's much faster than 2FA
- it's new so nobody knows it
- it's optional so nobody will be hurt
And now banks are using this; sometimes website damage can hurt like a loss of some money.
So now IS this BAD? Normal login won't be altered, just expanded.
Last edited by JurajB on Wed Aug 12, 2020 8:34 am, edited 1 time in total.
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Will the next beta include PIN authentication?
You want to stop people accessing your device while you're AFK? Simple: lock the device!
"Banks"—websites, that is—are not "using this [method]". Sure, PINs for EFTPOS have been around for ages. Have you ever left your EFTPOS card lying around while you're AFK? Come on, be serious!
"Locking" J! with a PIN is a silly idea; that's not just my opinion. This is not going to happen in J! 4.
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Re: Will the next beta include PIN authentication?
OK, so banks:
I somehow log in from the browser data (Europe), and now I'm able to send a money transfer (bank transfer) to my secret account. I just can do this because after filling in the transfer details the bank sums things up and asks for a PIN (which I don't have because I'm an intruder and this is NOT my bank account). This PIN is generated from the card reader: you put your card there, Visa for example, it reads it, you enter the number from the display (generated by the bank) and this card reader generates a PIN for your transaction.
This is way longer and safer than this silly PIN idea, so you (probably) won't have a Joomla! card reader available in the next 10 years (what will be in 10 years? - it will start data as the money resource (well OK, maybe further future)). But I'm talking about an easy PIN configurable in the backend right before 2FA.
So what about bank-level security? I know it's not the level of protection banks provide with these generated PINs from a Visa card reader. It's silly compared to a bank, but it still may work as a better, safer and faster route to the great backend Joomla! 4 offers.
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Re: Will the next beta include PIN authentication?
Sozzled, do you know what will happen on Windows 10 when you lock your computer and go AFK?
It asks you for a PIN.
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Will the next beta include PIN authentication?
This will be my final response in this topic.
1) The next beta will not include PIN authentication. Full stop. End of discussion.
2) There are no plans to include PIN authentication for J! 4. Again, full stop.
3) I don't have this bank-asks-you-for-a-PIN-on-the-browser-after-you-go-AFK feature. Sorry. Maybe things are different where you live.
4) I do not use a PIN unlock feature with Windows 10. I deliberately disabled that feature. I use password unlocking instead. So what? It's off-topic and it has nothing to do with J!.
If there was support for your idea then, as I wrote in your other topic:
It hasn't happened; no-one is interested in making this happen; it won't happen.
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Re: Will the next beta include PIN authentication?
OK, as you said.
- JurajB
- Joomla! Guru
- Posts: 624
- Joined: Fri Oct 02, 2015 3:28 pm
Re: Will the next beta include PIN authentication?
OK, guys reading this - there are technologies for this already and this functionality is redundant.
My apologies, I was in a bit of a hurry.
Ready for next technologies, now with more skill