Login via email or "What do our machines think about your connection?"

Forums › Geekzone › Login via email or "What do our machines think about your connection?"

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#201726 31-Aug-2016 21:18

Hi folks

I have been working on an idea of a password-less login for Geekzone. Basically you enter your username and receive an email with a token embedded in a link. Once you click on that link you're automatically logged in, no need to remember or enter your password.

The way I see it this means you can have a much more secure password for Geekzone, because it's one less password to remember. You can set an extra long password here since you won't have to use it that much.

Of course security would rely on your email being safe. For this to work I am thinking of adding a switch to your profile. You can turn this feature off if you think it's not for you.

A couple of weeks ago we started using ThisData to record some activities around the site - including successful login, logout, failed login, failed captcha, password reset request, password reset, password change, email change and profile update. This helps a machine learning-based platform to determine a score that indicates the chance your session has been hijacked.

Some of you might have already received an email asking "Was that you?" - with the option to click a link to say Yes or No. The idea is that this input will help the machines learning even more about your account.

We have the option to "verify" an account before performing an action and in the future, depending on the session status we will be able to terminate a session, lock an account, or reset passwords automatically.

Now we go back to my idea of password-less login via email. Once you request the email login and click the link we will verify the action before you actually login into your account. If the result is not "green" then we will simply redirect to the standard login page and ask for your password. We will do this by disabling the email login from your profile automatically if the verify doesn't come back with "green". You will have to enable it again if you want to continue to use it.

Also these links would be only valid for a few minutes. This is great for you folks using the site on a mobile device, where entering (long) passwords is a PITA. I also see these logins as not permanent, so the option to stay logged in would not have any effect on login via email.

If you want to see what your current session status is, visit this simple test page and let us know the result.

The email login will be coming soon. No date set yet.

1 | 2 | 3

13457 posts

Uber Geek

ID Verified

Lifetime subscriber

#1620448 31-Aug-2016 21:27

what does this mean if you use multiple computers/devices to access geekzone? what about in a cooperate environment where say currently you may be logged out/session ended after a period of time?

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1620450 31-Aug-2016 21:33

Nothing changes. You can still have your account logged in to multiple devices or over different networks.

The only thing that changes is that today you enter a username and password. In the future you can either enter a username and password, or enter your username only and providing you have the option to login via email enabled in your account instead of seeing an error message "Please enter username and password" you will receive an email with a link valid for a few minutes that you can click and automatically be logged into Geekzone (if the machines thing it's not someone impersonating your account).

The whole idea is to make it easier to log into Geekzone, and since you don't have to enter your password all the time you have the opportunity to use an even longer password, and I hope one that is not used anywhere else.

Makes sense?

Jase2985

13457 posts

Uber Geek

ID Verified

Lifetime subscriber

#1620452 31-Aug-2016 21:40

yep. just in some situations it may not be easier as you also have to log into your email to receive the email to login, so manual login would be easier :)

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1620453 31-Aug-2016 21:41

Up to you how you want to login. I just think that using this you actually get more secure than just password.

Rikkitic

Awrrr
18657 posts

Uber Geek

Lifetime subscriber

#1620461 31-Aug-2016 22:11

OK, it says I'm green on this machine.

Plesse igmore amd axxept applogies in adbance fir anu typos

scottjpalmer

5973 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1620463 31-Aug-2016 22:15

GREEN!

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1620466 31-Aug-2016 22:17

Rappelle:

freitasm:

If you want to see what your current session status is, visit this simple test page and let us know the result.

Given this feature isn't already enabled (?), and the page requires you to be logged in... would you expect the status of that page not to be green for anyone?

The scale is from 0 to 1. Yes, you can get something different than green right now. I managed to get a 0.90 result by using a couple of things (which I obviously won't disclose) but there quite a few services being used plus device/browser signature, etc.

Rappelle:

Given this feature isn't already enabled (?), and the page requires you to be logged in... would you expect the status of that page not to be green for anyone?

Edit: Just noticed I received an email asking "Was this you?". Unusual enough activity to ask, but not unusual enough for non-green status?

By answering the email YES|NO you are teaching the machine what's normal or not for your account.

As for not using the password, you should assume the same care (if not more) is taken in regards to your email platform (if you have doubts you should change email providers). Assuming you are comfortable that your email platform is safe, then using it as a token should be safe (not on the same level, as we all know emails are like postcards while in transit).

Imagine this scenario: you actually request an email login. Someone intercepts the email while in transit. You may or may not receive the email if the Bad Person decided not to let the email through. If this Bad Person logs in using that email three things can happen: we try to check this is a good login and fail, in which case we deny it, you will receive instead (or in addition) and email asking "Was that you?" and if you respond with a NO then we terminate the session, or the person logs in ok, in which case when you try to login using the email you will receive a message saying the token has been used - you can then go to your profile page and terminate all sessions from there (I've put the link on that page a few years ago for this kind of emergency).

Rappelle:

Would I use it on geekzone? Probably, because it's not a crucial service like banking or email, so convenience surely outweighs need for security. Still weird though.

Actually the reason I am using ThisData is because you may not think it's a crucial service, but it may be in some situations. We have a good traffic of private information being moved around in private messages already. People interact with support from different companies via PM and we make sure that people who claim to represent a company are actually from these companies and have a badge with the company name attached to their accounts. We don't need someone using a company account here collecting customer numbers and personal details.

If you are not comfortable with the idea of email login, I am thinking of making it disabled by default.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1620467 31-Aug-2016 22:21

Rappelle:

Edit2: Answered "no" to "Was this you?", security is still green.

Thanks, will check this. I can see you replied NO - we also have their API posting to our Slack team.

PhantomNVD

2619 posts

Uber Geek
Inactive user

#1620478 31-Aug-2016 22:43

So swapping browsers, resetting the advertising token on my iPhone and bouncing through several different countries via PIA VPN (I did my best to pick more suspect ones like Romania/India etc) and I managed to trigger the 'orange' and get an email that I answered no to... only to then be greeted as 'green'??

Edit: Swapping countries again managed to return the 'orange', what excatly will be the process for logging out all browsers or reclaiming u account if the email addy gets hacked though?

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1620666 1-Sep-2016 09:50

Rappelle:

As for default, if you truly believe this is more secure (probably it is, maybe I'm a little cynical of it so far- considering google captcha probably does similar tracking), then it seems to me it'd be fair to have the email login with user/pw login as opt-out.

Like I said, I'd probably use it for convenience. But something about it still feels uncomfortable. Maybe just a fear of the new/unknown/machine sort of thing.. even as a developer myself

Google reCaptcha is only really good to stop bots trying to force login into someone's account. It does not tell us anything about failures except "BOT/NOT BOT".

I believe it's secure but I also believe many people will fear the new status quo... So I'm still divided on what the default should/would be.

PhantomNVD: So swapping browsers, resetting the advertising token on my iPhone and bouncing through several different countries via PIA VPN (I did my best to pick more suspect ones like Romania/India etc) and I managed to trigger the 'orange' and get an email that I answered no to... only to then be greeted as 'green'??

Edit: Swapping countries again managed to return the 'orange', what excatly will be the process for logging out all browsers or reclaiming u account if the email addy gets hacked though?

There are more than one situations going on here. Eventually we should consider release of the "verify" for actions around the site (before posting, sending a PM or accesing profile pages) so at critical moments we can identify impersonators and stop things happening or at least ask for another credential - the password we didn't ask when you logged in for example.

The fact you had orange when logged in from somewhere and then green when you returned to your "home network" means things are working. It identified a session hijack.

I only introduced the service a week or so ago and it's still learning. It will be a while before I get "verify" before all these actions and some time before email only login is released. But I think it can be a change in terms of how fast you can get into Geekzone, in a safer manner.

PhantomNVD

2619 posts

Uber Geek
Inactive user

#1620945 1-Sep-2016 16:22

Thanks, I'm just trying to help test the system here, and so thought I souls try a "stress test" of various locations to see how it might respond.

FWIW,the last statement of "changing countries and it returns to green" actually referred to swapping to Netherlands, not home country, and the email I received was only a flag for a 'new browser' as I'd swapped out to chrome midway too...

Also, failing Capcha at least 10 times till random clicks 'accidently' succeeded didn't trigger anything either?

Hope this helps see how things go, and happy to try other things to test it if needed too?

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1620949 1-Sep-2016 16:31

Only login triggers emails.

Failed captcha are logged but won't trigger anything mainly because before you login we don't even know if it is you (or someone pretending to be you). Recording captcha failures are only for statistical purposes.

The API access to verify some activity is something I have to add to the important points in the system. For testing only I added it to that page I linked before.

richms

28168 posts

Uber Geek

Trusted

Lifetime subscriber

#1620986 1-Sep-2016 17:04

Does the login happen on the machine that you requested the login from, or the link that is clicked on the email?

One of the sites I once used a couple of times used something similar, where you clicked a link that they emailed, but it was that link that was then taking you to the logged in session, not authorizing the other browser to get logged in, so in essense unless you open links from email in the same browser on the same PC that you wanted to use the site on, it was useless.

Richard rich.ms

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1620988 1-Sep-2016 17:09

Ideally any machine.

An important thing to have in mind about the security... The security in this situation (without having the machine learning thing behind the scenes) is by all means the same as for a password reset.

Basically if your email is compromised then any website that send password resets via email would automatically be compromised as well.

Think of this idea under this new piece of information. What we think can be done is go a step further and if we think the request is bogus then we fallback to password anyway.

Makes sense?

chevrolux

4962 posts

Uber Geek
Inactive user

#1620992 1-Sep-2016 17:34

For what it's worth, I've never had an issue with logins on Geekzone. It seems to stay logged in on my day-to-day laptop, phone (android chrome browser) and home desktop machine. Much better than some other sites that seem to constantly require logging in even though I choose the 'stay logged in' option.

Still, new features are always cool =)

1 | 2 | 3