An authentication protocol to prevent phishing & solve the problem of password reuse?

When writing about best practices for authentication, I find that today’s best practices still leave gaping holes in security, specifically not solving the problem of password reuse by users – websites are currently sent the user’s input which means they could be storing it without them knowing. It also means that a user that is tricked into visiting a malicious site instantly gives away their credentials.

When I talk of passwords, I believe that any authentication key, whether it be generated via biometrics, a physical key or a password should be forced to use this protocol.

I have been unable to find any such protocols online for this purpose, the current idea would be something of the sort (I’m not a crypto expert, this is merely an example).

1) The LoginID is passed to the server, the server responds with a user-set reply to validate they are logging in at the genuine site.
2) The user’s browser is sent a cryptographic key linked to their account, when the user inputs their password, the browser first encrypts this key with the user’s password & then hashes it, before sending it to the server. The server should then follow best practices for password storage as currently advised.

In summary, what is needed:
1) A mechanism when authenticating that is clear to users that they are logging in at the correct location that they believe they are.
2) The website must never receive the user’s actual authentication key.

Why? I first thought of this when thinking about multifactor authentication and thinking it is rather a bad idea to transmit biometrics to anybody for any reason in plaintext (over encrypted channels, it doesn’t matter), as we have seen all too many times websites not taking adequate security measures, and it is not so easy to change one’s fingerprint. Included must be some form of mechanism to ensure the user does not transmit credentials to the wrong site. Hence I recommend the two-stage login: the user login ID (which should not be a username or an email, it should be private) is entered, and upon entry the user is sent the prompt they set. This could be an image or text or both, and it acts as a way of preventing simple phishing attacks which aim to clone sites. This is necessary to prevent phishing attacks, else malicious sites will still mimic genuine ones, or inattentive users will fall victim. (I recommend that the browsers flag login inputs as ‘insecure’, informing the user it will be sent in plaintext, if websites choose not to adhere to this standard.)

Again this is just an example. It just seems that it is not all too complex or costly to implement what would be a real advantage to user security. It would eliminate the need for a password manager & make password breaches a minor inconvenience. And as said earlier, it addresses the pressing issue of biometrics.

Again I’m no crypto expert, this is just a simple example protocol.

I have attempted to find information on protocols for this purpose but have failed. I have seen some answers on Stack Exchange recommending such a thing, but not a dedicated post. I apologise if this is a duplicate, the search terms on this matter predictably throw up irrelevant posts.
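Step 2 of the sketch in this question, as an added example rather than the poster's or any standard's protocol: PBKDF2 followed by HMAC-SHA256 stands in for "encrypt the key with the password, then hash", and the function names and iteration count are assumptions. It shows that one password yields unrelated values on two sites, while the value a site receives is still what logs the user in on that one site.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: the post gives no parameters


def client_response(password: str, account_key: bytes) -> bytes:
    """Browser side: derive the value that is sent instead of the password."""
    # Stretch the password, bound to this account's key (used as the salt).
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), account_key,
                                 PBKDF2_ROUNDS)
    # Keyed hash of the account key: the stand-in for "encrypt, then hash".
    return hmac.new(pw_key, account_key, hashlib.sha256).digest()


def register(password: str) -> dict:
    """Create a server-side record. In a real flow the browser would compute
    the response; both sides are combined here to keep the demo short."""
    account_key = os.urandom(32)   # the "cryptographic key linked to their account"
    salt = os.urandom(16)
    response = client_response(password, account_key)
    # The server treats the response like a password and stores only a
    # salted, stretched hash of it.
    stored = hashlib.pbkdf2_hmac("sha256", response, salt, PBKDF2_ROUNDS)
    return {"account_key": account_key, "salt": salt, "stored": stored}


def server_verify(record: dict, response: bytes) -> bool:
    """Server side: re-hash the submitted response and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", response, record["salt"],
                                    PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["stored"])


if __name__ == "__main__":
    site_a = register("correct horse")   # constructed sample password
    site_b = register("correct horse")   # same password reused elsewhere
    resp_a = client_response("correct horse", site_a["account_key"])
    print("site A accepts:", server_verify(site_a, resp_a))
    print("site B accepts A's value:", server_verify(site_b, resp_a))
```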

`Unregistered Authentication Agent for unix-process` when I restart Apache each time?

My server is CentOS 7.4 with Apache 2.4.6.
Each time I run `systemctl restart httpd`, 2 messages are added to /var/log/secure. They look like:

Jan 19 8:23:48 localhost polkitd[493]: Registered Authentication Agent for unix-process:5739:174943 (system bus name :1.119 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 19 8:23:49 localhost polkitd[493]: Unregistered Authentication Agent for unix-process:5739:174943 (system bus name :1.119, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

What’s the problem?

Problems with this 2 factor authentication implementation

I’m implementing my own 2 factor authentication using SMS.

We have a gift card service and the users are sent a link to their gift card. Every time they click on their link, we are verifying it’s them by sending an SMS to their phone and prompting them for the code on our site.

I just want to make sure I haven’t overlooked anything.

We first ask a user for their phone number and this is saved in a table called giftee_verification_details:

orderId | phoneNumber
----------------------
1       |  +35312345

The server then generates a random 4 digit code and saves in sms_codes table:

id   |   orderId    |    code   |   createdTimestamp     |  codeValidUntil
---------------------------------------------------------------------------
1    |      255     |   8145    |   2019-01-17 10:28:58  |   2019-01-17 10:33:58

codeValidUntil is the time the code is valid until – in this case 5 minutes from when the code was created.

We send this to the user’s phone. When the user submits this, we check the code is correct and within the correct timeframe, then create a row in a table called sms_login:

id    |     smsCodeId     |    createdTimestamp    |    loginValidUntil
-----------------------------------------------------------------------------
1     |         1         |   2019-01-17 10:39:25  |     2019-01-17 11:39:25

loginValidUntil is the time this ‘login’ is valid for. So a user can view their gift card details if the current time is less than the last loginValidUntil. If the current time is after this, we redirect, send them another sms code and ask for it in our UI.

Are there any problems with this approach?
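The flow described in this question, as an added example (not the poster's code): in-memory dicts stand in for the sms_codes and sms_login tables, and the attempt cap, the single-use flag and the constant-time compare are assumptions that are not in the post. A 4-digit code has only 10,000 values, so the attempt cap is what bounds guessing inside the 5-minute window.

```python
import hmac
import secrets
from datetime import datetime, timedelta

CODE_TTL = timedelta(minutes=5)   # codeValidUntil window, as in the post
LOGIN_TTL = timedelta(hours=1)    # loginValidUntil window, as in the post
MAX_ATTEMPTS = 5                  # assumption: the post has no attempt limit

sms_codes = {}   # orderId -> row; stands in for the sms_codes table
sms_login = {}   # orderId -> loginValidUntil; stands in for sms_login


def issue_code(order_id: int, now: datetime) -> str:
    """Generate a 4-digit code from a CSPRNG and replace any earlier code."""
    code = f"{secrets.randbelow(10_000):04d}"
    sms_codes[order_id] = {"code": code, "codeValidUntil": now + CODE_TTL,
                           "attempts": 0, "used": False}
    return code   # in the real service this is sent by SMS, not returned


def verify_code(order_id: int, submitted: str, now: datetime) -> bool:
    """Check a submitted code; on success open the one-hour login window."""
    row = sms_codes.get(order_id)
    if row is None or row["used"] or now > row["codeValidUntil"]:
        return False
    if row["attempts"] >= MAX_ATTEMPTS:
        return False              # locked until a new code is issued
    row["attempts"] += 1          # count every try, right or wrong
    if not hmac.compare_digest(row["code"].encode(), submitted.encode()):
        return False
    row["used"] = True            # a code is accepted once only
    sms_login[order_id] = now + LOGIN_TTL
    return True


def is_logged_in(order_id: int, now: datetime) -> bool:
    """True while the current time is before loginValidUntil."""
    until = sms_login.get(order_id)
    return until is not None and now < until


if __name__ == "__main__":
    t0 = datetime(2019, 1, 17, 10, 28, 58)   # constructed sample time
    sent = issue_code(255, t0)
    print(verify_code(255, sent, t0 + timedelta(minutes=2)))
    print(is_logged_in(255, t0 + timedelta(minutes=30)))
```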

How to require computer authentication when accessing windows domain network shares

I have a network containing a mixed collection of Windows domain and workgroup computers.

Currently, the workgroup computers can access file/folder shares hosted on domain computers if the user provides valid domain credentials when connecting. I need to make this impossible.

Is there a way to enforce a requirement that the client computers are members of the domain before granting them access to domain network shares?

The domain controller is running Windows Server 2016 Standard.

Office365 NTLM authentication

Can I authenticate credentials with Office365 based on NTLMv2?

Microsoft describes in “Authentication and EWS in Exchange” that clients can authenticate with Exchange based on NTLM, but my program connects to to authenticate based on NTLM Office365 replies Basic-Authentication.

Does anyone know what the problem is? Or how can I authenticate with Office365 using the NTLM authentication technique?

How to keep authentication state in vue.js?

I’m about to write a Web-application using Firebase-authentication & database. I decided to use Vue.js for this.

I found great tutorials for authentication, so that’s pretty clear, but my question now is:

What is a vue-like way to keep track of the authentication-state (uid of the specific user) after successful login? Since this uid will be the key for database access it also has to be secure.

(Open) LDAP – Authentication not working

I installed OpenLDAP on a CentOS7 machine, I can log on locally on the server, so user exists (in passwd). I also run the following LDAP command:

#ldapsearch -h localhost -x -b "cn=ldapuser01,ou=Group,dc=example,dc=com" 

and I get a result so user exists even in ldap directory.

But when I try to authenticate

#ldapsearch -h localhost -x -b "cn=ldapuser01,ou=Group,dc=example,dc=com" -D "cn=ldapuser01,ou=Group,dc=example,dc=com" -w <my password> 

I get error 49 invalid credentials

How are pincodes used as an authentication mechanism?

I’m designing a login system for my mobile app where users only need to provide a pincode to authenticate into the app after they sign-up.

I’m more wondering how the backend would work in such a system in general. To begin with, is the pincode saved on the device or server? If it’s on the server, then how is it passed to the server? Or how is it associated with the username-password tuple?

Thanks in advance.

What is the difference between using refresh token and Silent Authentication for SPA?

As I understand you must not issue a refresh token for SPA. But there are options to get a new access token like silent authentication.

To make things simple, you supply a refresh token to the Authorization Server (AS) and get a new access token. With silent authentication you pass the current access token to some endpoint on the AS and if it is valid you get a new access token.

So please correct me, because I do not understand why silent authentication is a more secure approach.

SSH: remove key authentication to setup a new one

I have a VM with an OpenSSH server running on it. I messed up my SSH server public key authentication setting (installed everything in my SSH session on the VM and not from an external terminal on my computer). I can SSH from my Debian session on the VM with the public key but this makes no sense.

I need to entirely remove my SSH key authentication so I can set up a new one correctly and be able to SSH from my OSX terminal to the server running on the VM.

What can I do to start all over clean?

Sorry for being such a noob.