#3649 - 2-step login

By Chris Graham
Added 30th Jul 2018, 6:50 AM
4 views

Identifier	#3649
Issue type	Feature request or suggestion
Title	2-step login
Status	Open
Tags	Type: Security (custom)
Handling member	Deleted
Addon	core
Description	Allow login over 2 steps. The first step would be the username, the second the password. The username of an in-progress login would be stored in a new table that had the session ID, the username, and a login ID. That login ID would be presented on the second screen as a hidden field, and used for looking the username back up.
Steps to reproduce
Additional information	This makes it harder for man-in-the-middle attacks, including malware running on a user's computer, from grabbing username and password combinations.
Related to	#3645 - Virtual Keyboard
Funded?	No

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 11th Sep 2023, 9:15 PM

I saw a good discussion about this. There are actually a few reasons sites are doing it...
1) Security, as described in this issue
2) Third party login integration, e.g. you put in your email and it realizes it is a FB login, or a corporate Okta login
3) Usability. No need for separate login/join/forgot-password links, as it can start the flow of all 3 by knowing what the email address is.

By Guest posted 30th Sep 2023, 11:18 PM

Hmm, while I understand points 2 and 3, I'm not sure I understand point 1 as much. In my mind, I can only see it making man in the middle attacks harder to a small degree. A key-logger for instance would negate the protection, at least the way I'm thinking of it.

By Guest posted 10th Dec 2023, 4:24 PM

I think I previously suggested an on-screen virtual keyboard, which I assumed may help prevent keylogging to some degree if used on the login screen and any other sensitive areas. The issue included a link to some opensource code (which I recall seemed pretty versatile in what you could do) but I have no idea how to search this tracker. There is this simpler version > https://github.com/quintanamo/virtual-keyboard and I'm sure there are others, or maybe the devs could create their own (mobile compatible) version.

By Guest posted 25th Jul 2024, 5:23 PM

"I can only see it making man in the middle attacks harder to a small degree" - a small degree is something. If the information is in different response packets (MITM/captured attack), or different HTML pages (client-side attack), that must be re-aggregated that requires quite a lot more sophistication.

By Guest posted 25th Jul 2024, 5:33 PM

"I think I previously suggested" - that would be #3645. I'll comment on it.

#3649 - 2-step login

Rating

Comments

Statistics