Install Joomla 4, add a new super admin, secure that super admin login with a Webauthn Authenticator (YubiKey)
go to /administrator/index.php?option=com_joomlaupdate
upload any zip file
Click upload & install
See a login screen; it allows 2FA, but the WebAuthn button is missing.
A super admin who has abandoned passwords and only ever logs in with a WebAuthn hardware authenticator should be able to use that to authenticate anywhere he needs to within Joomla.
YOU STILL HAVE A PASSWORD IN YOUR ACCOUNT. USE IT. DON’T BE DAFT.
There is no need to shout and be rude.
It is reasonable to assume that a super admin who uses WebAuthn daily on a site does not know or remember his password when he comes to this page.
It is then an inconvenience to have to reset his password, and a downgrade in security for him to have to use a password on a login form when he could use WebAuthn.
It is strange to log in to the Joomla admin with one method only to be asked for a different method here.
2FA (with YubiKey) is implemented on this form; therefore it is a valid assumption that all other authentication types should also be implemented.
I’m sorry you don’t feel the same. Joomla is full of half implemented features - I was just pointing out another.
However, I don’t have a strong opinion on it (as the number of joomla admins using webauthn will be so low anyway - as my experience with yubikey shows) and as you are the one with the most knowledge of webauthn it made sense to include you. Then I wake to repeated demands not to tag you. I’ll not include you in future. Sorry to disturb you.
On 23 Jun 2020, at 05:07, Nicholas K. Dionysopoulos notifications@github.com wrote:
YOU STILL HAVE A PASSWORD IN YOUR ACCOUNT. USE IT. DON’T BE DAFT.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-06-23 05:09:52 |
Closed_By | ⇒ | PhilETaylor |
WebAuthn is not meant to replace the password altogether, it's supposed to reduce the friction and increase security. You should still have a very long, random password ideally stored in a password manager. Using a 64 character password is impractical and can be phished. That's where WebAuthn comes in.
The Joomla core update asks for the username and password not so much as a means to authenticate you but as a means to slow people down. It basically protects the naive from following malicious instructions which would let them hack themselves.
It's not a half-baked security check. It's a page which deliberately adds a modicum of friction. You don't want to reduce friction with passwordless login there, and it really does not make sense to have Two Factor Authentication.
As to why it's nothing to do with security: if you see this page you are already a Super User. If you maliciously got access to the site as a Super User you don't need to use Joomla Update to install malicious code and pwn the site. Use a self-uninstalling-on-postflight Joomla "files" package. I've demonstrated that attack using a component package on Joomla 1.5 back in 2010. If you're trying to dupe a legit Super User it's far easier convincing them that a malicious extension package is legit than convincing them to use a random ZIP as a core Joomla update.
Regarding shouting, here's what happens from my perspective. Every night I go to bed around 11pm. Right after midnight, Phil at-mentions me in a slew of issues. If Phil was a random idiot I would mass delete the emails without reading. But Phil is not an idiot. So I need to read every. single. one. of. them. On days where there's only bones and no meat in there you have made me start my day negatively, killing my momentum. So I get angry and shout – albeit I shouted at the one issue today that you could use some constructive input. Sorry. Please do at-mention me only when necessary and please do search for my past issues. I've been adapting my software for Joomla 4 since alpha 2. Chances are if there's something broken for 3PDs I've reported it already. Heck, that's how half of my J4 contributions went down! I was trying to get my software to work on J4, found something broken or half-baked, opened an issue, filed a PR, got it fixed
Paging @nikosdion