1337180
12 Aug 2020

Is your feature request related to a problem? Please describe.

It's like 2FA but a little easier. It helps in the situation I was mentioning. You have browser-saved backend login credentials and you don't want to use 2FA, which takes longer, so you just enable a 4-digit PIN. This PIN, as opposed to a login, is not saved, stored or offered by the browser. If ANYBODY gets to the PC when you are AFK (toilet or vacation), the PC as it is now offers no security at all. Accessing the backend of your website is one click away. So an INTRUDER can change something, delete something or get some information (superuser is the worst-case scenario).
WITH THIS PIN, only you know the PIN, so when you come back from the toilet/vacation/flight nobody could have logged in (because they don't know your PIN). The PIN will not be offered as a one-click solution to fill in automatically, as credentials are in modern browsers.
THE NORMAL LOGIN WILL NOT BE ALTERED IN ANY WAY; you will still have to provide name and password (to get into the backend). A short but secure PIN will be the solution.

Just as bank accounts have PINs to secure your money.

Describe the solution you'd like

You just provide:
username (saved and prefilled)
password (again saved and prefilled)
and PIN (which shows, if it's turned on, after you click login)

  • it's (much) safer in this AFK situation
  • it's much faster than 2FA
  • it's new so nobody knows it
  • it's optional so nobody will be hurt

And now banks are using this, and sometimes website damage, a hoax or lost content can hurt as much as stolen money.
So now, IS this BAD? With the PIN option the classic login won't be altered, just expanded.

Additional context

OK so bank
I somehow log in from the browser data (Europe), and now I'm able to send a money transfer (bank transfer) to my secret account. I just can do this because after filling in the transfer details the bank sums things up and asks for a PIN (which I don't have because I'm an intruder and this is NOT my bank account). This PIN is generated by the card reader: you put your card in it (Visa, for example), it reads it, you enter the number from the bank app into the card reader (generated by transaction variety), and the card reader generates a unique PIN for your transaction.

This (maybe in future) doesn't go as far as the bank example. It's a short (rec. 4-6 digit) number, to be entered after the user provides the classic credentials. [] [] [] [] For example like this.

So this can be used:

  • login, standard
  • 2FA login
  • login with PIN
  • 2FA login with PIN

Recommendation:
variable PIN size (4-10 digits, for example)

brianteeman - comment - 12 Aug 2020

The situation you describe is resolved without any pin.

  1. Don't save your passwords in the browser
  2. Don't leave your computer unattended

Almost everything you are describing is resolved with TFA and WebAuthn, which are already provided.

Quy - comment - 12 Aug 2020

Please post PIN related requests in #28390

Quy - close - 12 Aug 2020
Status: New → Closed
Closed_Date: 2020-08-12 17:53:31
Closed_By: Quy
