@eaplmx@twtxt.net CSS Battle has a passwordless login, I don’t know the implementation but it basically send you and email where you click a link and you’re in.
@justamoment@twtxt.net yarnd implements this too 👌 It’s basically called “Magic Link Auth”. We’ve had this for a while, not sure if anyone uses it though 😅
@prologic@twtxt.net nice! I didn’t know about it, I’d probably use it on desktop.
I haven’t seen it though, from where is it accessible?
@justamoment@twtxt.net From the Login view:
@prologic@twtxt.net I tried just now but I’m not receiving any email. 🤔 Does it take some time?
@justamoment@twtxt.net @prologic@twtxt.net hey, didn’t know that! As a fan of magic links, I like that it’s available, but “Login with your Email Address” doesn’t make it obvious you are going to receive a dynamic token to your email; in my mind it’s like “Instead of your Username and Pwd, use your Email and Pwd”.
I’d suggest something like “Send an access to your email”, “Send a Magic link”, etc.
@prologic@twtxt.net @justamoment@twtxt.net Same! It’s not arriving to my Proton.me/Protonmail inbox, nor Spam.
twtxt_twtxt.1.cytd0qqnwbpw@dm4.mills.io | time="2022-10-10T05:17:46Z" level=warning msg="sending emails disabled in configuration"
That would be why it’s not working… Hmmm 🤔
@justamoment@twtxt.net @prologic@twtxt.net sorry for the typos, stupid phone keyboard (and myself not paying attention, ha)
@prologic@twtxt.net likely the root cause 🙃
Try now. fixed my pod’s email configuration 😅
@prologic@twtxt.net Nice!
@eaplmx@twtxt.net Yup 😅
I think Email has been broken on my Pod for some time now, since @lyse@lyse.isobeef.org made this commit: the default behaviour of the flags/env had changed, requiring SMTP_PORT to be set (it used to default to 25) ooops 😅
@prologic@twtxt.net I think the Warning is misleading then…
So it’s not disabled, but not setup correctly and for that reason doesn’t send mails?
@eaplmx@twtxt.net Correct. I should probably improve the startup a bit to catch this earlier on. Maybe expose it in the UI as well in Poderator Settings 🤔
@prologic@twtxt.net Sorry, saw this now.
Yes, it’s working for me too now.
@abucci@anthony.buc.ci You are 100% right. Relying on email security is an oxymoron. I’m not sure how many actually use it to auth to their pod, so if there’s enough reason to remove it, I’m happy to do so 👌
@prologic@twtxt.net well, not 100% right but it’s a valid assumption.
If you are able to reset your password by email, it’s a pretty similar level of security to receiving an access token by email. Anyone with access to your mail could get access to your accounts.
Adding a second factor of authentication could help, or using something with Public/Private crypto would be better, like Client Certs, FIDO2 or even hipster things.
And also giving alerts that someone else is connected on your behalf is great (as is done for some banks or Google), but that’s a UX compromise between convenience and security.
@abucci@anthony.buc.ci Nice!
I didn’t know about https://indieauth.net which seems to be based on OAuth 2.0 (that I have used before), I’ll take a look!
@eaplmx@twtxt.net That’s why we make the tokens short-lived. I’m just pointing out and agreeing with @abucci@anthony.buc.ci that Email security is basically non-existent 😅 – Speaking of which… Is there any desire or strong push to start thinking about introducing 2FA or MFA to yarnd? 🤔 Note however I have a strong preference for something that is “self-hostable”.
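The thread’s point about magic links (anyone who reads your mail can use the link, so the token must be short-lived) is easy to get wrong in small ways: storing the raw token, letting it be redeemed twice, or telling a guesser whether a token was unknown versus expired. The Go below is an added example written for this thread; it is not yarnd’s code, and the in-memory store, the 15-minute TTL, the `/magiclink?token=` URL layout and the injectable `Now` clock are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrInvalidToken deliberately does not say whether the link was unknown,
// expired or already used, so the response leaks nothing to a guesser.
var ErrInvalidToken = errors.New("magic link invalid, expired or already used")

// pendingLogin is the server-side record for one issued link. Only the token's
// hash is stored, so a copy of this table cannot be turned into working links.
type pendingLogin struct {
	email   string
	expires time.Time
}

// MagicLinkStore is an in-memory store (assumption: a real pod would persist it).
type MagicLinkStore struct {
	mu      sync.Mutex
	pending map[string]pendingLogin // key: hex(sha256(token))
	ttl     time.Duration
	Now     func() time.Time // injectable clock for tests; defaults to time.Now
}

func NewMagicLinkStore(ttl time.Duration) *MagicLinkStore {
	return &MagicLinkStore{pending: make(map[string]pendingLogin), ttl: ttl, Now: time.Now}
}

func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue creates a fresh 256-bit random token for email and returns it; the
// caller puts it in the e-mailed URL. The store keeps only its hash and expiry.
func (s *MagicLinkStore) Issue(email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[hashToken(token)] = pendingLogin{email: email, expires: s.Now().Add(s.ttl)}
	return token, nil
}

// Redeem exchanges a token from a clicked link for the e-mail it was issued to.
// The record is deleted on the first attempt whatever the outcome, so a link
// can be used at most once; expired links are rejected.
func (s *MagicLinkStore) Redeem(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hashToken(token)
	p, ok := s.pending[key]
	if !ok {
		return "", ErrInvalidToken
	}
	delete(s.pending, key)
	if s.Now().After(p.expires) {
		return "", ErrInvalidToken
	}
	return p.email, nil
}

// LoginURL builds the link that would be e-mailed (assumed layout, not yarnd's).
func LoginURL(base, token string) string {
	return base + "/magiclink?token=" + token
}

func main() {
	store := NewMagicLinkStore(15 * time.Minute)
	token, err := store.Issue("alice@example.com") // constructed address
	if err != nil {
		panic(err)
	}
	fmt.Println("mail this:", LoginURL("https://pod.example", token))
	email, err := store.Redeem(token)
	fmt.Println("first click ->", email, err)
	_, err = store.Redeem(token)
	fmt.Println("second click ->", err)
}
```

The single-use rule is what limits the damage when a mailbox is read after the fact: once the legitimate user has clicked, the copy sitting in the inbox is worthless, and the TTL bounds the window before that click.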
@prologic@twtxt.net I’d like to have a 2FA alternative, at least TOTP (what Google Authenticator uses).
And if you have support for WebAuthn, even better.
Both are self-hostable.
@eaplmx@twtxt.net Okay 🤔
This library sec51/twofactor: Golang two factor authentication library might do the trick… I’ll do some more research, but I’ve looked into this before, doing TOTP is probably fairly easily doable. 👌
@eaplmx@twtxt.net with WebAuthn we could even take it further and possibly have a userless login too.
@justamoment@twtxt.net sure! I’m working on a proof of concept (in PHP) if you want to take a look at how it works
@justamoment@twtxt.net that said, WebAuthn/FIDO 2/PassKeys are not that easy to implement but I think they have many improvements for the Authentication problem
FIDO 2 isn’t too difficult. Modern-ish browsers will support it natively now so the JS required is quite minimal.
You can take a look at the library I’m using, here:
https://eapl.mx/webauthn/_test/client.html
And the implementation there:
https://eapl.mx/twtxt/login.html
What’s missing in the examples is having an identity tied to your Auth device (Hardware token or OS service like Microsoft Hello, Apple Keychain, Android Fingerprint). The explanation is long, but the abstraction is there. Your identity and private certificates are held for you by some ‘magic’ device.
@xuu Well, it took me like 4 hours to set up, implement and test the PHP library, with all the setup combinations, devices and such.
So I’ll say that using a password with a simple function like https://www.php.net/manual/en/function.password-verify.php is much easier than a whole library requiring communication between the server, the browser and the auth device… There is a security reason for that (mainly to avoid phishing, which is something I like compared to other solutions like SQRL)