I'm attempting to implement the lockable module in Devise. I want to set it up so that if an account is locked, it shows the locked message regardless of whether the password is correct or not. Importing lockable before database_authenticatable gives the desired behavior, as long as the number of attempts are higher than the max attempts, but there are other reasons why an account might be locked. I've overridden #unauthenticated_message so that it returns :locked when #access_locked? is true, but that didn't seem to do anything. Is there a way to make this happen?
It looks like Devise's standard behavior is not to reveal the locked status of an account unless the password is correct, as this thread argues: https://groups.google.com/forum/#!topic/plataformatec-devise/8BWkoYf-uy8 So to head off requests to make me justify my reasoning, this seems wrong to me. In my mind, the whole point of locking the account is to avoid password enumeration. I don't really care if someone knows a particular email is registered on my site (especially since enumerating on the user creation page is possible anyway), but why give someone limitless attempts to guess a password? I'm open to being convinced, but it seems totally backwards.
I'm facing the same issue. Only thing I could do is increase the number of attempts.
Eg: If I want to allow 3 login attempts, change
config.maximum_attempts = 3
to
config.maximum_attempts = 4
This way the account wont get locked if the user provides wrong password for 2 times and correct password at the third time. But this is not a good solution, although it solves my issue temporarily.
Related
I've been asked to implement 2FA with email codes, like you get from Steam (and many banks), after you haven't logged in for awhile. I initially thought this would have been a flag I could turn on in the Devise config, but I can't find ANY place on the internet that talks about something like this. The desired process would be to generate and email a one-time pad to enter into a confirmation screen. Every reference I've found to 2FA with Devise refers to using things like SMS or an authenticator app.
Working within the framework of Devise, it seems like this might possibly boil down to unconfirming the user every so often, maybe like every other day. That way, the next time they log in, they get another email with a new link to "re-"confirm the login. The best I can find is Warden::Manager.after_authentication to set user.confirmed_at = nil, but this doesn't seem to be doing what I want.
Thanks to a friendly person on Github, I was directed to the Devise plugin, https://github.com/Houdini/two_factor_authentication, which does exactly what I wanted. I knew someone had to have already written it!
I'm not sure that this is a stack overflow appropriate question. If not, I'd appreciate a pointer to a more appropriate forum, as I haven't been able to find one.
I have a small website project that gets a few hundred daily unique users and on average I get one or two people to create an account per day. Yesterday I noticed that more users were signing up (like about 50) and today another 150 users signed up. Wonderful, right? Except that then I noticed that while the emails look legitimate, all of the usernames ended in same letters. My site requires that email be confirmed before a user gets any additional access and none of these accounts have confirmed their email. There is no apparent regularity to the creation of these accounts other than that it is happening with slowly increasing frequency.
My first question is, what is the most effective way to prevent this with the least user impact. The only thing that I can think of is adding a captcha step as part of account registration. I really dislike captcha so if anyone has a better idea for a general solution to this I'd appreciate it.
I'm also interested in this: What could this malicious user be gaining by doing this? It's not yet anything other than a minor nuisance to me. The accounts are easily identifiable and they're not (yet) being created at a rate that could represent anything like a denial of service attack. The only thing I can think is that they're trying to confirm that these emails are registered on my site. But I can't think why that would be useful. Also, if the email addresses are real, they're using my site to spam those email, but the spam is a registration confirmation for my site. So I guess they might eventually get my email provider to shut me down if they keep this up.
Thanks in advance for any help, even if that's a redirect to a different forum.
Other possibly useful information:
My site is hosted on Azure using asp.net mvc5 with identity framework
I believe that the emails are legitimate because my email provider
shows a very small bounce rate (like 1%) on these emails.
There are 2 more options which are SMS-Confirmation(by limiting the phone number), and IP restriction.
I need to create a webpage for a specific customer to use only during certain time frames.
I would like to make this page as secure as possible, by not allowing anybody else to see this page during this time frame. I would also like to make it as easy as possible for this customer to open this page.
My thinking is:
Open time frame
Send customer link via email
Email contains passcode to use to enter the page
After task is complete or time frame expires, the passcode also expires
To me, this seems pretty secure.
My concerns are:
The customer forwarding the email (I don't see why they would do this, so may be a mute point)
There is an inherent flaw in my thinking that I am not aware of.
The time frame is kept in a database. Each user action will have the passcode checked against the time frame to ensure that it is valid.
Is this method secure, within a reasonable degree, or is there a better way that you know of, or an existing technology that deals with this problem already?
As i gather, you want to limit access to third-parties as much as possible. i think you'd want something login-based - have a simple registration procedure with which you can connect the email to a user, let the client choose their own password, give the user rights to access the page, share the link (either use encryption with email or do it with the user account), restrict multiple sessions. Once the client has the information, you can't really ensure that they don't misuse it..
I need to build an application that will only serve people in my workplace. Currently, everyone has a specific company email, which has a unique domain and format.
I created a regular expression that only validates our company email addresses, and configured the application to require email confirmation. This seems like it should be sufficient, unless a malicious person:
Finds a flaw in my expression.
Finds a way around confirmation.
Somehow gets a company email address.
I feel like this isn't secure enough though. Maybe I need to take it one more step, with some kind of pre-approved email list or something?
I'm curious if anyone else has faced this problem. (Most likely.)
Ok, here is my solution:
This will enable a second level of security:
On the User model, create a boolean field called user_active.
Then, create an Admin page that will only allow your admins to check/uncheck accounts.
Then, you can call User.user_active? before logging your users in.
This makes it much harder for somebody who manages to sneak around your security to access your app.
This would be a pain with tons of users, but if you only have 200 or so, this will work.
I got a website where you can sign up for newsletters. Signing up does only take a click from the user to register it's email in the database. I figured that this might be a problem since there's no cooldown/time limit or what so ever, so i guess it would be possible to make some kinda script to spam my database with emails.
I've been thinking of implementing a Captcha or something, but I'd rather go with some kind of cooldown on signing up. Something like, you can only sign up 2 emails each 15 minutes, or something like that. What would be the best solution here?
The method you use is single opt-in. It's no only inefficient but also possible illegal.
For inefficiency, the reason is you may get lots of invalid emails and your system is busy to send emails to these invalid addresses. The reason may come from spam trying and users' errors.
For legal, in Europe you can only send emails to people who opted in your service. The only valid way to prove they are opted in is they have confirmed opt-in link in email. http://www.lsoft.com/resources/optinlaws.asp. Having their emails alone is not a valid reason because you can buy emails from others.
So, the correct strategy is to use double opt-in. When a user fill email and submit, he will get an email asking his confirmation of this action. Once confirmed, he would be a valid subscriber and start to get emails.
Also, with double opt-in, your concern of junk opt-ins will be minimum because it becomes harder to spammers to confirm email, also they don't have too much motivation to do that.
If you have a signup table, you can check the for the number of signups from a particular user in the last 15 minutes
Signup.where("user_id = ? and created_at >= ?", user_id, 15.minutes.ago).count
If the above count is greater than or equal to 2, then don't allow