#1524 Drop old TWO_FACTOR hash algorithm, force new password to be input

Open ljacqu opened this issue 7 years ago • 5 comments

Deprecates TWO_FACTOR from being configured as the hash algorithm and forces players with a TWO_FACTOR password to set a new password with /register when they log in. I don't know how many servers actually use this so I went with kicking a user after successfully setting a password.

Open question:

  • Migrate the two factor secret to the new totp column?

ljacqu, May 20 '18 10:05

There could be some servers that use this method for 2FA in addition to Mojang authentication, but maybe in this case it might be better to choose a dedicated 2FA plugin, or what do you think?

TuxCoding, May 21 '18 17:05

Hmm that's a good point. We could have a "mode" in the future that would specify when/how we require a password or a 2FA token, or at least configurable in the config.yml. But for now I'd like to remove the TWO_FACTOR hash method because it's not a hash method and so has various issues (can't migrate away from it as with the other hashes, /changepassword doesn't work, special case when registering, etc.)

ljacqu, May 21 '18 20:05

@ljacqu any news?

sgdc3, Sep 09 '18 17:09

Alright, picking this one up again and making it happen in the course of the week ;)

ljacqu, Sep 11 '18 20:09

@ljacqu just as a reminder ;)

sgdc3, Nov 01 '18 00:11