multitheftauto / mtasa-blue

Multi Theft Auto is a game engine that incorporates an extendable network play element into a proprietary commercial single-player game.
https://multitheftauto.com
GNU General Public License v3.0

2FA for ACL accounts #3665

Closed Xenius97 closed 2 weeks ago

Xenius97 commented 2 months ago

Is your feature request related to a problem? Please describe.

Currently, ACL users are only protected by serial and password-based security. The serial can be easily bypassed, even with a spoofer (there have been instances in the past where someone gained access despite this). Therefore, I believe that in 2024, using two-factor authentication (2FA) should be standard practice everywhere, and it would be a great help here as well.

Describe the solution you'd like

When attempting to log in using the /login [username] [password] ([2fa]) command or the logIn() function, it should also request the two-factor authentication code. This could be configured, for example, with a setAccount2FAEnabled(username, bool state) function. If authentication fails, access should be denied accordingly.

When you enable 2FA, it should display the secret code, which you can set up in the Google Authenticator app, allowing you to use it from that point onward.

Describe alternatives you've considered

No response

Additional context

No response


TracerDS commented 2 months ago

I disagree. You would need to have X auth code for X servers. It would also be too intrusive. If you want 2FA, you can create it with Lua, the HTTP API and modules if needed.

CrosRoad95 commented 2 months ago

Use custom login solution :)

Xenius97 commented 2 months ago

Use custom login solution :)

The problem with this is that the MTA login is very easy to bypass if you know the username and password combination. It's not a good or viable solution.

TracerDS commented 2 months ago

Use custom login solution :)

The problem with this is that the MTA login is very easy to bypass if you know the username and password combination. It's not a good or viable solution.

Like everywhere. You can do email verification in custom login panel, 2fa verification yourself, phone verification, etc.

Xenius97 commented 2 months ago

Like everywhere. You can do email verification in custom login panel, 2fa verification yourself, phone verification, etc.

The emphasis is on the basic ACL users, where you can log in using the /login command. You can add any kind of email confirmation, but as long as the basic login allows access with just a username-password combination, it won't be secure. Even though there's an authserial, as we've seen recently, this kind of protection can easily be bypassed if you know someone's serial and configure it using a program.

Of course, you can cobble something together, but there will always be loopholes. That's why I suggested implementing two-factor authentication by default, as it can provide better security than a simple Lua script.

TracerDS commented 2 months ago

The emphasis is on the basic ACL users, where you can log in using the /login command. You can add any kind of email confirmation, but as long as the basic login allows access with just a username-password combination, it won't be secure. Even though there's an authserial, as we've seen recently, this kind of protection can easily be bypassed if you know someone's serial and configure it using a program.

Of course, you can cobble something together, but there will always be loopholes. That's why I suggested implementing two-factor authentication by default, as it can provide better security than a simple Lua script.

A custom login panel would be best for that. All validation would be done on the server, and if nothing is wrong then and only then log the player in to the ACL account. It's better to have a set-up email address than 2FA imo.

CrosRoad95 commented 2 months ago

Use custom login solution :)

The problem with this is that the MTA login is very easy to bypass if you know the username and password combination. It's not a good or viable solution.

So make your custom one with 2FA :) I think MTA should not be responsible for such things.