Differences
projects:sso [2025/07/09 16:16] – Permissions model samp20 | projects:sso [2025/07/11 12:51] (current) – samp20 | ||
---|---|---|---|
Line 21: | Line 21: | ||
Email login will send a "magic link" to your registered email address. When clicked this will log you in to the original page you were on, not the page opened when clicking the link. This will allow you to login on your phone while clicking the email on your desktop for example. This could also work on the Hackspace portal if desired. | Email login will send a "magic link" to your registered email address. When clicked this will log you in to the original page you were on, not the page opened when clicking the link. This will allow you to login on your phone while clicking the email on your desktop for example. This could also work on the Hackspace portal if desired. | ||
+ | |||
+ | In order to avoid mis-clicking a "magic link" triggered by a potential attacker, both the email and login page should display a code so the member can check they are clicking the correct link. | ||
==== Keyfob/card login ==== | ==== Keyfob/card login ==== | ||
- | This will be a slight change to our current login method, requiring you to enter your email first before scanning your keyfob/ | + | This will be a slight change to our current login method, requiring you to enter your email first before scanning your keyfob/ |
An additional security measure will be required to ensure these keyfob logins only come from the Hackspace network. For now an IP allowlist should be sufficient, along with a global lockout if a significant number of keyfob login attempts are spotted. It is recognised that IP addresses can theoretically be spoofed, but quite difficult in practice. The global lockout would be a nuclear countermeasure in the extremely rare instance someone does figure this out. | An additional security measure will be required to ensure these keyfob logins only come from the Hackspace network. For now an IP allowlist should be sufficient, along with a global lockout if a significant number of keyfob login attempts are spotted. It is recognised that IP addresses can theoretically be spoofed, but quite difficult in practice. The global lockout would be a nuclear countermeasure in the extremely rare instance someone does figure this out. |
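Review bot: The added line under email login says both the email and the login page "should display a code", but it does not say how the code is produced or what happens when the member sees a mismatch. Because the link logs in the original page rather than the page opened from the email, clicking a link that someone else requested approves their session, so the comparison only helps if it is enforced. Suggest stating that the code is random per login request, that the page opened from the link shows it and asks for explicit confirmation before the originating page is logged in, and that links expire and are single use. In the keyfob paragraph, "a significant number" of attempts is not quantified, and a global lockout also locks out legitimate members; suggest giving the threshold and saying how the lockout is cleared.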