Staff 2FA

Discussion in 'Spigot Plugin Development' started by valaiyar, May 17, 2016.

  1. So basically I want to start this project:
    to create a plugin where staff members (with a certain permission or somewhat),
    when they log in to the server, are not able to do any commands until they enter their 2FA (two-factor authentication). Once they have entered their 2FA, they are able to do their normal routine.
    Every time the player logs into the server, a new 2FA is generated for them (XXX-XXX) and will consist of random numbers and letters.

    Now if you guys don't already know the use for this, here are the reasons this could be used;

    1. If a staff member's account has been hacked, they don't have to worry about it, and if they get a text message without logging onto the server, they know someone else is on their account.

    2. BungeeCord exploit: there are plenty of servers that are vulnerable to the BungeeCord exploit, and they don't even know it. What the BungeeCord exploit allows you to do is log in to an offline server, which is connected to another offline server (which is part of the server you are trying to attack's network), and it allows the player to join with whatever username they want.

    "Why don't you just use a password instead of a 2FA?" - Using a password would be better than nothing, but if the staff member has the same password for their mc-account as their password for the server, then it's easy for the hacker. 2FAs would completely rule this out, since they are random.

    Now this would be VERY useful for my server, and I really want to make it...it's just I don't know exactly how.

    Can someone give me a simple explanation of how I would do it? A short paragraph or two would be good :)
     
  2. Find a text messaging API, learn to use it, use it to send the text message.

    When a player joins, if they don't type in the text message code within twenty seconds they get kicked. When they type it in, add them to an ArrayList; only when they're added to this ArrayList can they perform any actions.

    Edit: Doing this now.
     
    #3 MineOrity, May 17, 2016
    Last edited: May 17, 2016
  3. Why SMS? That costs, has potential issues like no reception, and requires a phone number (2FA can work via tablets etc.).
    https://github.com/j256/java-two-factor-auth <--- EZ

    Shit you can even get the qrcode and send it on a map..
     
  4. I am writing in a java mail back-up, as well as security questions for resetting/bypassing it.
     