
The Insider News

   

The Insider News is for breaking IT and Software development news. Post your news, your alerts and your inside scoops. This is an IT news-only forum - all off-topic, non-news posts will be removed. If you wish to ask a programming question please post it here.

General: Re: Why choose Uno Platform for your next .NET Project? (MarkTJohnson, 6-Mar-24 9:51)
General: Re: Why choose Uno Platform for your next .NET Project? (Nelek, 6-Mar-24 20:41)
News: NSA shares zero-trust guidance to limit adversaries on the network (Kent Sharkey, 6-Mar-24 7:16)
General: Re: NSA shares zero-trust guidance to limit adversaries on the network (Nelek, 6-Mar-24 20:40)
News: Millions of Google, WhatsApp, Facebook 2FA security codes leak online (Ravi Bhavnani, 5-Mar-24 21:18)
General: Re: Millions of Google, WhatsApp, Facebook 2FA security codes leak online (raddevus, 6-Mar-24 2:30)
General: Re: Millions of Google, WhatsApp, Facebook 2FA security codes leak online (Ravi Bhavnani, 6-Mar-24 6:20)
General: Re: Millions of Google, WhatsApp, Facebook 2FA security codes leak online (raddevus, 6-Mar-24 7:19)

Ravi Bhavnani wrote:
I think they would need to be persisted to a database due to the challenge of maintaining a large in-memory store across geographical boundaries.


I was thinking about this myself and there is a way around it that isn't that difficult -- a solution that makes it so they never have to store codes.

1. They could generate SHA-256 hashes based on time and some other salt.
2. Then they can either:
2a. return 6 chars of the SHA-256 (from anywhere within the 64 character hex-based hash) -- this would be the code that the user would type into the form to verify. Later the server side would just generate the hash again and match to the 6 chars that the user typed.
2b. or calculate a number from the SHA-256 hash

The point here is that they use a reproducible method for generating a SHA-256 hash so that they don't have to store values anywhere.
Since these codes would expire within 10 minutes it is unlikely a hacker could recreate the hashes in time anyways.

There are definitely ways -- that aren't that difficult -- so they don't have to store these codes in a db.

It would be very similar to the old key fobs used for VPN sign-on. See image.

Here's a wiki article about them: RSA SecurID - Wikipedia

The vulnerabilities are man-in-the-middle attacks, but that is true for the other codes too.

modified 6-Mar-24 13:27pm.
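
An added example, not part of the post above or of any vendor's code, showing the stateless approach it describes (option 2b: derive a number from a time-based SHA-256 value and recompute it at verification). It swaps the bare hash of time and salt for HMAC-SHA-256 under a server-side key, the keyed construction TOTP (RFC 6238) uses; the key, user identifier, 300-second step and function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 300   # assumption: 5-minute steps; current + previous step
DIGITS = 6           # accepted, so a code lives at most the post's 10 minutes

# Constructed sample key; a real deployment would load a random secret.
SERVER_KEY = bytes(range(32))


def derive_code(key: bytes, user_id: str, now: float, step_offset: int = 0) -> str:
    """Derive a 6-digit code from the time step and user; nothing is stored."""
    step = int(now // STEP_SECONDS) + step_offset
    # Binding the user id into the MAC keeps one user's code from
    # validating for another user in the same time step.
    message = struct.pack(">Q", step) + user_id.encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226: the low nibble of the last byte
    # selects 4 bytes, reduced to a 31-bit integer, then to DIGITS digits.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify_code(key: bytes, user_id: str, submitted: str, now: float) -> bool:
    """Recompute the codes for the current and previous step and compare."""
    candidate = submitted.strip().encode("utf-8")
    ok = False
    for step_offset in (0, -1):
        expected = derive_code(key, user_id, now, step_offset).encode("ascii")
        # Constant-time comparison; both steps are always checked.
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    issued_at = 1_709_700_000  # constructed timestamp on a step boundary
    code = derive_code(SERVER_KEY, "alice@example.com", issued_at)
    print(code, verify_code(SERVER_KEY, "alice@example.com", code, issued_at + 120))
```

Because nothing is stored, a valid code can be replayed until it expires; rejecting reuse requires remembering the last accepted step per user.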

General: Re: Millions of Google, WhatsApp, Facebook 2FA security codes leak online (Joe Woodbury, 6-Mar-24 8:53)
General: Re: Millions of Google, WhatsApp, Facebook 2FA security codes leak online (raddevus, 7-Mar-24 5:02)
General: Re: Millions of Google, WhatsApp, Facebook 2FA security codes leak online (Nelek, 6-Mar-24 20:37)
News: NASA really made its own tabletop RPG for you to play (Kent Sharkey, 5-Mar-24 8:16)
General: Re: NASA really made its own tabletop RPG for you to play (Nelek, 6-Mar-24 20:30)
News: Developers don’t need performance reviews (Kent Sharkey, 5-Mar-24 8:16)
General: Re: Developers don’t need performance reviews (PIEBALDconsult, 6-Mar-24 4:49)
General: Re: Developers don’t need performance reviews (Nelek, 6-Mar-24 20:29)
General: Re: Developers don’t need performance reviews (TNCaver, 7-Mar-24 6:19)
General: Re: Developers don’t need performance reviews (YSLGuru, 8-Mar-24 5:48)
General: Re: Developers don’t need performance reviews (YSLGuru, 8-Mar-24 5:58)
General: Re: Developers don’t need performance reviews (CHill60, 8-Mar-24 6:02)
General: Re: Developers don’t need performance reviews (Sean Ewington, 8-Mar-24 6:26)
General: Re: Developers don’t need performance reviews (YSLGuru, 8-Mar-24 5:58)
News: Google takes aim at SEO-optimized junk pages and spam with new search update (Kent Sharkey, 5-Mar-24 8:16)
General: Re: Google takes aim at SEO-optimized junk pages and spam with new search update (Nelek, 6-Mar-24 20:28)
News: Thanks to AI, the coder is no longer king: All hail the QA engineer (Kent Sharkey, 5-Mar-24 8:01)
