Paulo Angelo
Posted in Component Development 5 years ago
Hi all,
We are trying to integrate OSSN with GuardianKey. However, we have doubts related to the best way to do this and the best point in the code for this integration.
GuardianKey is a solution to protect systems against authentication attacks. It uses Machine Learning and analyses the user's behavior, threat intelligence and psychometrics (or behavioral biometrics). The protected system (in the concrete case, OSSN) must send an event via REST for the GuardianKey on each login attempt. More info at https://guardiankey.io .
The best way to integrate would be on having a hook in the procedure that process the user credentials submission in OSSN (the script that receives the POST), something such as:
if(POST IN AUTH FORM) {
boolean loginFailed = checkLogin();
GuardianKeyEvent event = createEventForGuardianKey(username,loginFailed);
boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
if(GuardianKeyValidation){
// Allow access
} else {
// Deny access
}
}
Where is the best place to create this integration? Is there a way to create a hook for this purpose? Should we create an extension?
Any help is welcome.
Thank you in advance.
Best regards,
Paulo Angelo
Arsalan Shah
Replied 5 years ago
I still don't consider this to be integrated with OSSN didn't make sense to me. However you may use following in your component:
<?php
function mynew_com(){
ossn_add_hook('user', 'login', 'guradian_abc');
}
function guradian_abc($hook, $type, $return, $params){
$user = $params['user'];
... do my stuff
return true|false (false to decline login)
}
ossn_register_callback('ossn', 'init', 'mynew_com');
Hi ~Z~ Man,
There are many ways to have credentials compromised. As examples: phishing, malware, vulnerabilities in applications, brute-force attacks, leaks, etc.
Strong passwords are not sufficient to be safe.
Some references:
https://haveibeenpwned.com/
https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach
https://www.acunetix.com/blog/articles/pony-malware-credential-theft/
https://threatpost.com/separ-malware-credentials-phishing/142009/
https://www.zdnet.com/article/this-password-stealing-malware-just-added-a-new-way-to-infect-your-pc/
regards,
Paulo Angelo
Michael Zülsdorff
Replied 5 years ago
If I understand the whole thing correctly, it is essentially about: Can someone else log in under my name and hijack my account or not? And there are actually only two possibilities:
a) I use a strong password - then I don't need any extra protection
b) I'm using a weak password - then I'd better use a strong one
Or, to put it this way: Why should I care about login attempts if I can be sure they'd fail?
Due to the many requests in the past for additonal features and components we have decided to develope a premium version. Features like Hashtags, Videos, Polls, Events, Stories, Link Preview, etc included in it.
$199 (Life Time)
